41-12
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter41 Configuring AAA Rules for Network Access
Configuring Authorization for Network Access
Configuring a RADIUS Server to Send Downloadable Access Control Lists
This section describes how to configure Cisco Secure ACS or a third-party RADIUS server and includes
the following topics:
About the Downloadable Access List Feature and Cisco Secure ACS, page41-12
Configuring Cisco Secure ACS for Downloadable Access Lists, page41-13
Configuring Any RADIUS Server for Downloadable Access Lists, page41-14
Converting Wildcard Netmask Expressions in Downloadable Access Lists, page41-15

About the Downloadable Access List Feature and Cisco Secure ACS

Downloadable access lists is the most scalable means of using Cisco Secure ACS to provide the
appropriate access lists for each user. It provides the following capabilities:
Unlimited access list size—Downloadable access lists are sent using as many RADIUS packets as
required to transport the full access list from Cisco Secure ACS to the ASA.
Simplified and centralized management of access lists—Downloadable access lists enable you to
write a set of access lists once and apply it to many user or group profiles and distribute it to many
ASAs.
This approach is most useful when you have very large access list sets that you want to apply to more
than one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and
group management makes it useful for access lists of any size.
The ASA receives downloadable access lists from Cisco Secure ACS using the following process:
1. The ASA sends a RADIUS authentication request packet for the user session.
2. If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS
access-accept message that includes the internal name of the applicable downloadable access list.
The Cisco IOS cisco-av-pair RADIUS VSA (vendor 9, attribute 1) includes the following
attribute-value pair to identify the downloadable access list set:
ACS:CiscoSecure-Defined-ACL=acl-set-name
where acl-set-name is the internal name of the downloadable access list, which is a combination of
the name assigned to the access list by the Cisco Secure ACS administrator and the date and time
that the access list was last modified.
3. The ASA examines the name of the downloadable access list and determines if it has previously
received the named downloadable access list.
If the ASA has previously received the named downloadable access list, communication with
Cisco Secure ACS is complete and the ASA applies the access list to the user session. Because
the name of the downloadable access list includes the date and time that it was last modified,
matching the name sent by Cisco Secure ACS to the name of an access list previously
downloaded means that the ASA has the most recent version of the downloadable access list.
If the ASA has not previously received the named downloadable access list, it may have an
out-of-date version of the access list or it may not have downloaded any version of the access
list. In either case, the ASA issues a RADIUS authentication request using the downloadable
access list name as the username in the RADIUS request and a null password attribute. In a
cisco-av-pair RADIUS VSA, the request also includes the following attribute-value pairs:
AAA:service=ip-admission
AAA:event=acl-download