Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Configuring Any RADIUS Server for Downloadable Access Lists

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter41 Configuring AAA Rules for Network Access

Configuring Authorization for Network Access

| Name: acs_ten_acl |

| ACL Definitions |

| permit tcp any host 10.0.0.254 |

| permit udp any host 10.0.0.254 |

| permit icmp any host 10.0.0.254 |

| permit tcp any host 10.0.0.253 |

| permit udp any host 10.0.0.253 |

| permit icmp any host 10.0.0.253 |

| permit tcp any host 10.0.0.252 |

| permit udp any host 10.0.0.252 |

| permit icmp any host 10.0.0.252 |

| permit ip any any |

+--------------------------------------------+

For more information about creating downloadable access lists and associating them with users, see the

user guide for your version of Cisco Secure ACS.

On the ASA, the downloaded access list has the following name:

#ACSACL#-ip-acl_name-number

The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding

example), and number is a unique version ID generated by Cisco Secure ACS.

The downloaded access list on the ASA consists of the following lines:

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.254

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.254

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.254

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.253

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.253

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.253

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.252

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.252

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.252

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit ip any any

Configuring Any RADIUS Server for Downloadable Access Lists

You can configure any RADIUS server that supports Cisco IOS RADIUS VSAs to send user-specific

access lists to the ASA in a Cisco IOS RADIUS cisco-av-pair VSA (vendor 9, attribute 1).

In the cisco-av-pair VSA, configure one or more ACEs that are similar to the access-list extended

command (see command reference), except that you replace the following command prefix:

access-list acl_name extended

with the following text:

ip:inacl#nnn=

The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command

statement to be configured on the ASA. If this parameter is omitted, the sequence value is 0, and the

order of the ACEs inside the cisco-av-pair RADIUS VSA is used.

The following example is an access list definition as it should be configured for a cisco-av-pair VSA on

a RADIUS server:

ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

ip:inacl#99=deny tcp any any

Contents

Cisco Systems Configuring Any RADIUS Server for Downloadable Access Lists

Models: ASA 5510 ASA 5512-X ASA 5515-X ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X ASA 5580 ASA 5585-X ASA 5505