Cisco ASA Series User Manual

Cisco ASA Series CLI Configuration Guide
Appendix 1 Configuring an External Server for Authorization and Authentication
Configuring an External RADIUS Server

Reviewing the RADIUS Configuration Procedure
This section describes the RADIUS configuration steps required to support authentication and
authorization of ASA users.
To set up the RADIUS server to interoperate with the ASA, perform the following steps:
Step 1 Load the ASA attributes into the RADIUS server. The method you use to load the attributes depends on
which type of RADIUS server you are using:
• If you are using Cisco ACS: the server already has these attributes integrated. You can skip this step.
• For RADIUS servers from other vendors (for example, Microsoft Internet Authentication Service):
you must manually define each ASA attribute. To define an attribute, use the attribute name or
number, type, value, and vendor code (3076). For a list of ASA RADIUS authorization attributes
and values, see Table 1-7.
Step 2 Set up the users or groups with the permissions and attributes to send during IPsec or SSL tunnel
establishment.

ASA RADIUS Authorization Attributes
Authorization refers to the process of enforcing permissions or attributes. A RADIUS server defined as
an authentication server enforces permissions or attributes if they are configured. These attributes have
vendor ID 3076.
Table 1-7 lists the ASA supported RADIUS attributes that can be used for user authorization.

Note: RADIUS attribute names do not contain the cVPN3000 prefix. Cisco Secure ACS 4.x supports this new
nomenclature, but attribute names in pre-4.0 ACS releases still include the cVPN3000 prefix. The ASAs
enforce the RADIUS attributes based on attribute numeric ID, not attribute name. LDAP attributes are
enforced by their name, not by the ID.

All attributes listed in Table 1-7 are downstream attributes that are sent from the RADIUS server to the
ASA except for the following attribute numbers: 146, 150, 151, and 152. These attribute numbers are
upstream attributes that are sent from the ASA to the RADIUS server. RADIUS attributes 146 and 150
are sent from the ASA to the RADIUS server for authentication and authorization requests. All four
previously listed attributes are sent from the ASA to the RADIUS server for accounting start,
interim-update, and stop requests. Upstream RADIUS attributes 146, 150, 151, and 152 were introduced
in ASA version 8.4.3.
Cisco ACS 5.x and Cisco ISE do not support IPv6 framed IP addresses for IP address assignment using
RADIUS authentication in ASA Version 9.0.
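
The following Python example is added here and is not part of the Cisco guide. It parses a RADIUS attribute list, extracts the vendor 3076 sub-attributes by numeric ID (the way the ASA enforces them), and flags attributes travelling in the wrong direction according to the upstream list above (146, 150, 151, 152). It assumes the sub-attribute layout recommended in RFC 2865 section 5.26; the function names and sample packets are hypothetical and constructed for illustration.

```python
import struct

ASA_VENDOR_ID = 3076                 # vendor code given in the guide
UPSTREAM_IDS = {146, 150, 151, 152}  # sent from the ASA to the RADIUS server
VSA_TYPE = 26                        # Vendor-Specific attribute, RFC 2865 section 5.26

def parse_asa_vsas(attrs: bytes):
    """Return [(number, value_bytes, direction)] for each vendor-3076 sub-attribute.
    Assumption: any number outside UPSTREAM_IDS is a downstream Table 1-7 attribute.
    Raises ValueError on inconsistent length fields."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError(f"bad attribute length at offset {i}")
        a_type, a_len = attrs[i], attrs[i + 1]
        body = attrs[i + 2:i + a_len]
        i += a_len
        if a_type != VSA_TYPE or len(body) < 4:
            continue                          # not a VSA: ignore
        (vendor,) = struct.unpack("!I", body[:4])
        if vendor != ASA_VENDOR_ID:
            continue                          # another vendor's VSA
        sub, j = body[4:], 0
        while j < len(sub):
            if j + 2 > len(sub) or sub[j + 1] < 2 or j + sub[j + 1] > len(sub):
                raise ValueError("bad sub-attribute length in vendor 3076 VSA")
            number, s_len = sub[j], sub[j + 1]
            direction = "upstream" if number in UPSTREAM_IDS else "downstream"
            out.append((number, sub[j + 2:j + s_len], direction))
            j += s_len
    return out

def misdirected(attrs: bytes, sent_by_asa: bool):
    """Attribute numbers whose direction does not match the packet's sender."""
    want = "upstream" if sent_by_asa else "downstream"
    return [n for n, _, d in parse_asa_vsas(attrs) if d != want]

def vsa(number: int, value: bytes, vendor: int = ASA_VENDOR_ID) -> bytes:
    """Build one VSA; helper used only for the constructed samples below."""
    sub = bytes([number, len(value) + 2]) + value
    return bytes([VSA_TYPE, len(sub) + 6]) + struct.pack("!I", vendor) + sub

# Constructed samples: the values and attribute number 200 are made up.
REQUEST = bytes([1, 7]) + b"alice" + vsa(146, b"ExampleGroup") + vsa(150, struct.pack("!I", 2))
ACCEPT = vsa(200, struct.pack("!I", 1)) + vsa(146, b"ExampleGroup") + vsa(1, b"x", vendor=9)

if __name__ == "__main__":
    print(parse_asa_vsas(REQUEST))
    print("upstream IDs in server reply:", misdirected(ACCEPT, sent_by_asa=False))
```

An upstream number showing up in a server reply usually points to an attribute defined with the wrong numeric ID on a non-Cisco RADIUS server, where each attribute is entered by hand.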
