Cisco ASA 5505 Configuration Manual page 711

Asa 5500 series
Chapter 33
Configuring AAA Rules for Network Access
Configuring Authorization for Network Access

6. If the access list required is more than approximately 4 KB in length, Cisco Secure ACS responds
with an access-challenge message that contains a portion of the access list, formatted as described
above, and a State attribute (IETF RADIUS attribute 24), which contains control data used by
Cisco Secure ACS to track the progress of the download. Cisco Secure ACS fits as many complete
attribute-value pairs into the cisco-av-pair RADIUS VSA as it can without exceeding the maximum
RADIUS message size.
The adaptive security appliance stores the portion of the access list received and responds with
another access-request message containing the same attributes as the first request for the
downloadable access list plus a copy of the State attribute received in the access-challenge message.
This repeats until Cisco Secure ACS sends the last of the access list in an access-accept message.

Configuring Cisco Secure ACS for Downloadable Access Lists
You can configure downloadable access lists on Cisco Secure ACS as a shared profile component and
then assign the access list to a group or to an individual user.
The access list definition consists of one or more adaptive security appliance commands that are similar
to the extended access-list command, except without the following prefix:
access-list acl_name extended
The following example is a downloadable access list definition on Cisco Secure ACS version 3.3:
[Figure: Cisco Secure ACS, Shared Profile Components > Downloadable IP ACLs Content]
Name: acs_ten_acl
ACL Definitions:
permit tcp any host 10.0.0.254
permit udp any host 10.0.0.254
permit icmp any host 10.0.0.254
permit tcp any host 10.0.0.253
permit udp any host 10.0.0.253
permit icmp any host 10.0.0.253
permit tcp any host 10.0.0.252
permit udp any host 10.0.0.252
permit icmp any host 10.0.0.252
permit ip any any
For more information about creating downloadable access lists and associating them with users, see the
user guide for your version of Cisco Secure ACS.
On the adaptive security appliance, the downloaded access list has the following name:
#ACSACL#-ip-acl_name-number
The acl_name argument is the name that is defined on Cisco Secure ACS (acs_ten_acl in the preceding
example), and number is a unique version ID generated by Cisco Secure ACS.
The downloaded access list on the adaptive security appliance consists of the following lines:
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.254
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit udp any host 10.0.0.254
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit icmp any host 10.0.0.254
access-list #ACSACL#-ip-asa-acs_ten_acl-3b5385f7 permit tcp any host 10.0.0.253
OL-20339-01
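The chunked access-challenge / access-request exchange that step 6 describes, and the #ACSACL#-ip-acl_name-number naming of the result, as an added example that is not from the manual or from Cisco: a small Python simulation of both sides, using the ten-entry acs_ten_acl definition above as constructed input. The three-entries-per-message limit, the random State tokens and the Message class are assumptions standing in for the real RADIUS encoding; the server side also treats each State token as single-use and rejects unknown ones, which is the check a defender wants on a stateful download.

```python
"""Simulated downloadable-ACL exchange between an ASA (client) and Cisco Secure ACS
(server). Constructed example; message sizes and State tokens are made up."""
from dataclasses import dataclass, field
from typing import Optional
import os

MAX_ENTRIES_PER_MESSAGE = 3  # stand-in for the RADIUS message-size limit (assumption)

@dataclass
class Message:
    code: str                         # access-request / -challenge / -accept / -reject
    state: Optional[bytes] = None     # IETF RADIUS attribute 24; opaque to the client
    avpairs: list = field(default_factory=list)  # ACL entries carried as cisco-av-pairs

class AcsServer:
    """Hands out one named ACL in chunks, tracking progress with State tokens."""
    def __init__(self, acl_name, entries, version_id):
        self.acl_name, self.entries, self.version_id = acl_name, entries, version_id
        self.sessions = {}   # State token -> index of the next entry to send
        self.messages = 0    # responses sent, for inspection

    def handle(self, req):
        self.messages += 1
        if req.state is None:                  # fresh request: start at the top
            start = 0
        elif req.state in self.sessions:       # continuation: token is single-use
            start = self.sessions.pop(req.state)
        else:                                  # unknown or replayed token
            return Message("access-reject")
        end = start + MAX_ENTRIES_PER_MESSAGE
        chunk = self.entries[start:end]
        if end >= len(self.entries):           # last piece travels in access-accept
            return Message("access-accept", avpairs=chunk)
        token = os.urandom(8)
        self.sessions[token] = end
        return Message("access-challenge", state=token, avpairs=chunk)

def download_acl(server, max_rounds=64):
    """Client side: repeat the access-request, echoing State, until access-accept."""
    received, state = [], None
    for _ in range(max_rounds):
        resp = server.handle(Message("access-request", state=state))
        if resp.code == "access-reject":
            raise RuntimeError("ACS rejected the download request")
        received.extend(resp.avpairs)
        if resp.code == "access-accept":
            name = f"#ACSACL#-ip-{server.acl_name}-{server.version_id}"
            return [f"access-list {name} {entry}" for entry in received]
        state = resp.state  # copy State unchanged into the next access-request
    raise RuntimeError("download did not complete")

# Constructed sample: the ten-entry ACL from the ACS example above
ACS_TEN_ACL = [f"permit {p} any host 10.0.0.{h}"
               for h in (254, 253, 252) for p in ("tcp", "udp", "icmp")] + ["permit ip any any"]
```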
Cisco ASA 5500 Series Configuration Guide using ASDM
33-13
