1-5
Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring AAA Servers and the Local Database
  Information About AAA
• A list of attributes is available at the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1605508
RADIUS Authorization Functions
The ASA can use RADIUS servers for user authorization of VPN remote access and firewall 
cut-through-proxy sessions using dynamic access lists or access list names per user. To implement 
dynamic access lists, you must configure the RADIUS server to support it. When the user authenticates, 
the RADIUS server sends a downloadable access list or access list name to the ASA. Access to a given 
service is either permitted or denied by the access list. The ASA deletes the access list when the 
authentication session expires.
In addition to access lists, the ASA supports many other attributes for authorization and setting of 
permissions for VPN remote access and firewall cut-through proxy sessions. For a complete list of 
authorization attributes, see the following URL: 
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1605508
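As an added illustration of the per-user authorization described above (example code, not part of the Cisco guide): the ASA receives downloadable access-list entries in the cisco-av-pair vendor attribute as ip:inacl#seq=ace, installs them as that user's ACL, and permits or denies each connection by first match with an implicit deny. The attribute values, addresses and the simplified ACE grammar below are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed Access-Accept attributes for one user (sample values, not from the guide).
# Downloadable ACL entries arrive in the Cisco VSA cisco-av-pair as "ip:inacl#<seq>=<ace>";
# the ASA installs them as that user's ACL and evaluates them in sequence order.
AV_PAIRS = [
    "ip:inacl#20=deny tcp any host 10.0.0.9 eq 22",
    "ip:inacl#10=permit tcp any host 10.0.0.9 eq 443",
    "ip:inacl#30=permit udp any host 10.0.0.53 eq 53",
]

# Simplified ACE grammar (assumption): action proto src dst [eq port]
ACE_RE = re.compile(
    r"^(permit|deny) (tcp|udp|ip) (any|host \S+) (any|host \S+)(?: eq (\d+))?$"
)
Ace = namedtuple("Ace", "action proto src dst port")

def _addr_matches(spec, ip):
    return spec == "any" or ip == spec.split()[1]

def parse_downloadable_acl(av_pairs):
    """Return ACEs in ASA evaluation order (ascending sequence number)."""
    entries = []
    for pair in av_pairs:
        m = re.match(r"^ip:inacl#(\d+)=(.+)$", pair)
        if not m:
            continue  # some other RADIUS attribute; not part of the ACL
        ace = ACE_RE.match(m.group(2))
        if not ace:
            raise ValueError(f"unparseable ACE: {m.group(2)}")
        action, proto, src, dst, port = ace.groups()
        entries.append((int(m.group(1)), Ace(action, proto, src, dst, int(port) if port else None)))
    return [ace for _, ace in sorted(entries, key=lambda e: e[0])]

def permitted(acl, proto, src, dst, dport):
    """First matching ACE decides; no match means implicit deny, as on the ASA."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_addr_matches(ace.src, src) and _addr_matches(ace.dst, dst)):
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace.action == "permit"
    return False
```

When the authentication session expires, the ASA discards this ACL, so the user's traffic falls back to the interface policy and must re-authenticate to regain the per-user permissions.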
TACACS+ Server Support
The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
RSA/SDI Server Support
The RSA SecurID servers are also known as SDI servers.
This section includes the following topics:
• RSA/SDI Version Support, page 1-5
• Two-step Authentication Process, page 1-5
• RSA/SDI Primary and Replica Servers, page 1-6
RSA/SDI Version Support
The ASA supports SDI Versions 5.x, 6.x, and 7.x. SDI uses the concept of an SDI primary server and SDI
replica servers. Each primary and its replicas share a single node secret file. The node secret file is
named after the hexadecimal value of the ACE/Server IP address, with .sdi appended.
A version 5.x, 6.x, or 7.x SDI server that you configure on the ASA can be either the primary or any one 
of the replicas. See the “RSA/SDI Primary and Replica Servers” section on page 1-6 for information 
about how the SDI agent selects servers to authenticate users.
Two-step Authentication Process
SDI Versions 5.x, 6.x, or 7.x use a two-step process to prevent an intruder from capturing information 
from an RSA SecurID authentication request and using it to authenticate to another server. The agent 
first sends a lock request to the SecurID server before sending the user authentication request. The server