Cisco ASA 5500 Series Configuration Guide using ASDM, 6.4 and 6.6
Configuring an External Server for Security Appliance User Authorization
Downloads: This chapterpdf (PDF - 1.35MB) The complete bookPDF (PDF - 26.27MB) | Feedback

Configuring an External Server for Authorization and Authentication

Table Of Contents

Configuring an External Server for Authorization and Authentication

Understanding Policy Enforcement of Permissions and Attributes

Configuring an External LDAP Server

Organizing the ASA for LDAP Operations

Searching the LDAP Hierarchy

Binding the ASA to the LDAP Server

Defining the ASA LDAP Configuration

Supported Cisco Attributes for LDAP Authorization

Cisco AV Pair Attribute Syntax

Cisco AV Pairs ACL Examples

Active Directory/LDAP VPN Remote Access Authorization Examples

User-Based Attributes Policy Enforcement

Placing LDAP Users in a Specific Group Policy

Enforcing Static IP Address Assignment for AnyConnect Tunnels

Enforcing Dial-in Allow or Deny Access

Enforcing Logon Hours and Time-of-Day Rules

Configuring an External RADIUS Server

Reviewing the RADIUS Configuration Procedure

ASA RADIUS Authorization Attributes

ASA IETF RADIUS Authorization Attributes

RADIUS Accounting Disconnect Reason Codes

Configuring an External TACACS+ Server


Configuring an External Server for Authorization and Authentication


This appendix describes how to configure an external LDAP, RADIUS, or TACACS+ server to support AAA on the ASA. Before you configure the ASA to use an external server, you must configure the server with the correct ASA authorization attributes and, from a subset of these attributes, assign specific permissions to individual users.

This appendix includes the following sections:

Understanding Policy Enforcement of Permissions and Attributes

Configuring an External LDAP Server

Configuring an External RADIUS Server

RADIUS Accounting Disconnect Reason Codes

Understanding Policy Enforcement of Permissions and Attributes

The ASA supports several methods of applying user authorization attributes (also called user entitlements or permissions) to VPN connections. You can configure the ASA to obtain user attributes from a Dynamic Access Policy (DAP) on the ASA, from an external authentication and/or authorization AAA server (RADIUS or LDAP), from a group policy on the ASA, or from all three.

If the ASA receives attributes from all sources, the attributes are evaluated, merged, and applied to the user policy. If there are conflicts between attributes coming from the DAP, the AAA server, or the group policy, those attributes obtained from the DAP always take precedence.

The ASA applies attributes in the following order (see Figure C-1).

1. DAP attributes on the ASA—Introduced in Version 8.0(2), these attributes take precedence over all others. If you set a bookmark or URL list in DAP, it overrides a bookmark or URL list set in the group policy.

2. User attributes on the AAA server—The server returns these attributes after successful user authentication and/or authorization. Do not confuse these with attributes that are set for individual users in the local AAA database on the ASA (User Accounts in ASDM).

3. Group policy configured on the ASA—If a RADIUS server returns the value of the RADIUS CLASS attribute IETF-Class-25 (OU=group-policy) for the user, the ASA places the user in the group policy of the same name and enforces any attributes in the group policy that are not returned by the server.

For LDAP servers, any attribute name can be used to set the group policy for the session. The LDAP attribute map that you configure on the ASA maps the LDAP attribute to the Cisco attribute IETF-Radius-Class.

4. Group policy assigned by the Connection Profile (called tunnel-group in the CLI)—The Connection Profile has the preliminary settings for the connection, and includes a default group policy applied to the user before authentication. All users connecting to the ASA initially belong to this group, which provides any attributes that are missing from the DAP, user attributes returned by the server, or the group policy assigned to the user.

5. Default group policy assigned by the ASA (DfltGrpPolicy)—System default attributes provide any values that are missing from the DAP, user attributes, group policy, or connection profile.

Figure C-1 Policy Enforcement Flow

Configuring an External LDAP Server

The VPN 3000 concentrator and the ASA/PIX 7.0 software required a Cisco LDAP schema for authorization operations. Beginning with Version 7.1.x, the ASA performs authentication and authorization using the native LDAP schema, and the Cisco schema is no longer needed.

You configure authorization (permission policy) using an LDAP attribute map. For examples, see the "Active Directory/LDAP VPN Remote Access Authorization Examples" section.

This section describes the structure, schema, and attributes of an LDAP server and includes the following topics:

Organizing the ASA for LDAP Operations

Defining the ASA LDAP Configuration

Active Directory/LDAP VPN Remote Access Authorization Examples

The specific steps of these processes vary, depending on which type of LDAP server that you are using.


Note For more information about the LDAP protocol, see RFCs 1777, 2251, and 2849.


Organizing the ASA for LDAP Operations

This section describes how to search within the LDAP hierarchy and perform authenticated binding to the LDAP server on the ASA and includes the following topics:

Searching the LDAP Hierarchy

Binding the ASA to the LDAP Server

Your LDAP configuration should reflect the logical hierarchy of your organization. For example, suppose an employee at your company, Example Corporation, is named Employee1. Employee1 works in the Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set up a single-level hierarchy in which Employee1 is considered a member of Example Corporation. Or you could set up a multi-level hierarchy in which Employee1 is considered to be a member of the department Engineering, which is a member of an organizational unit called People, which is itself a member of Example Corporation. See Figure C-2 for an example of a multi-level hierarchy.

A multi-level hierarchy has more detail, but searches return results more quickly in a single-level hierarchy.

