Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Configuring AAA Rules for Network Access
Configuring Authorization for Network Access
Simplified and centralized management of ACLs—Downloadable ACLs enable you to write a set of
ACLs once and apply it to many user or group profiles and distribute it to many ASAs.
This approach is most useful when you have very large ACL sets that you want to apply to more than
one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and group
management makes it useful for ACLs of any size.
The ASA receives downloadable ACLs from Cisco Secure ACS using the following process:
1. The ASA sends a RADIUS authentication request packet for the user session.
2. If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS
access-accept message that includes the internal name of the applicable downloadable ACL. The
Cisco IOS cisco-av-pair RADIUS VSA (vendor 9, attribute 1) includes the following attribute-value
pair to identify the downloadable ACL set:
ACS:CiscoSecure-Defined-ACL=acl-set-name
where acl-set-name is the internal name of the downloadable ACL, which is a combination of the
name assigned to the ACL by the Cisco Secure ACS administrator and the date and time that the
ACL was last modified.
3. The ASA examines the name of the downloadable ACL and determines if it has previously received
the named downloadable ACL.
- If the ASA has previously received the named downloadable ACL, communication with Cisco
Secure ACS is complete and the ASA applies the ACL to the user session. Because the name of
the downloadable ACL includes the date and time that it was last modified, matching the name
sent by Cisco Secure ACS to the name of an ACL previously downloaded means that the ASA
has the most recent version of the downloadable ACL.
- If the ASA has not previously received the named downloadable ACL, it may have an
out-of-date version of the ACL or it may not have downloaded any version of the ACL. In either
case, the ASA issues a RADIUS authentication request using the downloadable ACL name as
the username in the RADIUS request and a null password attribute. In a cisco-av-pair RADIUS
VSA, the request also includes the following attribute-value pairs:
AAA:service=ip-admission
AAA:event=acl-download
In addition, the ASA signs the request with the Message-Authenticator attribute (IETF RADIUS
attribute 80).
4. After receipt of a RADIUS authentication request that has a username attribute that includes the
name of a downloadable ACL, Cisco Secure ACS authenticates the request by checking the
Message-Authenticator attribute. If the Message-Authenticator attribute is missing or incorrect,
Cisco Secure ACS ignores the request. The presence of the Message-Authenticator attribute
prevents malicious use of a downloadable ACL name to gain unauthorized network access. The
Message-Authenticator attribute and its use are defined in RFC 2869, RADIUS Extensions,
available at http://www.ietf.org.
5. If the ACL required is less than approximately 4 KB in length, Cisco Secure ACS responds with an
access-accept message that includes the ACL. The largest ACL that can fit in a single access-accept
message is slightly less than 4 KB, because part of the message must be other required attributes.
Cisco Secure ACS sends the downloadable ACL in a cisco-av-pair RADIUS VSA. The ACL is
formatted as a series of attribute-value pairs that each include an ACE and are numbered serially:
ip:inacl#1=ACE-1
ip:inacl#2=ACE-2
.
.
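
The signing and checking described in steps 3 and 4, as an added Python example that is not from the Cisco guide or from Cisco's code: it builds the ACL-download Access-Request and verifies the Message-Authenticator as RFC 2869 defines it (HMAC-MD5 over the whole packet with the attribute's value zeroed, keyed with the RADIUS shared secret). The function names, the shared secret and the encoding chosen for the null password are assumptions.

```python
import hashlib, hmac, os, struct

# Attribute numbers: 1, 2 and 26 are from RFC 2865; 80 is from RFC 2869.
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 1, 2, 26, 80
CISCO_VENDOR, CISCO_AV_PAIR = 9, 1  # "vendor 9, attribute 1" from the text

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def av_pair(text):
    body = text.encode()
    sub = bytes([CISCO_AV_PAIR, len(body) + 2]) + body
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR) + sub)

def build_acl_download_request(acl_name, secret, ident=1):
    """Access-Request with the ACL name as User-Name, signed with attribute 80."""
    req_auth = os.urandom(16)
    # Assumption: the null password is an empty string hidden as in RFC 2865,
    # i.e. 16 zero octets XOR MD5(secret + Request Authenticator).
    null_password = hashlib.md5(secret + req_auth).digest()
    attrs = (attr(USER_NAME, acl_name.encode())
             + attr(USER_PASSWORD, null_password)
             + av_pair("AAA:service=ip-admission")
             + av_pair("AAA:event=acl-download")
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder, last
    packet = bytearray(struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(packet, secret):
    """True only if attribute 80 is present and its HMAC-MD5 matches."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += attr_len
    return False  # attribute missing: the request is ignored, as in step 4
```

A request whose User-Name is altered in transit, or one sent without knowledge of the shared secret, fails this check, which is why a downloadable ACL name alone is not enough to obtain an access-accept.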