RADIUS Authorization Functions, TACACS+ Server Support, RSA/SDI Server Support – Cisco ASA 5505 User Manual

Page 685: RSA/SDI Version Support, Two-step Authentication Process


35-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 35 Configuring AAA Servers and the Local Database

Information About AAA

A list of attributes is available at the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1605508

RADIUS Authorization Functions

The ASA can use RADIUS servers to authorize VPN remote-access and firewall cut-through proxy sessions, using either a dynamic (downloadable) access list or the name of an access list, per user. To use dynamic access lists, you must configure the RADIUS server to support them. When the user authenticates, the RADIUS server returns the downloadable access list, or the name of an access list that is already configured on the ASA, and the ASA permits or denies access to a given service according to that access list. The ASA deletes the access list when the authentication session expires.

In addition to access lists, the ASA supports many other attributes for authorization and for setting permissions on VPN remote-access and firewall cut-through proxy sessions. For a complete list of authorization attributes, see the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1605508
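The authorization exchange described above, as an added example (not code from the Cisco guide): a RADIUS Access-Accept carrying both forms of per-user authorization, an access list name in Filter-Id and a downloadable access list as cisco-av-pair `ip:inacl#N=` lines, built on the server side and then validated and decoded the way a NAS such as the ASA must before applying it. The shared secret, request authenticator and ACEs are constructed; which of the two attribute forms a given RADIUS server emits is an assumption about that server's configuration, not something this page states.

```python
"""RADIUS Access-Accept with per-user ACL authorization (added example)."""
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865)
CODE_ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11          # names an access list that must already exist on the ASA
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # vendor-type 1 = cisco-av-pair


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a cisco-av-pair string in a Vendor-Specific attribute (vendor 9, type 1)."""
    value = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side. Recompute the Response Authenticator and compare in constant time;
    a reply that fails here was not produced for this request by a holder of the secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def iter_attrs(attrs: bytes):
    """Yield (type, value) pairs; refuse malformed lengths rather than loop forever."""
    pos = 0
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, attrs[pos + 2:pos + length]
        pos += length


def extract_authorization(packet: bytes) -> dict:
    """Pull ACL names (Filter-Id) and downloadable ACL lines (ip:inacl#N=) from an Access-Accept.
    The ACEs are ordered by N, which is the order the NAS installs them in."""
    result = {"acl_names": [], "dacl": []}
    numbered = []
    for attr_type, value in iter_attrs(packet[20:]):
        if attr_type == ATTR_FILTER_ID:
            result["acl_names"].append(value.decode())
        elif (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 4
              and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            for vtype, vvalue in iter_attrs(value[4:]):
                if vtype != CISCO_AVPAIR:
                    continue
                key, _, ace = vvalue.decode().partition("=")
                index = key[len("ip:inacl#"):]
                if key.startswith("ip:inacl#") and index.isdigit():
                    numbered.append((int(index), ace))
    result["dacl"] = [ace for _, ace in sorted(numbered)]
    return result


def demo() -> dict:
    secret = b"asa-shared-secret"        # constructed shared secret
    request_auth = bytes(range(16))       # stands in for the Access-Request Authenticator
    attrs = (avp(ATTR_FILTER_ID, b"VPN_USERS_ACL")
             + cisco_avpair("ip:inacl#2=deny ip any any")
             + cisco_avpair("ip:inacl#1=permit tcp any host 10.0.0.5 eq 443"))
    packet = build_access_accept(7, request_auth, secret, attrs)
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])   # flip one bit of the last ACE
    return {
        "valid": verify_access_accept(packet, request_auth, secret),
        "tampered_valid": verify_access_accept(tampered, request_auth, secret),
        "wrong_secret_valid": verify_access_accept(packet, request_auth, b"other"),
        "authorization": extract_authorization(packet),
    }


if __name__ == "__main__":
    print(demo())
```

The Response Authenticator is the only integrity protection on a plain Access-Accept, and it is MD5 keyed with the shared secret over the request authenticator, so a weak or widely shared secret lets anyone on the path between the RADIUS server and the ASA rewrite the downloaded access list. Treat the secret like a credential, use a distinct one per server, and keep the RADIUS path off untrusted networks.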

TACACS+ Server Support

The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.

RSA/SDI Server Support

RSA SecurID servers are also known as SDI servers.

This section includes the following topics:

RSA/SDI Version Support, page 35-5

Two-step Authentication Process, page 35-5

RSA/SDI Primary and Replica Servers, page 35-6

RSA/SDI Version Support

The ASA supports SDI versions 5.x, 6.x, and 7.x. SDI uses the concepts of an SDI primary server and SDI replica servers. A primary and its replicas share a single node secret file. The node secret file is named after the hexadecimal value of the ACE/Server IP address, with .sdi appended.
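Because the node secret file name is derived from the server address, you can reconcile the .sdi files on flash against the SDI hosts in the running configuration. The following is an added example, not code from the Cisco guide; it assumes the address is written as eight zero-padded hexadecimal digits in octet order (10.1.2.3 becomes 0a010203.sdi), which the page does not spell out, and the directory listing and host list are constructed.

```python
"""Reconcile RSA/SDI node secret files on flash with configured SDI hosts (added example)."""
import ipaddress
import re
from typing import List, Optional

# Assumption: eight zero-padded hex digits, octet order preserved, then ".sdi".
NODE_SECRET_RE = re.compile(r"^([0-9a-fA-F]{8})\.sdi$")


def node_secret_filename(server_ip: str) -> str:
    """Expected node secret file name for an SDI primary or replica address."""
    return f"{int(ipaddress.IPv4Address(server_ip)):08x}.sdi"


def server_ip_from_filename(filename: str) -> Optional[str]:
    """Reverse the mapping; None for anything that is not a node secret file."""
    match = NODE_SECRET_RE.match(filename)
    return str(ipaddress.IPv4Address(int(match.group(1), 16))) if match else None


def audit_node_secrets(dir_listing: str, configured_sdi_hosts: List[str]) -> dict:
    """Compare node secret files (last token of each 'dir' line) with configured SDI hosts.
    stale: a secret for a server no longer configured; missing: no node secret has
    been established with that host yet."""
    present = {}
    for line in dir_listing.splitlines():
        tokens = line.split()
        server_ip = server_ip_from_filename(tokens[-1]) if tokens else None
        if server_ip:
            present[server_ip] = tokens[-1]
    configured = set(configured_sdi_hosts)
    return {
        "stale": sorted(ip for ip in present if ip not in configured),
        "missing": sorted(ip for ip in configured if ip not in present),
        "ok": sorted(ip for ip in configured if ip in present),
    }


# Constructed 'dir' output and host list, not taken from a real device.
SAMPLE_DIR = """\
  12  -rw-  15962112  09:11:02 Mar 03 2012  asa842-k8.bin
  13  -rw-      1284  09:15:40 Mar 03 2012  c0a80101.sdi
  14  -rw-      1284  11:02:17 Jan 21 2012  0a010203.sdi
  15  -rw-     24580  09:20:05 Mar 03 2012  startup-config"""
SAMPLE_HOSTS = ["192.168.1.1", "192.168.1.2"]


def demo_audit() -> dict:
    return audit_node_secrets(SAMPLE_DIR, SAMPLE_HOSTS)


if __name__ == "__main__":
    print(demo_audit())
```

A node secret is a shared secret between the agent and the RSA server, so a stale .sdi file for a decommissioned or renumbered server is sensitive material that should be removed from flash, and flash images that contain .sdi files should be handled as secrets rather than as ordinary backups.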

A version 5.x, 6.x, or 7.x SDI server that you configure on the ASA can be either the primary or any one of the replicas. See the “RSA/SDI Primary and Replica Servers” section on page 35-6 for information about how the SDI agent selects servers to authenticate users.

Two-step Authentication Process

SDI versions 5.x, 6.x, and 7.x use a two-step process to prevent an intruder from capturing information from an RSA SecurID authentication request and replaying it to authenticate to another server. The agent first sends a lock request to the SecurID server, and only then sends the user authentication request. The server
