C-1
Cisco ASA 5500 Series Configuration Guide using the CLI
APPENDIX
C

Configuring an External Server for Authorization

and Authentication

This appendix describes how to configure an external LDAP, RADIUS, or TACACS+ server to support
AAA on the ASA. Before you configure the ASA to use an external server, you must configure the server
with the correct ASA authorization attributes and, from a subset of these attributes, assign specific
permissions to individual users.
This appendix includes the following sections:
Understanding Policy Enforcement of Permissions and Attributes, pageC-1
Configuring an External LDAP Server, pageC-2
Configuring an External RADIUS Server, pageC-27
RADIUS Accounting Disconnect Reason Codes, page C-37

Understanding Policy Enforcement of Permissions and

Attributes

The ASA supports several methods of applying user authorization attributes (also called user
entitlements or permissions) to VPN connections. You can configure the ASA to obtain user attributes
from a Dynamic Access Policy (DAP) on the ASA, from an external authentication and/or authorization
AAA server (RADIUS or LDAP), from a group policy on the ASA, or from all three.
If the ASA receives attributes from all sources, the attributes are evaluated, merged, and applied to the
user policy. If there are conflicts between attributes coming from the DAP, the AAA server, or the group
policy, those attributes obtained from the DAP always take precedence.
The ASA applies attributes in the following order (see FigureC-1).
1. DAP attributes on the ASA—Introduced in Version 8.0(2), these attributes take precedence over all
others. If you set a bookmark or URL list in DAP, it overrides a bookmark or URL list set in the
group policy.
2. User attributes on the AAA server—The server returns these attributes after successful user
authentication and/or authorization. Do not confuse these with attributes that are set for individual
users in the local AAA database on the ASA (User Accounts in ASDM).
3. Group policy configured on the ASA—If a RADIUS server returns the value of the RADIUS CLASS
attribute IETF-Class-25 (OU=group-policy) for the user, the ASA places the user in the group policy
of the same name and enforces any attributes in the group policy that are not returned by the server.