Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 Configuring Accounting for Network Access

8-17

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter8 Configuring AAA Rules for Network Access

Configuring Accounting for Network Access

The username argument is the name of the user that is being authenticated.

The downloaded ACL on the ASA consists of the following lines. Notice the order based on the numbers

identified on the RADIUS server.

access-list AAA-user-bcham34-79AD4A08 permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

access-list AAA-user-bcham34-79AD4A08 permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

access-list AAA-user-bcham34-79AD4A08 permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

access-list AAA-user-bcham34-79AD4A08 deny tcp any any

access-list AAA-user-bcham34-79AD4A08 deny udp any any

Downloaded ACLs have two spaces between the word “access-list” and the name. These spaces serve to

differentiate a downloaded ACL from a local ACL. In this example, “79AD4A08” is a hash value

generated by the ASA to help determine when ACL definitions have changed on the RADIUS server.

If a RADIUS server pr ovides dow nloadabl e ACLs to Cisco VPN 3000 series concentrators as well as to

the ASA, you may need the ASA to convert wildcard netmask expressions to standard netmask

expressions. This is because Cisco VPN 3000 series concentrators support wildcard netmask

expressions, but the ASA only supports standard netmask expressions. Configuring the ASA to convert

wildcard netmask expressions helps minimize the effects of these differences on how you configure

downloadable ACLs on your RADIUS servers. Translation of wildcard netmask expressions means that

downloadable ACLs written for Cisco VPN 3000 series concentrators can be used by the ASA without

altering the configuration of the downloadable ACLs on the RADIUS server.

You configure ACL netmask conversion on a per-server basis when you add a server to a server group

in the Configuration > Device Management > Users/AAA > AAA Server Groups > AAA Server Groups

area.

To download a name for an ACL that you already created on the ASA from the RADIUS server when a

user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11) as follows:

filter-id=acl_name

Note In Cisco Secure ACS, the values for filter-id attributes are specified in boxes in the HTML interface,

omitting filter-id= and entering only acl_name.

For information about making the filter-id attribute value unique per user, see the documentation for your

RADIUS server.

To create an ACL on the ASA, see Chapter21, “Using the ACL Manager,” in the general operations

configuration guide.

Configuring Accounting for Network Access

The ASA can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP

traffic that passes through the ASA. If that traffic is also authenticated, then the AAA server can maintain

accounting information by username. If the traffic is not authenticated, the AAA server can maintain

Cisco Systems Configuring Accounting for Network Access