Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 38 Configuring AAA Rules for Network Access

Configuring Authorization for Network Access

ip:inacl#2=ACE-2
...
ip:inacl#n=ACE-n

The following is an example of an attribute-value pair:

ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0

6. If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds
with an access-challenge message that includes a portion of the access list, formatted as described
previously, and a State attribute (IETF RADIUS attribute 24), which includes control data used by
Cisco Secure ACS to track the progress of the download. Cisco Secure ACS fits as many complete
attribute-value pairs into the cisco-av-pair RADIUS VSA as it can without exceeding the maximum
RADIUS message size.

The ASA stores the portion of the access list received and responds with another access-request
message that includes the same attributes as the first request for the downloadable access list, plus
a copy of the State attribute received in the access-challenge message.

This process repeats until Cisco Secure ACS sends the last of the access list in an access-accept
message.
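The challenge/response download described in step 6 and the two paragraphs above, as an added example that is not part of the configuration guide and not Cisco code: a Python simulation in which a stand-in for Cisco Secure ACS splits the ip:inacl#n av-pairs across access-challenge messages under a per-message byte budget and tracks progress with a single-use State token, while a stand-in for the ASA re-sends its request with the State echoed until an access-accept arrives, then reassembles the ACEs by index and refuses gaps or duplicates. The dict-based messages, the 400-byte demo budget, the single-use token check and the sample ACL are constructed assumptions; real RADIUS encoding, the shared secret and the exact attributes of the ASA's original request are not modelled.

```python
import secrets

MAX_RADIUS_MSG = 4096      # RADIUS packet ceiling (RFC 2865); ACS stays below it
STATE_ATTR = 24            # IETF RADIUS attribute 24, State (per the page)
VSA_PREFIX = "ip:inacl#"   # cisco-av-pair key under which each ACE is delivered

# Constructed ACL, long enough to need several messages at the demo budget below.
ACL_DEFINITION = [f"permit tcp any host 10.0.0.{h}" for h in range(254, 200, -1)]


def to_av_pairs(aces):
    """Render ACEs as ip:inacl#n=ACE-n pairs, numbered from 1."""
    return [f"{VSA_PREFIX}{i}={ace}" for i, ace in enumerate(aces, start=1)]


class SimulatedACS:
    """Server side. Each reply carries as many whole av-pairs as fit in the
    budget; an opaque State value records how far the download has got."""

    def __init__(self, aces, budget=MAX_RADIUS_MSG):
        self.pairs = to_av_pairs(aces)
        self.budget = budget        # bytes of av-pair payload per message (simplified)
        self.sessions = {}          # State token -> index of the next pair to send

    def _chunk(self, start):
        size, end = 0, start
        while end < len(self.pairs) and size + len(self.pairs[end]) + 1 <= self.budget:
            size += len(self.pairs[end]) + 1
            end += 1
        if end == start:
            raise ValueError("a single av-pair exceeds the message budget")
        return self.pairs[start:end], end

    def handle(self, request):
        state = request.get(STATE_ATTR)
        if state is None:
            start = 0                               # first request for this ACL
        elif state in self.sessions:
            start = self.sessions.pop(state)        # continuation; token is single-use
        else:
            return {"code": "Access-Reject"}        # unknown, stale or replayed State
        chunk, nxt = self._chunk(start)
        if nxt == len(self.pairs):
            return {"code": "Access-Accept", "cisco-av-pair": chunk}
        token = secrets.token_hex(8)
        self.sessions[token] = nxt
        return {"code": "Access-Challenge", "cisco-av-pair": chunk, STATE_ATTR: token}


def asa_download(acs, request):
    """Client side. Re-send the same request, plus the echoed State, until an
    Access-Accept arrives; collect the av-pairs from every reply on the way."""
    received, rounds = [], 0
    while True:
        rounds += 1
        reply = acs.handle(request)
        if reply["code"] == "Access-Reject":
            raise RuntimeError("downloadable ACL request rejected")
        received.extend(reply["cisco-av-pair"])
        if reply["code"] == "Access-Accept":
            return received, rounds
        request = {**request, STATE_ATTR: reply[STATE_ATTR]}


def reassemble(pairs):
    """Order the received pairs by their #n index and return the ACEs.
    Gaps or duplicates mean the download is incomplete or corrupt: refuse it
    rather than install a partial ACL."""
    entries = {}
    for pair in pairs:
        key, sep, ace = pair.partition("=")
        if sep != "=" or not key.startswith(VSA_PREFIX):
            raise ValueError(f"not an inacl pair: {pair!r}")
        n = int(key[len(VSA_PREFIX):])
        if n in entries:
            raise ValueError(f"duplicate ACE index {n}")
        entries[n] = ace
    if sorted(entries) != list(range(1, len(entries) + 1)):
        raise ValueError("ACE indices are not contiguous from 1")
    return [entries[n] for n in sorted(entries)]


def demo(budget=400):
    """Run the exchange at a small budget so it takes several rounds; return
    (download matched the ACL?, number of RADIUS round trips)."""
    acs = SimulatedACS(ACL_DEFINITION, budget=budget)
    # Constructed request: the real first request carries the attributes the
    # ASA used to ask for the ACL; only their repetition matters here.
    pairs, rounds = asa_download(acs, {"code": "Access-Request", "User-Name": "asa1"})
    return reassemble(pairs) == ACL_DEFINITION, rounds


if __name__ == "__main__":
    print(demo())   # (True, 6)
```

At the 400-byte budget demo() returns (True, 6): nine av-pairs fit per message, so 54 ACEs take five access-challenge messages and a final access-accept. With a budget large enough for the whole list it returns (True, 1), the case in which ACS sends everything in one access-accept. The two checks worth carrying into any implementation are that the State value is echoed back opaque and unchanged, and that nothing is installed until the access-accept has arrived and the ACE indices form a complete sequence.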

Configuring Cisco Secure ACS for Downloadable Access Lists

You can configure downloadable access lists on Cisco Secure ACS as a shared profile component and
then assign the access list to a group or to an individual user.

The access list definition consists of one or more ASA commands that are similar to the extended
access-list command (see command reference), except without the following prefix:

access-list acl_name extended

The following example is a downloadable access list definition on Cisco Secure ACS version 3.3:

Shared Profile Components

Downloadable IP ACLs Content

Name: acs_ten_acl

ACL Definitions:

permit tcp any host 10.0.0.254
permit udp any host 10.0.0.254
permit icmp any host 10.0.0.254
permit tcp any host 10.0.0.253
permit udp any host 10.0.0.253
permit icmp any host 10.0.0.253
permit tcp any host 10.0.0.252
permit udp any host 10.0.0.252
permit icmp any host 10.0.0.252
permit ip any any

For more information about creating downloadable access lists and associating them with users, see the
user guide for your version of Cisco Secure ACS.

On the ASA, the downloaded access list has the following name:

#ACSACL#-ip-acl_name-number
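The ACS-side definition and the ASA-side naming described in this section, as an added example that is not part of the configuration guide and not Cisco code: a small Python checker that validates each line of a Downloadable IP ACL definition against a restricted ACE grammar (permit/deny, protocol, source and destination as any, host A.B.C.D or A.B.C.D MASK), flags lines that wrongly carry the access-list acl_name extended prefix, and renders the equivalent static extended ACEs under the #ACSACL#-ip-acl_name-number name so they can be compared side by side with what the ASA shows. The sample definition, the version number passed as the trailing number (ACS generates the real one) and the pass-through of trailing tokens such as port operators are constructed assumptions.

```python
import ipaddress
import re

ACL_NAME = "acs_ten_acl"

# Constructed ACS definition: the page's entries, plus one line that wrongly
# carries the 'access-list NAME extended' prefix the page says to omit.
ACS_DEFINITION = """\
permit tcp any host 10.0.0.254
permit udp any host 10.0.0.254
access-list acs_ten_acl extended permit icmp any host 10.0.0.254
permit tcp any host 10.0.0.253 eq 443
permit ip any any
"""

PREFIX_RE = re.compile(r"^\s*access-list\s+\S+\s+extended\s+")
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}


def _endpoint(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    Returns (normalized spec, remaining tokens); raises ValueError on bad input."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        if len(tokens) < 2:
            raise ValueError("host keyword without address")
        ipaddress.IPv4Address(tokens[1])            # raises on a malformed address
        return f"host {tokens[1]}", tokens[2:]
    if len(tokens) < 2:
        raise ValueError("address without mask")
    ipaddress.IPv4Address(tokens[0])
    ipaddress.IPv4Address(tokens[1])                # ASA syntax uses a subnet mask, not a wildcard
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_ace(line):
    """Validate one ACE as ACS expects it. Trailing tokens (port operators,
    log keywords) are passed through rather than modelled."""
    body = PREFIX_RE.sub("", line)
    had_prefix = body != line
    tokens = body.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an ACE: {line!r}")
    if tokens[1] not in PROTOCOLS:
        raise ValueError(f"unsupported protocol in: {line!r}")
    src, rest = _endpoint(tokens[2:])
    dst, rest = _endpoint(rest)
    return {"action": tokens[0], "protocol": tokens[1], "src": src, "dst": dst,
            "extra": " ".join(rest), "had_prefix": had_prefix}


def translate(definition, acl_name, version):
    """Return (asa_name, asa_commands, warnings). asa_name follows the page's
    #ACSACL#-ip-acl_name-number pattern; 'version' stands in for the number
    ACS assigns (assumption: the caller supplies it). asa_commands are the
    static extended ACEs equivalent to the download, for a side-by-side check."""
    asa_name = f"#ACSACL#-ip-{acl_name}-{version}"
    commands, warnings = [], []
    for lineno, line in enumerate(definition.splitlines(), start=1):
        if not line.strip():
            continue
        ace = parse_ace(line)
        if ace["had_prefix"]:
            warnings.append(f"line {lineno}: remove the 'access-list ... extended' prefix")
        fields = [ace["action"], ace["protocol"], ace["src"], ace["dst"], ace["extra"]]
        commands.append(f"access-list {asa_name} extended " + " ".join(f for f in fields if f))
    return asa_name, commands, warnings


if __name__ == "__main__":
    name, cmds, warns = translate(ACS_DEFINITION, ACL_NAME, "1")
    print(name)
    print("\n".join(cmds))
    print("\n".join(warns))
```

The prefixed line is accepted but reported, since ACS stores whatever text is entered and the mistake only surfaces when the ASA tries to apply the download; catching it at definition time is cheaper. Addresses are checked with ipaddress so a typo such as 10.0.0.999 is rejected before it reaches the profile.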
