Configuring Authorization for Network Access
Configuring Any RADIUS Server for Downloadable Access Lists
You can configure any RADIUS server that supports Cisco IOS RADIUS VSAs to send dynamic access
lists to the FWSM in a Cisco IOS RADIUS cisco-av-pair VSA (VSA number 1). Cisco IOS RADIUS
VSAs are identified by RADIUS vendor ID 9.
In the cisco-av-pair VSA, configure one or more ACEs that are similar to the access-list extended
command, except that you replace the following command prefix:
access-list acl_name extended
with the following text:
ip:inacl#nnn=
The nnn argument is a number in the range from 0 to 999999999 that identifies the order of the command
statement to be configured on the FWSM. If this parameter is omitted, the sequence value is 0, and the
order of the ACEs inside the cisco-av-pair RADIUS VSA is used.
The following example is an access list definition as it should be configured for a cisco-av-pair VSA on
a RADIUS server:
ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#99=deny tcp any any
ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
ip:inacl#100=deny udp any any
ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
For information about making the access lists sent in the cisco-av-pair attribute unique per user, see the
documentation for your RADIUS server.
On the FWSM, the downloaded access list name has the following format:
AAA-user-username
The username argument is the name of the user that is being authenticated.
The downloaded access list on the FWSM consists of the following lines. Notice that their order follows the
sequence numbers configured on the RADIUS server, not the order in which the ACEs were listed there.
access-list  AAA-user-bcham34-79AD4A08 permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-bcham34-79AD4A08 permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-bcham34-79AD4A08 permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list  AAA-user-bcham34-79AD4A08 deny tcp any any
access-list  AAA-user-bcham34-79AD4A08 deny udp any any
Downloaded access lists have two spaces between the word "access-list" and the name. These spaces
serve to differentiate a downloaded access list from a local access list. In this example, "bcham34" is the
authenticated username and "79AD4A08" is a hash value generated by the FWSM to help determine when
access list definitions have changed on the RADIUS server.
Configuring a RADIUS Server to Download Per-User Access Control List Names
To download a name for an access list that you already created on the FWSM from the RADIUS server
when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11) as
follows:
filter-id=acl_name
Chapter 17
Applying AAA for Network Access
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
17-12
OL-20748-01
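As an added illustration (not from the configuration guide or from Cisco), the following Python script parses cisco-av-pair values in the ip:inacl#nnn= form, applies the ordering rules described above (an omitted nnn counts as 0, and ties keep the order of the attributes) and renders the lines as they appear on the FWSM, including the two-space marker of a downloaded list. The hash suffix uses a truncated SHA-256 as a stand-in, because the FWSM's actual hash algorithm is not described in this guide.

```python
import hashlib
import re

# Constructed sample: cisco-av-pair values as a RADIUS server might return them
# (same ACEs as the guide's example, deliberately out of sequence order).
SAMPLE_AV_PAIRS = [
    "ip:inacl#1=permit tcp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
    "ip:inacl#99=deny tcp any any",
    "ip:inacl#2=permit udp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
    "ip:inacl#100=deny udp any any",
    "ip:inacl#3=permit icmp 10.1.0.0 255.0.0.0 10.0.0.0 255.0.0.0",
]

# nnn is optional and, when present, is a number in the range 0..999999999 (up to 9 digits)
_AV_RE = re.compile(r"^ip:inacl(?:#(\d{1,9}))?=(.+)$")


def parse_inacl(av_pairs):
    """Return (sequence, ace) tuples in the order the FWSM would apply them."""
    entries = []
    for position, value in enumerate(av_pairs):
        m = _AV_RE.match(value.strip())
        if not m:
            raise ValueError(f"not an ip:inacl cisco-av-pair value: {value!r}")
        seq = int(m.group(1)) if m.group(1) is not None else 0  # omitted nnn -> 0
        entries.append((seq, position, m.group(2).strip()))
    # Sort by sequence number; equal sequences keep their attribute order.
    entries.sort(key=lambda e: (e[0], e[1]))
    return [(seq, ace) for seq, _pos, ace in entries]


def acl_hash(aces):
    """Change-detection suffix for the downloaded ACL name.

    ASSUMPTION: the FWSM's real algorithm is undocumented here; a truncated
    SHA-256 over the ordered ACE text stands in for it.
    """
    digest = hashlib.sha256("\n".join(aces).encode("ascii")).hexdigest()
    return digest[:8].upper()


def render_downloaded_acl(username, av_pairs):
    """Render the access-list lines the FWSM would show for this user."""
    aces = [ace for _seq, ace in parse_inacl(av_pairs)]
    name = f"AAA-user-{username}-{acl_hash(aces)}"
    # Two spaces after "access-list" mark a downloaded (not local) access list.
    return [f"access-list  {name} {ace}" for ace in aces]
```

Comparing the rendered lines against what the FWSM actually installs is a quick way to confirm that the sequence numbers on the RADIUS server produce the intended permit-before-deny order for each user.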