12-4
ASDM User Guide
OL-12180-01
Chapter12 Configuring AAA Servers and User Accounts
AAA Server and Local Database Support
This section contains the following topics:
•Authentication Methods, page 12-4
•Attribute Support, page 12-4
•RADIUS Authorization Functions, page 12-4
Authentication Methods
The security appliance supports the following authentication methods with RADIUS:
•PAP—For all connection types.
•CHAP—For L2TP-over-IPSec.
•MS-CHAPv1—For L2TP-over-IPSec.
•MS-CHAPv2—For L2TP-over-IPSec, and for regular IPSec remote access connections when the
password management feature is enabled.
Attribute Support
The security appliance supports the following sets of RADIUS attributes:
•Authentication attributes defined in RFC 2138.
•Accounting attributes defined in RFC 2139.
•RADIUS attributes for tunneled protocol support, defined in RFC 2868.
•Cisco IOS VSAs, identified by RADIUS vendor ID 9.
•Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
•Microsoft VSAs, defined in RFC 2548.
RADIUS Authorization Functions
Thesecurity appliance can use RADIUS servers for user authorization for network access using dynamic
access lists or access list names per user. To implement dynamic access lists, you must configure the
RADIUS server to support it. When the user authenticates, the RADIUS server sends a downloadable
access list or access list name to the security appliance. Access to a givenservice is either permitted or
denied by the access list. The security appliance deletes the access list when the authentication session
expires.
TACACS+ Server SupportThe security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
SDI Server SupportThe RSA SecureID servers are also known as SDI servers.
This section contains the following topics:
•SDI Version Support, page 12-5