Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Configuring Any RADIUS Server for Downloadable ACLs

8-16

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter8 Configuring AAA Rules for Network Access

Configuring Authorization for Network Access

| permit udp any host 10.0.0.253 |

| permit icmp any host 10.0.0.253 |

| permit tcp any host 10.0.0.252 |

| permit udp any host 10.0.0.252 |

| permit icmp any host 10.0.0.252 |

| permit ip any any |

+--------------------------------------------+

For more information about creating downloadable ACLs and associating them with users, see the user

guide for your version of Cisco Secure ACS.

On the ASA, the downloaded ACL has the following name:

#ACSACL#-ip-acl_name-number

The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding

example), and number is a unique version ID generated by Cisco Secure ACS.

The downloaded ACL on the ASA consists of the following lines:

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.254

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.254

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.254

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.253

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.253

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.253

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.252

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.252

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.252

access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit ip any any

Configuring Any RADIUS Server for Downloadable ACLs

You can configure any RADIUS server that supports Cisco IOS RADIUS VSAs to send user-specific

ACLs to the ASA in a Cisco IOS RADIUS cisco-av-pair VSA (vendor 9, attribute 1).

In the cisco-av-pair VSA, configure one or more ACEs that are similar to the access-list extended

command (see command reference), except that you replace the following command prefix:

access-list acl_name extended

with the following text:

ip:inacl#nnn=

The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command

statement to be configured on the ASA. If this parameter is omitted, the sequence value is 0, and the

order of the ACEs inside the cisco-av-pair RADIUS VSA is used.

The following example is an ACL definition as it should be configured for a cisco-av-pair VSA on a

RADIUS server:

ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

ip:inacl#99=deny tcp any any

ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

ip:inacl#100=deny udp any any

ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

For information about making unique per user the ACLs that are sent in the cisco-av-pair attribute, see

the documentation for your RADIUS server.

On the ASA, the downloaded ACL name has the following format:

AAA-user-username

Cisco Systems Configuring Any RADIUS Server for Downloadable ACLs

Models: ASA 5545-X ASA 5555-X ASA 5580 ASA 5585-X ASA Services Module ASA 5505