Figure C-2 A Multi-Level LDAP Hierarchy

Searching the LDAP Hierarchy

The ASA lets you tailor the search within the LDAP hierarchy. You configure the following three fields on the ASA to define where in the LDAP hierarchy that your search begins, the extent, and the type of information it is looking for. Together these fields allow you to limit the search of the hierarchy to only the part that includes the user permissions.

LDAP Base DN defines where in the LDAP hierarchy that the server should begin searching for user information when it receives an authorization request from the ASA.

Search Scope defines the extent of the search in the LDAP hierarchy. The search proceeds this many levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the level immediately below it, or it can search the entire subtree. A single level search is quicker, but a subtree search is more extensive.

Naming Attribute(s) defines the RDN that uniquely identifies an entry in the LDAP server. Common naming attributes can include cn (Common Name), sAMAccountName, and userPrincipalName.

Figure C-2 shows a sample LDAP hierarchy for Example Corporation. Given this hierarchy, you could define your search in different ways. Table C-1 shows two sample search configurations.

In the first example configuration, when Employee1 establishes the IPsec tunnel with LDAP authorization required, the ASA sends a search request to the LDAP server, indicating it should search for Employee1 in the Engineering group. This search is quick.

In the second example configuration, the ASA sends a search request indicating that the server should search for Employee1 within Example Corporation. This search takes longer.

Table C-1 Example Search Configurations

No.
LDAP Base DN
Search Scope
Naming Attribute
Result

1

group= Engineering,ou=People,dc=ExampleCorporation, dc=com

One Level

cn=Employee1

Quicker search

2

dc=ExampleCorporation,dc=com

Subtree

cn=Employee1

Longer search


Binding the ASA to the LDAP Server

Some LDAP servers (including the Microsoft Active Directory server) require the ASA to establish a handshake via authenticated binding before they accept requests for any other LDAP operations. The ASA uses the Login Distinguished Name (DN) and Login Password to establish a trust relationship (bind) with an LDAP server before a user can search. The Login DN represents a user record in the LDAP server that the administrator uses for binding.

When binding, the ASA authenticates to the server using the Login DN and the Login Password. When performing a Microsoft Active Directory read-only operation (such as for authentication, authorization, or group search), the ASA can bind with a Login DN with fewer privileges. For example, the Login DN can be a user whose AD "Member Of" designation is part of Domain Users. For VPN password management write operations, the Login DN needs elevated privileges and must be part of the Account Operators AD group. Microsoft Active Directory group search (also called "MemberOf retrieval") was added in ASA Version 8.0.4.

An example of a Login DN includes the following entries:

cn=Binduser1,ou=Admins,ou=Users,dc=company_A,dc=com

See your LDAP Administrator guide for specific Login DN requirements for read and write operations.

The ASA supports the following features:

Simple LDAP authentication with an unencrypted password using the default port 389 . You can also use other ports instead of the default port.

Secure LDAP (LDAP-S) using the default port 636. You can also use other ports instead of the default port.

Simple Authentication and Security Layer (SASL) MD5

SASL Kerberos

The ASA does not support anonymous authentication.


Note As an LDAP client, the ASA does not support the transmission of anonymous binds or requests.


Defining the ASA LDAP Configuration

This section describes how to define the LDAP AV-pair attribute syntax and includes the following topics:

Supported Cisco Attributes for LDAP Authorization

Cisco AV Pair Attribute Syntax

Cisco AV Pairs ACL Examples


Note The ASA enforces the LDAP attributes based on attribute name, not numeric ID. RADIUS attributes, on the other hand, are enforced by numeric ID, not by name.

Authorization refers to the process of enforcing permissions or attributes. An LDAP server defined as an authentication or authorization server enforces permissions or attributes if they are configured.

For software Version 7.0, LDAP attributes include the cVPN3000 prefix. For software Versions 7.1 and later, this prefix was removed.


Supported Cisco Attributes for LDAP Authorization

This section provides a complete list of attributes (see Table C-2) for the ASA 5500, VPN 3000 concentrator, and PIX 500 series ASAs. The table includes attribute support information for the VPN 3000 concentrator and PIX 500 series ASAs to assist you in configuring networks with a combination of these devices.

Table C-2 ASA Supported Cisco Attributes for LDAP Authorization 

Attribute Name
VPN 3000
ASA
PIX
Syntax/Type
Single or Multi-Valued
Possible Values

Access-Hours

Y

Y

Y

String

Single

Name of the time-range
(for example, Business-Hours)

Allow-Network-Extension- Mode

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

Authenticated-User-Idle- Timeout

Y

Y

Y

Integer

Single

1 - 35791394 minutes

Authorization-Required

Y

   

Integer

Single

0 = No
1 = Yes

Authorization-Type

Y

   

Integer

Single

0 = None
1 = RADIUS
2 = LDAP

Banner1

Y

Y

Y

String

Single

Banner string for clientless and client SSL VPN, and IPsec clients.

Banner2

Y

Y

Y

String

Single

Banner string for clientless and client SSL VPN, and IPsec clients.

Cisco-AV-Pair

Y

Y

Y

String

Multi

An octet string in the following format:

[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]

For more information, see the "Cisco AV Pair Attribute Syntax" section."

