Configuring accounting for network access – Cisco ASA 5505 User Manual


38-18

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 38 Configuring AAA Rules for Network Access

Configuring Accounting for Network Access

Downloaded access lists have two spaces between the word “access-list” and the name. These spaces
serve to differentiate a downloaded access list from a local access list. In this example, “79AD4A08” is
a hash value generated by the ASA to help determine when access list definitions have changed on the
RADIUS server.

Converting Wildcard Netmask Expressions in Downloadable Access Lists

If a RADIUS server provides downloadable access lists to Cisco VPN 3000 series concentrators as well
as to the ASA, you may need the ASA to convert wildcard netmask expressions to standard netmask
expressions. This is because Cisco VPN 3000 series concentrators support wildcard netmask
expressions, but the ASA only supports standard netmask expressions. Configuring the ASA to convert
wildcard netmask expressions helps minimize the effects of these differences on how you configure
downloadable access lists on your RADIUS servers. Translation of wildcard netmask expressions means
that downloadable access lists written for Cisco VPN 3000 series concentrators can be used by the ASA
without altering the configuration of the downloadable access lists on the RADIUS server.

You configure access list netmask conversion on a per-server basis using the acl-netmask-convert
command, available in the aaa-server configuration mode. For more information about configuring a
RADIUS server, see the “Configuring AAA Server Groups” section on page 35-11. For more
information about the acl-netmask-convert command, see the command reference.
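The conversion the section describes is a bitwise complement: a wildcard mask marks the "don't care" bits with 1s, a standard netmask marks the fixed bits with 1s, so 0.0.0.255 becomes 255.255.255.0. The script below is an added example, not code from the ASA or from this guide; it applies that complement to the source and destination masks of an extended ACE. The three modes mirror the three ways a mask can be interpreted (already standard, always wildcard, or decided per mask), but the auto-detect heuristic is my own and is not the ASA's documented algorithm: it converts only masks that are valid solely as wildcards, leaves the ambiguous masks 0.0.0.0 and 255.255.255.255 unchanged, and rejects masks that are contiguous in neither form. The ACE shape it parses (action, protocol, two address specs, trailing port qualifiers) and the sample ACEs are assumptions for the example.

```python
import ipaddress


def mask_forms(mask):
    """Return the set of forms a dotted-quad mask is valid as.

    'standard' = contiguous 1-bits followed by 0-bits (255.255.255.0)
    'wildcard' = contiguous 0-bits followed by 1-bits (0.0.0.255)
    0.0.0.0 and 255.255.255.255 are valid as both, so they are ambiguous.
    """
    bits = format(int(ipaddress.IPv4Address(mask)), "032b")
    forms = set()
    if "01" not in bits:      # no 0 followed by 1: ones then zeros
        forms.add("standard")
    if "10" not in bits:      # no 1 followed by 0: zeros then ones
        forms.add("wildcard")
    return forms


def wildcard_to_netmask(mask):
    """Complement every bit: 0.0.0.255 -> 255.255.255.0 (and back again)."""
    bits = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def convert_mask(mask, mode):
    """Apply one conversion mode to a single mask.

    'standard'    - treat the mask as already standard; leave it alone
    'wildcard'    - treat the mask as a wildcard; always complement it
    'auto-detect' - example heuristic (not the ASA's documented behaviour):
                    complement masks valid only as wildcards, keep ambiguous
                    masks unchanged, reject masks valid in neither form
    """
    if mode == "standard":
        return mask
    if mode == "wildcard":
        return wildcard_to_netmask(mask)
    if mode != "auto-detect":
        raise ValueError(f"unknown mode {mode!r}")
    forms = mask_forms(mask)
    if not forms:
        raise ValueError(f"{mask} is neither a standard nor a wildcard mask")
    if forms == {"wildcard"}:
        return wildcard_to_netmask(mask)
    return mask


def convert_ace(ace, mode="auto-detect"):
    """Rewrite the source/destination masks of one extended ACE.

    Assumed shape: <permit|deny> <protocol> <src-spec> <dst-spec> [rest...]
    where each spec is 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.
    """
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unrecognised ACE: {ace!r}")
    out = tokens[:2]
    i = 2
    for _ in range(2):  # source spec, then destination spec
        if i >= len(tokens):
            raise ValueError(f"truncated ACE: {ace!r}")
        if tokens[i] == "any":
            out.append("any")
            i += 1
        elif tokens[i] == "host":
            out.extend(tokens[i:i + 2])
            i += 2
        else:
            if i + 1 >= len(tokens):
                raise ValueError(f"address without mask in ACE: {ace!r}")
            addr, mask = tokens[i], tokens[i + 1]
            out.extend([addr, convert_mask(mask, mode)])
            i += 2
    out.extend(tokens[i:])      # port qualifiers etc. pass through untouched
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample ACEs written in VPN 3000 wildcard style.
    for ace in ("permit ip 10.1.1.0 0.0.0.255 any",
                "deny tcp 10.1.1.0 0.0.0.255 192.168.2.0 0.0.0.255 eq 80"):
        print(ace, "->", convert_ace(ace))
```

The ambiguous cases are worth noticing when you plan a migration: 0.0.0.0 means "any host" as a standard netmask but "exactly this host" as a wildcard, so an ACE that relies on either value cannot be converted safely by inspection alone and is better rewritten as `any` or `host` on the RADIUS server.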

Configuring a RADIUS Server to Download Per-User Access Control List Names

To download a name for an access list that you already created on the ASA from the RADIUS server
when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11) as
follows:

filter-id=acl_name

Note: In Cisco Secure ACS, the values for filter-id attributes are specified in boxes in the HTML interface,
omitting filter-id= and entering only acl_name.

For information about making the filter-id attribute value unique per user, see the documentation for your
RADIUS server.

To create an access list on the ASA, see Chapter 15, “Adding an Extended Access List.”

Configuring Accounting for Network Access

The ASA can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP
traffic that passes through the ASA. If that traffic is also authenticated, then the AAA server can maintain
accounting information by username. If the traffic is not authenticated, the AAA server can maintain
accounting information by IP address. Accounting information includes session start and stop times,
username, the number of bytes that pass through the ASA for the session, the service used, and the
duration of each session.
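The paragraph above describes what the accounting records carry and how the AAA server keys them: by username when the traffic was authenticated, by IP address otherwise. The following is an added example, not code from this guide or from the ASA, showing how a collector on the server side would fold a stream of start and stop records into per-principal totals while flagging the inconsistencies a defender cares about (a stop with no matching start, a start that never stops). The record layout is an assumption: the attribute names follow RFC 2866 RADIUS accounting (Acct-Status-Type, Acct-Session-Id, Acct-Session-Time, Acct-Input-Octets, Acct-Output-Octets, User-Name, Framed-IP-Address), and the sample records are constructed for the example; this page does not show the exact attributes the ASA emits.

```python
from collections import defaultdict

# Constructed sample records (not captured from an ASA). Only Stop records
# carry the byte counts and session duration; Start records open a session.
SAMPLE_RECORDS = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0001", "User-Name": "alice",
     "Framed-IP-Address": "10.1.1.5"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0002",
     "Framed-IP-Address": "10.1.1.9"},                      # unauthenticated: no User-Name
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0001", "User-Name": "alice",
     "Framed-IP-Address": "10.1.1.5", "Acct-Session-Time": 60,
     "Acct-Input-Octets": 1200, "Acct-Output-Octets": 3400},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0002",
     "Framed-IP-Address": "10.1.1.9", "Acct-Session-Time": 30,
     "Acct-Input-Octets": 500, "Acct-Output-Octets": 700},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "0003", "User-Name": "bob",
     "Framed-IP-Address": "10.1.1.7", "Acct-Session-Time": 5,
     "Acct-Input-Octets": 10, "Acct-Output-Octets": 10},   # Stop with no Start
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "0004", "User-Name": "alice",
     "Framed-IP-Address": "10.1.1.5"},                      # never stopped
]


def principal(record):
    """Key a record by username if the traffic was authenticated, else by IP."""
    return record.get("User-Name") or record["Framed-IP-Address"]


def summarize_accounting(records):
    """Return (totals, anomalies).

    totals:    {principal: {"sessions": n, "bytes": total, "duration": seconds}}
    anomalies: human-readable list of records that break the Start/Stop pairing
    """
    open_sessions = {}                      # session id -> principal
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0, "duration": 0})
    anomalies = []
    for r in records:
        key = principal(r)
        sid = r["Acct-Session-Id"]
        status = r["Acct-Status-Type"]
        if status == "Start":
            if sid in open_sessions:
                anomalies.append(f"duplicate Start for session {sid}")
            open_sessions[sid] = key
        elif status == "Stop":
            if sid in open_sessions:
                del open_sessions[sid]
            else:
                anomalies.append(f"Stop without Start for session {sid}")
            t = totals[key]
            t["sessions"] += 1
            t["bytes"] += r.get("Acct-Input-Octets", 0) + r.get("Acct-Output-Octets", 0)
            t["duration"] += r.get("Acct-Session-Time", 0)
        else:
            anomalies.append(f"unexpected Acct-Status-Type {status!r} in session {sid}")
    for sid, key in open_sessions.items():
        anomalies.append(f"session {sid} for {key} has no Stop record")
    return dict(totals), anomalies


if __name__ == "__main__":
    totals, anomalies = summarize_accounting(SAMPLE_RECORDS)
    for key, t in totals.items():
        print(f"{key:12} sessions={t['sessions']} bytes={t['bytes']} duration={t['duration']}s")
    for a in anomalies:
        print("anomaly:", a)
```

Note that byte totals still accumulate for a principal whose stop arrived without a start; dropping such records would hide exactly the gap you want to investigate, so the example keeps the totals and reports the mismatch separately.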

To configure accounting, perform the following steps:
