C-27
Cisco ASA 5500 Series Configuration Guide using the CLI
AppendixC Configuring an External Server for Authorization and Authentication
Configuring an External RADIUS Server
Configuring an External RADIUS Server
This section presents an overview of the RADIUS configuration procedure and defines the Cisco
RADIUS attributes. It includes the following topics:
Reviewing the RADIUS Configuration Procedure, page C-27
ASA RADIUS Authorization Attributes, pageC-27
ASA IETF RADIUS Authorization Attributes, pageC-36
RADIUS Accounting Disconnect Reason Codes, page C-37

Reviewing the RADIUS Configuration Procedure

This section describes the RADIUS configuration steps required to support authentication and
authorization of ASA users.
To set up the RADIUS server to interoperate with the ASA, preform the following steps:
Step1 Load the ASA attributes into the RADIUS server. The method you use to load the attributes depends on
which type of RADIUS server you are using:
If you are using Cisco ACS: the server already has these attributes integrated. You can skip this step.
If you are using a FUNK RADIUS server: Cisco supplies a dictionary file that contains all the ASA
attributes. Obtain this dictionary file, cisco3k.dct, from the Cisco Download Software Center on
Cisco.com or from the ASA CD-ROM. Load the dictionary file on your server.
For RADIUS servers from other vendors (for example, Microsoft Internet Authentication Service):
you must manually define each ASA attribute. To define an attribute, use the attribute name or
number, type, value, and vendor code (3076). For a list of ASA RADIUS authorization attributes
and values, see Table C -7.
Step2 Set up the users or groups with the permissions and attributes to send during IPsec or SSL tunnel
establishment.

ASA RADIUS Authorization Attributes

Authorization refers to the process of enforcing permissions or attributes. A RADIUS server defined as
an authentication server enforces permissions or attributes if they are configured. These attributes have
vendor ID 3076.
Table C -7 lists the ASA supported RADIUS attributes that can be used for user authorization.
Note RADIUS attribute names do not contain the cVPN3000 prefix. Cisco Secure ACS 4.x supports this new
nomenclature, but attribute names in pre-4.0 ACS releases still include the cVPN3000 prefix. The ASAs
enforce the RADIUS attributes based on attribute numeric ID, not attribute name. LDAP attributes are
enforced by their name, not by the ID.
All attributes listed in Table C -7 are downstream attributes that are sent from the RADIUS server to the
ASA except for the following attribute numbers: 146, 150, 151, and 152. These attribute numbers are
upstream attributes that are sent from the ASA to the RADIUS server. RADIUS attributes 146 and 150