Cisco-IP-Phone-Bypass

Y

Y

Y

Integer

Single

0 = Disabled
1 = Enabled

Cisco-LEAP-Bypass

Y

Y

Y

Integer

Single

0 = Disabled
1 = Enabled

Client-Intercept-DHCP- Configure-Msg

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

Client-Type-Version-Limiting

Y

Y

Y

String

Single

IPsec VPN client version number string

Confidence-Interval

Y

Y

Y

Integer

Single

10 - 300 seconds

DHCP-Network-Scope

Y

Y

Y

String

Single

IP address

DN-Field

Y

Y

Y

String

Single

Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, and use-entire-name.

Firewall-ACL-In

 

Y

Y

String

Single

Access list ID

Firewall-ACL-Out

 

Y

Y

String

Single

Access list ID

Group-Policy

 

Y

Y

String

Single

Sets the group policy for the remote access VPN session. For version 8.2 and later, use this attribute instead of IETF-Radius-Class. You can use one of the three following formats:

group policy name

OU=group policy name

OU=group policy name:

IE-Proxy-Bypass-Local

     

Boolean

Single

0=Disabled
1=Enabled

IE-Proxy-Exception-List

     

String

Single

A list of DNS domains. Entries must be separated by the new line character sequence (\n).

IE-Proxy-Method

Y

Y

Y

Integer

Single

1 = Do not modify proxy settings
2 = Do not use proxy
3 = Auto detect
4 = Use ASA setting

IE-Proxy-Server

Y

Y

Y

Integer

Single

IP address

IETF-Radius-Class

Y

Y

Y

 

Single

Sets the group policy for the remote access VPN session. For versions 8.2 and later, we recommend that you use the Group-Policy attribute. You can use one of the three following formats:

group policy name

OU=group policy name

OU=group policy name:

IETF-Radius-Filter-Id

Y

Y

Y

String

Single

Access list name that is defined on the ASA. The setting applies to VPN remote access IPsec and SSL VPN clients.

IETF-Radius-Framed-IP-Address

Y

Y

Y

String

Single

An IP address. The setting applies to VPN remote access IPsec and SSL VPN clients.

IETF-Radius-Framed-IP-Netmask

Y

Y

Y

String

Single

An IP address mask. The setting applies to VPN remote access IPsec and SSL VPN clients.

IETF-Radius-Idle-Timeout

Y

Y

Y

Integer

Single

Seconds

IETF-Radius-Service-Type

Y

Y

Y

Integer

Single

1 = Login
2 = Framed
5 = Remote access
6 = Administrative
7 = NAS prompt

IETF-Radius-Session-Timeout

Y

Y

Y

Integer

Single

Seconds

IKE-Keep-Alives

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Allow-Passwd-Store

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Authentication

Y

Y

Y

Integer

Single

0 = None
1 = RADIUS
2 = LDAP (authorization only)
3 = NT Domain
4 = SDI (RSA)
5 = Internal
6 = RADIUS with Expiry
7 = Kerberos or Active Directory

IPsec-Auth-On-Rekey

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Backup-Server-List

Y

Y

Y

String

Single

Server addresses (space delimited)

IPsec-Backup-Servers

Y

Y

Y

String

Single

1 = Use client-configured list
2 = Disabled and clear client list
3 = Use backup server list

IPsec-Client-Firewall-Filter- Name

Y

   

String

Single

Specifies the name of the filter to be pushed to the client as firewall policy.

IPsec-Client-Firewall-Filter- Optional

Y

Y

Y

Integer

Single

0 = Required
1 = Optional

IPsec-Default-Domain

Y

Y

Y

String

Single

Specifies the single default domain name to send to the client (1 - 255 characters).

IPsec-Extended-Auth-On-Rekey

 

Y

Y

String

Single

String

IPsec-IKE-Peer-ID-Check

Y

Y

Y

Integer

Single

1 = Required
2 = If supported by peer certificate
3 = Do not check

IPsec-IP-Compression

Y

Y

Y

Integer

Single

0 = Disabled
1 = Enabled

IPsec-Mode-Config

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Over-UDP

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Over-UDP-Port

Y

Y

Y

Integer

Single

4001 - 49151; The default is 10000.

IPsec-Required-Client-Firewall-
Capability

Y

Y

Y

Integer

Single

0 = None
1 = Policy defined by remote FW Are-You-There (AYT)
2 = Policy pushed CPP
4 = Policy from server

IPsec-Sec-Association

Y

   

String

Single

Name of the security association

IPsec-Split-DNS-Names

Y

Y

Y

String

Single

Specifies the list of secondary domain names to send to the client (1 - 255 characters).

IPsec-Split-Tunneling-Policy

Y

Y

Y

Integer

Single

0 = Tunnel everything
1 = Split tunneling
2 = Local LAN permitted

IPsec-Split-Tunnel-List

Y

Y

Y

String

Single

Specifies the name of the network or access list that describes the split tunnel inclusion list.

IPsec-Tunnel-Type

Y

Y

Y

Integer

Single

1 = LAN-to-LAN
2 = Remote access

IPsec-User-Group-Lock

Y

   

Boolean

Single

0 = Disabled
1 = Enabled

L2TP-Encryption

Y

   

Integer

Single

Bitmap:

1 = Encryption required
2 = 40 bit
4 = 128 bits
8 = Stateless-Req
15 = 40/128-Encr/Stateless-Req

L2TP-MPPC-Compression

Y

   

Integer

Single

0 = Disabled
1 = Enabled

MS-Client-Subnet-Mask

Y

Y

Y

String

Single

An IP address

PFS-Required

Y

Y

Y

Boolean

Single

0 = No
1 = Yes

Port-Forwarding-Name

Y

Y

 

String

Single

Name string (for example, "Corporate-Apps")

PPTP-Encryption

Y

   

Integer

Single

Bitmap:

1 = Encryption required
2 = 40 bits
4 = 128 bits
8 = Stateless-Required

Example:
15 = 40/128-Encr/Stateless-Req

PPTP-MPPC-Compression

Y

   

Integer

Single

0 = Disabled
1 = Enabled

Primary-DNS

Y

Y

Y

String

Single

An IP address

Primary-WINS

Y

Y

Y

String

Single

An IP address

Privilege-Level

     

Integer

Single

For usernames, 0 - 15

Required-Client- Firewall-Vendor-Code

Y

Y

Y

Integer

Single

1 = Cisco Systems (with Cisco Integrated Client)
2 = Zone Labs
3 = NetworkICE
4 = Sygate
5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)

Required-Client-Firewall- Description

Y

Y

Y

String

Single

Required-Client-Firewall- Product-Code

Y

Y

Y

Integer

Single

Cisco Systems Products:

1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC)

Zone Labs Products:

1 = Zone Alarm
2 = Zone AlarmPro
3 = Zone Labs Integrity

NetworkICE Product:

1 = BlackIce Defender/Agent

Sygate Products:

1 = Personal Firewall
2 = Personal Firewall Pro
3 = Security Agent

Require-HW-Client-Auth

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

Require-Individual-User-Auth

Y

Y

Y

Integer

Single

0 = Disabled
1 = Enabled

Secondary-DNS

Y

Y

Y

String

Single

An IP address

Secondary-WINS

Y

Y

Y

String

Single

An IP address

SEP-Card-Assignment

     

Integer

Single

Not used

Simultaneous-Logins

Y

Y

Y

Integer

Single

0 - 2147483647

Strip-Realm

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

TACACS-Authtype

Y

Y

Y

Interger

Single

TACACS-Privilege-Level

Y

Y

Y

Interger

Single

Tunnel-Group-Lock

 

Y

Y

String

Single

Name of the tunnel group or "none"

Tunneling-Protocols

Y

Y

Y

Integer

Single

1 = PPTP
2 = L2TP
4 = IPSec (IKEv1)
8 = L2TP/IPSec
16 = WebVPN
32 = SVC
64 = IPsec (IKEv2)
8 and 4 are mutually exclusive
(0 - 11, 16 - 27, 32 - 43, 48 - 59 are legal values).

Use-Client-Address

Y

   

Boolean

Single

0 = Disabled
1 = Enabled

User-Auth-Server-Name

Y

   

String

Single

IP address or hostname

User-Auth-Server-Port

Y

   

Integer

Single

Port number for server protocol

User-Auth-Server-Secret

Y

   

String

Single

Server password

WebVPN-ACL-Filters

 

Y

 

String

Single

Webtype access list name

WebVPN-Apply-ACL-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

With Version 8.0 and later, this attribute is not required.

WebVPN-Citrix-Support-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

With Versions 8.0 and later, this attribute is not required.

WebVPN-Enable-functions

     

Integer

Single

Not used - deprecated

WebVPN-Exchange-Server- Address

     

String

Single

Not used - deprecated

WebVPN-Exchange-Server- NETBIOS-Name

     

String

Single

Not used - deprecated

WebVPN-File-Access-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-File-Server-Browsing-
Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-File-Server-Entry- Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Forwarded-Ports

 

Y

 

String

Single

Port-forward list name

WebVPN-Homepage

Y

Y

 

String

Single

A URL such as http://www.example.com

WebVPN-Macro-Substitution-
Value1

Y

Y

 

String

Single

See the SSL VPN Deployment Guide for examples at the following URL:

http://supportwiki.cisco.com/ViewWiki/index.php/Cisco_ASA_5500_SSL_VPN_Deployment_Guide%2C_Version_8.x

WebVPN-Macro-Substitution-
Value2

Y

Y

 

String

Single

See the SSL VPN Deployment Guide for examples at the following URL:

http://supportwiki.cisco.com/ViewWiki/index.php/Cisco_ASA_5500_SSL_VPN_Deployment_Guide%2C_Version_8.x

WebVPN-Port-Forwarding- Auto-Download-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding- Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding- Exchange-Proxy-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding- HTTP-Proxy-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Single-Sign-On- Server-Name

 

Y

 

String

Single

Name of the SSO Server (1 - 31 characters).

WebVPN-SVC-Client-DPD

Y

Y

 

Integer

Single

0 = Disabled
n = Dead peer detection value in seconds (30 - 3600)

WebVPN-SVC-Compression

Y

Y

 

Integer

Single

0 = None
1 = Deflate compression

WebVPN-SVC-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SVC-Gateway-DPD

Y

Y

 

Integer

Single

0 = Disabled
n = Dead peer detection value in seconds (30 - 3600)

WebVPN-SVC-Keepalive

Y

Y

 

Integer

Single

0 = Disabled
n = Keepalive value in seconds (15 - 600)

WebVPN-SVC-Keep-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SVC-Rekey-Method

Y

Y

 

Integer

Single

0 = None
1 = SSL
2 = New tunnel
3 = Any (sets to SSL)

WebVPN-SVC-Rekey-Period

Y

Y

 

Integer

Single

0 = Disabled
n = Retry period in minutes
(4 - 10080)

WebVPN-SVC-Required-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-URL-Entry-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-URL-List

 

Y

 

String

Single

URL list name


Cisco AV Pair Attribute Syntax

The Cisco Attribute Value (AV) pair (ID Number 26/9/1) can be used to enforce access lists from a RADIUS server (like Cisco ACS), or from an LDAP server via an LDAP attribute map.

The syntax of each Cisco-AV-Pair rule is as follows:

[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]

Table C-3 describes the syntax rules.

Table C-3 AV-Pair Attribute Syntax Rules 

Field
Description

Action

Action to perform if the rule matches a deny or a permit.

Destination

Network or host that receives the packet. Specify it as an IP address, a hostname, or the any keyword. If using an IP address, the source wildcard mask must follow.

Destination Wildcard Mask

The wildcard mask that applies to the destination address.

Log

Generates a FILTER log message. You must use this keyword to generate events of severity level 9.

Operator

Logic operators: greater than, less than, equal to, not equal to.

Port

The number of a TCP or UDP port in the range of 0 - 65535.

Prefix

A unique identifier for the AV pair (for example: ip:inacl#1= for standard access lists or webvpn:inacl# = for clientless SSL VPN access lists). This field only appears when the filter has been sent as an AV pair.

Protocol

Number or name of an IP protocol. Either an integer in the range of 0 - 255 or one of the following keywords: icmp, igmp, ip, tcp, udp.

Source

Network or host that sends the packet. Specify it as an IP address, a hostname, or the any keyword. If using an IP address, the source wildcard mask must follow. This field does not apply to Clientless SSL VPN because the ASA has the role of the source or proxy.

Source Wildcard Mask

The wildcard mask that applies to the source address. This field does not apply to Clientless SSL VPN because the ASA has the role of the source or proxy.


Cisco AV Pairs ACL Examples

Table C-4 shows examples of Cisco AV pairs and describes the permit or deny actions that result.


Note Each ACL # in inacl# must be unique. However, they do not need to be sequential (for example, 1, 2, 3, 4). That is, they could be 5, 45, 135.


Table C-4 Examples of Cisco AV Pairs and Their Permitting or Denying Action 

Cisco AV Pair Example
Permitting or Denying Action
ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 
10.159.2.0 0.0.0.255 log

Allows IP traffic between the two hosts using a full tunnel IPsec or SSL VPN client.

ip:inacl#2=permit TCP any host 
10.160.0.1 eq 80 log

Allows TCP traffic from all hosts to the specific host on port 80 only using a full tunnel IPsec or SSL VPN client.

webvpn:inacl#1=permit url 
http://www.example.com
webvpn:inacl#2=deny url smtp://server
webvpn:inacl#3=permit url 
cifs://server/share

Allows clientlessSSL VPN traffic to the URL specified, denies SMTP traffic to a specific server, and allows file share access (CIFS) to the specified server.

webvpn:inacl#1=permit tcp 10.86.1.2 eq 
2222 log
webvpn:inacl#2=deny tcp 10.86.1.2 eq 
2323 log

Denies Telnet access and permits SSH access on non-default ports 2323 and 2222, respectively, or other application traffic flows using these ports for clientless SSL VPN.

webvpn:inacl#1=permit url 
ssh://10.86.1.2 
webvpn:inacl#35=permit tcp 10.86.1.5 eq 
22 log
webvpn:inacl#48=deny url 
telnet://10.86.1.2 
webvpn:inacl#100=deny tcp 10.86.1.6 eq 
23

Allows clientless SSL VPN SSH access to default port 22 and denies Telnet access to port 23, respectively. This example assumes that you are using Telnet or SSH Java plug-ins enforced by these ACLs.


URL Types Supported in ACLs

The URL may be a partial URL, contain wildcards for the server, or include a port.

The following URL types are supported.

any All URLs

https://

post://

ssh://

cifs://

ica://

rdp://

telnet://

citrix://

imap4://

rdp2://

vnc://

citrixs://

ftp://

smart-tunnel://

 

http://

pop3://

smtp://

 


Note The URLs listed in this table appear in CLI or ASDM menus based on whether or not the associated plug-in is enabled.


Guidelines for Using Cisco-AV Pairs (ACLs)

Use Cisco-AV pair entries with the ip:inacl# prefix to enforce access lists for remote IPsec and SSL VPN Client (SVC) tunnels.

Use Cisco-AV pair entries with the webvpn:inacl# prefix to enforce access lists for SSL VPN clientless (browser-mode) tunnels.

For webtype ACLs, you do not specify the source because the ASA is the source.

Table C-5 lists the tokens for the Cisco-AV-pair attribute:

Table C-5 ASA-Supported Tokens 

Token
Syntax Field
Description

ip:inacl#Num=

N/A (Identifier)

(Where Num is a unique integer.) Starts all AV pair access control lists. Enforces access lists for remote IPsec and SSL VPN (SVC) tunnels.

webvpn:inacl#Num=

N/A (Identifier)

(Where Num is a unique integer.) Starts all clientless SSL AV pair access control lists. Enforces access lists for clientless (browser-mode) tunnels.

deny

Action

Denies action. (Default)

permit

Action

Allows action.

icmp

Protocol

Internet Control Message Protocol (ICMP)

1

Protocol

Internet Control Message Protocol (ICMP)

IP

Protocol

Internet Protocol (IP)

0

Protocol

Internet Protocol (IP)

TCP

Protocol

Transmission Control Protocol (TCP)

6

Protocol

Transmission Control Protocol (TCP)

UDP

Protocol

User Datagram Protocol (UDP)

17

Protocol

User Datagram Protocol (UDP)

any

Hostname

Rule applies to any host.

host

Hostname

Any alpha-numeric string that denotes a hostname.

log

Log

When the event occurs, a filter log message appears. (Same as permit and log or deny and log.)

lt

Operator

Less than value

gt

Operator

Greater than value

eq

Operator

Equal to value

neq

Operator

Not equal to value

range

Operator

Inclusive range. Should be followed by two values.


