AAA Server and Local Database Support
RADIUS Server Support
The FWSM supports RADIUS servers.
This section contains the following topics:
• Authentication Methods
• Attribute Support
• TACACS+ Server Support
Authentication Methods
The FWSM supports the following authentication methods with RADIUS:
• PAP
• CHAP
• MS-CHAPv1
• MS-CHAPv2
MS-CHAPv2 supports password management when the RADIUS server communicates with a
Windows Active Directory server. When your password expires, you are prompted to change your
password (see the auth-prompt command).
Attribute Support
The FWSM supports the following sets of RADIUS attributes:
• Authentication attributes defined in RFC 2138.
• Accounting attributes defined in RFC 2139.
• RADIUS attributes for tunneled protocol support, defined in RFC 2868.
• Cisco IOS VSAs, identified by RADIUS vendor ID 9.
• Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
• Microsoft VSAs, defined in RFC 2548.
RADIUS Authorization Functions
The FWSM can use RADIUS servers for user authorization for network access using dynamic access
lists or access list names per user. To implement dynamic access lists, you must configure the RADIUS
server to support them. When the user authenticates, the RADIUS server sends a downloadable access list
or access list name to the security appliance. Access to a given service is either permitted or denied by
the access list. The security appliance deletes the access list when the authentication session expires.
TACACS+ Server Support
The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
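To audit what a RADIUS server actually returns for the attribute sets and per-user access lists described above, the vendor-specific attributes (VSAs) in an Access-Accept can be decoded by vendor ID. This is an added example, not code from the Cisco guide; it assumes the RFC 2138 attribute layout, the Cisco AV-pair form `ip:inacl#N=` for per-user access list entries, vendor ID 311 for the RFC 2548 Microsoft VSAs, and a constructed sample packet.

```python
import struct

VENDORS = {9: "Cisco IOS", 3076: "Cisco VPN", 311: "Microsoft"}  # 311 is assumed (RFC 2548)
VENDOR_SPECIFIC = 26  # RADIUS attribute type that wraps VSAs

def tlvs(buf, what):
    """Yield (type, value) from a type/length/value run; reject bad lengths."""
    i = 0
    while i < len(buf):
        length = buf[i + 1] if i + 1 < len(buf) else 0  # 0 marks a truncated header
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad {what} length at offset {i}")
        yield buf[i], buf[i + 2:i + length]
        i += length

def parse_vsas(packet):
    """Return [(vendor_name, vendor_type, value)] for every VSA in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("header length field disagrees with packet size")
    out = []
    for t, value in tlvs(packet[20:length], "attribute"):
        if t != VENDOR_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("VSA too short for a vendor ID")
        vendor = struct.unpack("!I", value[:4])[0]
        name = VENDORS.get(vendor, f"vendor {vendor}")
        out += [(name, vt, v) for vt, v in tlvs(value[4:], "sub-attribute")]
    return out

def per_user_acl(packet):
    """Access list lines sent as Cisco AV-pairs (vendor 9, type 1, 'ip:inacl#N=' assumed)."""
    return [v.decode(errors="replace").partition("=")[2] for name, vt, v in parse_vsas(packet)
            if name == "Cisco IOS" and vt == 1 and v.startswith(b"ip:inacl#")]

def attr(t, value):
    return bytes([t, len(value) + 2]) + value

def sample_accept():
    """Constructed Access-Accept (code 2) with a zeroed authenticator, not a capture."""
    avp = lambda s: attr(VENDOR_SPECIFIC, struct.pack("!I", 9) + attr(1, s))
    body = (attr(1, b"alice")  # User-Name
            + avp(b"ip:inacl#1=permit tcp any host 10.0.0.5 eq 443")
            + avp(b"ip:inacl#2=deny ip any any")
            + attr(VENDOR_SPECIFIC, struct.pack("!I", 3076) + attr(11, b"\x00\x00\x00\x04")))
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body
```

Comparing the output of `per_user_acl` against the access list the user is supposed to receive shows whether the server-side configuration matches intent before the firewall enforces it.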
Chapter 11
Configuring AAA Servers and the Local Database
OL-20748-01