Chapter 8 Configuring AAA Rules for Network Access

Configuring Authorization for Network Access

Configuring a RADIUS Server to Send Downloadable Access Control Lists

This section describes how to configure Cisco Secure ACS or a third-party RADIUS server and includes the following topics:

About the Downloadable ACL Feature and Cisco Secure ACS, page 8-14

Configuring Cisco Secure ACS for Downloadable ACLs, page 8-15

Configuring Any RADIUS Server for Downloadable ACLs, page 8-16

Converting Wildcard Netmask Expressions in Downloadable ACLs, page 8-17

About the Downloadable ACL Feature and Cisco Secure ACS

Downloadable ACLs is the most scalable means of using Cisco Secure ACS to provide the appropriate ACLs for each user. It provides the following capabilities:

Unlimited ACL size—Downloadable ACLs are sent using as many RADIUS packets as required to transport the full ACL from Cisco Secure ACS to the ASA.

Simplified and centralized management of ACLs—Downloadable ACLs enable you to write a set of ACLs once and apply it to many user or group profiles and distribute it to many ASAs.

This approach is most useful when you have very large ACL sets that you want to apply to more than one Cisco Secure ACS user or group; however, its ability to simplify Cisco Secure ACS user and group management makes it useful for ACLs of any size.

The ASA receives downloadable ACLs from Cisco Secure ACS using the following process:

1.The ASA sends a RADIUS authentication request packet for the user session.

2.If Cisco Secure ACS successfully authenticates the user, Cisco Secure ACS returns a RADIUS access-accept message that includes the internal name of the applicable downloadable ACL. The Cisco IOS cisco-av-pair RADIUS VSA (vendor 9, attribute 1) includes the following attribute-value pair to identify the downloadable ACL set:

ACS:CiscoSecure-Defined-ACL=acl-set-name

where acl-set-nameis the internal name of the downloadable ACL, which is a combination of the name assigned to the ACL by the Cisco Secure ACS administrator and the date and time that the ACL was last modified.

3.The ASA examines the name of the downloadable ACL and determines if it has previously received the named downloadable ACL.

If the ASA has previously received the named downloadable ACL, communication with Cisco Secure ACS is complete and the ASA applies the ACL to the user session. Because the name of the downloadable ACL includes the date and time that it was last modified, matching the name sent by Cisco Secure ACS to the name of an ACL previously downloaded means that the ASA has the most recent version of the downloadable ACL.

If the ASA has not previously received the named downloadable ACL, it may have an out-of-date version of the ACL or it may not have downloaded any version of the ACL. In either case, the ASA issues a RADIUS authentication request using the downloadable ACL name as the username in the RADIUS request and a null password attribute. In a cisco-av-pair RADIUS VSA, the request also includes the following attribute-value pairs:

AAA:service=ip-admission

AAA:event=acl-download

In addition, the ASA signs the request with the Message-Authenticator attribute (IETF RADIUS attribute 80).

Cisco ASA Series Firewall ASDM Configuration Guide

8-14

Page 253 Page 255
Page 254
Image 254
Cisco Systems ASA 5555-X, ASA 5505, ASA 5545-X, ASA 5585-X, ASA 5580 About the Downloadable ACL Feature and Cisco Secure ACS
Page 253 Page 255

ASA Services Module, ASA 5555-X, ASA 5545-X, ASA 5585-X, ASA 5580 specifications

Cisco Systems has long been a leader in the field of network security, and its Adaptive Security Appliance (ASA) series is a testament to this expertise. Within the ASA lineup, models such as the ASA 5505, ASA 5580, ASA 5585-X, ASA 5545-X, and ASA 5555-X stand out for their unique features, capabilities, and technological advancements.

The Cisco ASA 5505 is designed for small businesses or branch offices. It provides essential security features such as firewall protection, flexible VPN capabilities, and intrusion prevention. The ASA 5505 supports a user-friendly interface, allowing for straightforward management. Its built-in threat detection and prevention tools provide a layered defense, and with scalability in mind, it can accommodate various expansion options as organizational needs grow.

Moving up the line, the ASA 5580 delivers greater throughput and advanced security features. This model is suited for medium to large enterprises that require robust protection against increasingly sophisticated threats. Its multi-core architecture allows it to manage high volumes of traffic seamlessly while maintaining excellent performance levels. The ASA 5580 also supports application-layer security and customizable access policies, making it highly adaptable to diverse security environments.

The ASA 5585-X further enhances Cisco's security offerings with advanced malware protection and extensive security intelligence capabilities. It incorporates next-generation firewall features, including context-aware security, and supports advanced threat detection technologies. This model is ideal for large enterprises or data centers that prioritize security while ensuring uninterrupted network performance and availability.

For enterprises requiring a balance of performance and security, the ASA 5545-X presents a compelling option. This model features scalable performance metrics, high availability, and integrated advanced threat protection. Coupled with advanced endpoint protection and detailed monitoring capabilities, the ASA 5545-X enables organizations to manage their security posture effectively.

Lastly, the ASA 5555-X blends cutting-edge technologies with strong security infrastructures. It boasts high throughput and the ability to execute deep packet inspections. Its sophisticated architecture supports threat intelligence feeds that provide real-time security updates, making it a powerful tool against modern threats.

Each of these Cisco ASA models brings specific advantages to varied environments. Their integrative capabilities enable businesses to enhance their security postures while benefiting from seamless scalability and management. As cybersecurity threats evolve, these advanced appliances play a vital role in protecting valuable digital assets.
Top Page Image Contents