Active Directory/LDAP VPN Remote Access Authorization Examples

This section presents example procedures for configuring authentication and authorization on the ASA using the Microsoft Active Directory server. It includes the following topics:

User-Based Attributes Policy Enforcement

Placing LDAP Users in a Specific Group Policy

Enforcing Static IP Address Assignment for AnyConnect Tunnels

Enforcing Dial-in Allow or Deny Access

Enforcing Logon Hours and Time-of-Day Rules

Other configuration examples available on Cisco.com include the following TechNotes.

ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example at the following URL:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

PIX/ASA 8.0: Use LDAP Authentication to Assign a Group Policy at Login at the following URL:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

User-Based Attributes Policy Enforcement

You can map any standard LDAP attribute to a well-known Vendor-Specific Attribute (VSA) as well as map one or more LDAP attribute(s) to one or more Cisco LDAP attributes.

The following example shows how to configure the ASA to enforce a simple banner for a user configured on an AD LDAP server. On the server, use the Office field in the General tab to enter the banner text. This field uses the attribute named physicalDeliveryOfficeName. On the ASA, create an attribute map that maps physicalDeliveryOfficeName to the Cisco attribute Banner1. During authentication, the ASA retrieves the value of physicalDeliveryOfficeName from the server, maps the value to the Cisco attribute Banner1, and displays the banner to the user.

This example applies to any connection type, including the IPsec VPN client, AnyConnect SSL VPN client, or clientless SSL VPN. In the example, User1 connects through a clientless SSL VPN connection.

To configure the attributes for a user on the AD or LDAP Server, perform the following steps:


Step 1 Right-click a user.

The Properties dialog box appears (see Figure C-3).

Step 2 Click the General tab and enter banner text in the Office field, which uses the AD/LDAP attribute physicalDeliveryOfficeName.

Figure C-3 LDAP User Configuration

Step 3 Create an LDAP attribute map on the ASA.

The following example creates the map Banner and maps the AD/LDAP attribute physicalDeliveryOfficeName to the Cisco attribute Banner1:

hostname(config)# ldap attribute-map Banner
hostname(config-ldap-attribute-map)# map-name physicalDeliveryOfficeName Banner1
 
   

Step 4 Associate the LDAP attribute map to the AAA server.

The following example enters the aaa server host configuration mode for the host 10.1.1.2 in the AAA server group MS_LDAP, and associates the attribute map Banner that you created in Step 3:

hostname(config)# aaa-server MS_LDAP host 10.1.1.2
hostname(config-aaa-server-host)# ldap-attribute-map Banner
 
   

Step 5 Test the banner enforcement.

The following example shows a clientless SSL connection and the banner enforced through the attribute map after the user authenticates (see Figure C-4).

Figure C-4 Banner Displayed

Placing LDAP Users in a Specific Group Policy

The following example shows how to authenticate User1 on the AD LDAP server to a specific group policy on the ASA. On the server, use the Department field of the Organization tab to enter the name of the group policy. Then create an attribute map and map Department to the Cisco attribute IETF-Radius-Class. During authentication, the ASA retrieves the value of Department from the server, maps the value to the IETF-Radius-Class, and places User1 in the group policy.

This example applies to any connection type, including the IPsec VPN client, AnyConnect SSL VPN client, or clientless SSL VPN. In this example, User1 is connecting through a clientless SSL VPN connection.

To configure the attributes for the user on the AD LDAP server, perform the following steps:


Step 1 Right-click the user.

The Properties dialog box appears (see Figure C-5).

Step 2 Click the Organization tab and enter Group-Policy-1 in the Department field.

Figure C-5 AD/LDAP Department Attribute

Step 3 Define an attribute map for the LDAP configuration shown in Step 1.

The following example shows how to map the AD attribute Department to the Cisco attribute IETF-Radius-Class.

hostname(config)# ldap attribute-map group_policy
hostname(config-ldap-attribute-map)# map-name Department IETF-Radius-Class
 
   

Step 4 Associate the LDAP attribute map to the AAA server.

The following example enters the aaa server host configuration mode for the host 10.1.1.2 in the AAA server group MS_LDAP, and associates the attribute map group_policy that you created in Step 3:

hostname(config)# aaa-server MS_LDAP host 10.1.1.2
hostname(config-aaa-server-host)# ldap-attribute-map group_policy
 
   

Step 5 Add the new group-policy on the ASA and configure the required policy attributes that will be assigned to the user. The following example creates Group-policy-1, the name entered in the Department field on the server:

hostname(config)# group-policy Group-policy-1 external server-group LDAP_demo
hostname(config-aaa-server-group)#
 
   

Step 6 Establish the VPN connection as the user would, and verify that the session inherits the attributes from Group-Policy1 (and any other applicable attributes from the default group-policy).

Step 7 Monitor the communication between the ASA and the server by enabling the debug  ldap 255 command from privileged EXEC mode. The following is sample output from this command, which has been edited to provide the key messages:

[29] Authentication successful for user1 to 10.1.1.2
[29] Retrieving user attributes from server 10.1.1.2
[29] Retrieved Attributes:
[29] department: value = Group-Policy-1
[29] mapped to IETF-Radius-Class: value = Group-Policy-1
 
   

Enforcing Static IP Address Assignment for AnyConnect Tunnels

In this example, configure the AnyConnect client user Web1 to receive a static IP address. then enter the address in the Assign Static IP Address field of the Dialin tab on the AD LDAP server. This field uses the msRADIUSFramedIPAddress attribute. Create an attribute map that maps this attribute to the Cisco attribute IETF-Radius-Framed-IP-Address.

During authentication, the ASA retrieves the value of msRADIUSFramedIPAddress from the server, maps the value to the Cisco attribute IETF-Radius-Framed-IP-Address, and provides the static address to User1.

The following example applies to full-tunnel clients, including the IPsec client and the SSL VPN clients (AnyConnect client 2.x and the SSL VPN client).

To configure the user attributes on the AD/LDAP server, perform the following steps:


Step 1 Right-click the username.

The Properties dialog box appears (see Figure C-6).

Step 2 Click the Dialin tab, check the Assign Static IP Address check box, and enter an IP address of 10.1.1.2.

Figure C-6 Assign Static IP Address

Step 3 Create an attribute map for the LDAP configuration shown in Step 1.

The following example shows how to map the AD attribute msRADIUSFramedIPAddress used by the Static Address field to the Cisco attribute IETF-Radius-Framed-IP-Address:

hostname(config)# ldap attribute-map static_address
hostname(config-ldap-attribute-map)# map-name msRADIUSFramedIPAddress 
IETF-Radius-Framed-IP-Address
 
   

Step 4 Associate the LDAP attribute map to the AAA server.

The following example enters the aaa server host configuration mode for the host 10.1.1.2, in the AAA server group MS_LDAP, and associates the attribute map static_address that you created in Step 3:

hostname(config)# aaa-server MS_LDAP host 10.1.1.2
hostname(config-aaa-server-host)# ldap-attribute-map static_address
 
   

Step 5 Verify that the vpn-address-assignment command is configured to specify AAA by viewing this part of the configuration with the show run all vpn-addr-assign command:

hostname(config)# show run all vpn-addr-assign
vpn-addr-assign aaa   << Make sure this is configured >>
no vpn-addr-assign dhcp
vpn-addr-assign local
hostname(config)#
 
   

Step 6 Establish a connection to the ASA with the AnyConnect client. Observe the following:

The banner is received in the same sequence as a clientless connection (see Figure C-7).

The user receives the IP address configured on the server and mapped to the ASA (see Figure C-8).

Figure C-7 Verify the Banner for the AnyConnect Session

Figure C-8 AnyConnect Session Established

Step 7 Use the show vpn-sessiondb svc command to view the session details and verify the address assigned:

hostname# show vpn-sessiondb svc
 
   
Session Type: SVC
Username     : web1                   Index        : 31
Assigned IP  : 10.1.1.2              Public IP    : 10.86.181.70
Protocol     : Clientless SSL-Tunnel DTLS-Tunnel
Encryption   : RC4 AES128             Hashing      : SHA1
Bytes Tx     : 304140                 Bytes Rx     : 470506
Group Policy : VPN_User_Group         Tunnel Group : Group1_TunnelGroup
Login Time   : 11:13:05 UTC Tue Aug 28 2007
Duration     : 0h:01m:48s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
 
   

Enforcing Dial-in Allow or Deny Access

The following example creates an LDAP attribute map that specifies the tunneling protocols allowed by the user. You map the allow access and deny access settings on the Dialin tab to the Cisco attribute Tunneling-Protocol, which supports the bitmap values shown in Table C-6:

Table C-6 Bitmap Values for Cisco Tunneling-Protocol Attribute 

Value
Tunneling Protocol

1

PPTP

2

L2TP

41

IPsec (IKEv1)

82

L2TP/IPsec

16

Clientless SSL

32

SSL client—AnyConnect or SSL VPN client

64

IPsec (IKEv2)

1 IPsec and L2TP over IPsec are not supported simultaneously. Therefore, the values 4 and 8 are mutually exclusive.

2 See note 1.


Use this attribute to create an Allow Access (TRUE) or a Deny Access (FALSE) condition for the protocols and enforce the method for which the user is allowed access.

For this simplified example, by mapping the tunnel protocol IPsec/IKEv1 (4), you can create an allow (true) condition for the Cisco VPN client. You also map WebVPN (16) and SVC/AC (32), which are mapped as a value of 48 (16+32) and create a deny (false) condition. This allows the user to connect to the ASA using IPsec, but any attempt to connect using clientless SSL or the AnyConnect client is denied.

Another example of enforcing dial-in allow access or deny access is available in the Tech Note ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example at the following URL:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

To configure the user attributes on the AD/LDAP server, perform the following steps:


Step 1 Right-click the user.

The Properties dialog box appears.

Step 2 Click the Dial-in tab, then click the Allow Access radio button (Figure C-9).

Figure C-9 AD/LDAP User1 - Allow Access


Note If you select the Control access through the Remote Access Policy option, then a value is not returned from the server, and the permissions that are enforced are based on the internal group policy settings of the ASA.


Step 3 Create an attribute map to allow both an IPsec and AnyConnect connection, but deny a clientless SSL connection.

The following example shows how to create the map tunneling_protocols, and map the AD attribute msNPAllowDialin used by the Allow Access setting to the Cisco attribute Tunneling-Protocols using the map-name command, and add map values with the map-value command:

hostname(config)# ldap attribute-map tunneling_protocols
hostname(config-ldap-attribute-map)# map-name msNPAllowDialin Tunneling-Protocols
hostname(config-ldap-attribute-map)# map-value msNPAllowDialin FALSE 48
hostname(config-ldap-attribute-map)# map-value msNPAllowDialin TRUE 4
 
   

Step 4 Associate the LDAP attribute map to the AAA server.

The following example enters the aaa server host configuration mode for the host 10.1.1.2, in the AAA server group MS_LDAP, and associates the attribute map tunneling_protocols that you created in Step 2:

hostname(config)# aaa-server MS_LDAP host 10.1.1.2
hostname(config-aaa-server-host)# ldap-attribute-map tunneling_protocols
 
   

Step 5 Verify that the attribute map works as configured.

Step 6 Try connections using clientless SSL, the AnyConnect client, and the IPsec client. The clientless and AnyConnect connections should fail, and the user should be informed that an unauthorized connection mechanism was the reason for the failed connection. The IPsec client should connect because IPsec is an allowed tunneling protocol according to the attribute map (see Figure C-10 and Figure C-11).

Figure C-10 Login Denied Message for Clientless User

Figure C-11 Login Denied Message for AnyConnect Client User

Enforcing Logon Hours and Time-of-Day Rules

The following example shows how to configure and enforce the hours that a clientless SSL user (such as a business partner) is allowed to access the network.

On the AD server, use the Office field to enter the name of the partner, which uses the physicalDeliveryOfficeName attribute. Then we create an attribute map on the ASA to map that attribute to the Cisco attribute Access-Hours. During authentication, the ASA retrieves the value of physicalDeliveryOfficeName and maps it to Access-Hours.

To configure the user attributes on the AD /LDAP server, perform the following steps:


Step 1 Select the user, and right-click Properties.

The Properties dialog box appears (see Figure C-12).

Step 2 Click the General tab.

Figure C-12 Active Directory Properties Dialog Box

Step 3 Create an attribute map.

The following example shows how to create the attribute map access_hours and map the AD attribute physicalDeliveryOfficeName used by the Office field to the Cisco attribute Access-Hours.

hostname(config)# ldap attribute-map access_hours
hostname(config-ldap-attribute-map)# map-name physicalDeliveryOfficeName Access-Hours
 
   

Step 4 Associate the LDAP attribute map to the AAA server.

The following example enters the aaa server host configuration mode for the host 10.1.1.2, in the AAA server group MS_LDAP, and associates the attribute map access_hours that you created in Step 3:

hostname(config)# aaa-server MS_LDAP host 10.1.1.2
hostname(config-aaa-server-host)# ldap-attribute-map access_hours
 
   

Step 5 Configure time ranges for each value allowed on the server.

The following example configures Partner access hours from 9am to 5pm Monday through Friday:

hostname(config)# time-range Partner
hostname(config-time-range)# periodic weekdays 09:00 to 17:00
 
   

Configuring an External RADIUS Server

This section presents an overview of the RADIUS configuration procedure and defines the Cisco RADIUS attributes. It includes the following topics:

Reviewing the RADIUS Configuration Procedure

ASA RADIUS Authorization Attributes

ASA IETF RADIUS Authorization Attributes

RADIUS Accounting Disconnect Reason Codes

Reviewing the RADIUS Configuration Procedure

This section describes the RADIUS configuration steps required to support authentication and authorization of ASA users.

To set up the RADIUS server to interoperate with the ASA, preform the following steps:


Step 1 Load the ASA attributes into the RADIUS server. The method you use to load the attributes depends on which type of RADIUS server you are using:

If you are using Cisco ACS: the server already has these attributes integrated. You can skip this step.

For RADIUS servers from other vendors (for example, Microsoft Internet Authentication Service): you must manually define each ASA attribute. To define an attribute, use the attribute name or number, type, value, and vendor code (3076). For a list of ASA RADIUS authorization attributes and values, see Table C-7.

Step 2 Set up the users or groups with the permissions and attributes to send during IPsec or SSL tunnel establishment.


ASA RADIUS Authorization Attributes

Authorization refers to the process of enforcing permissions or attributes. A RADIUS server defined as an authentication server enforces permissions or attributes if they are configured. These attributes have vendor ID 3076.

Table C-7 lists the ASA supported RADIUS attributes that can be used for user authorization.


Note RADIUS attribute names do not contain the cVPN3000 prefix. Cisco Secure ACS 4.x supports this new nomenclature, but attribute names in pre-4.0 ACS releases still include the cVPN3000 prefix. The ASAs enforce the RADIUS attributes based on attribute numeric ID, not attribute name. LDAP attributes are enforced by their name, not by the ID.

All attributes listed in Table C-7 are downstream attributes that are sent from the RADIUS server to the ASA except for the following attribute numbers: 146, 150, 151, and 152. These attribute numbers are upstream attributes that are sent from the ASA to the RADIUS server. RADIUS attributes 146 and 150 are sent from the ASA to the RADIUS server for authentication and authorization requests. All four previously listed attributes are sent from the ASA to the RADIUS server for accounting start, interim-update, and stop requests. Upstream RADIUS attributes 146, 150, 151, and 152 were introduced in ASA Version 8.4.3.


Table C-7 ASA Supported RADIUS Attributes and Values  

Attribute Name
VPN 3000
ASA
PIX
Attr. No.
Syntax/Type
Single or Multi-
Valued
Description or Value

Access-Hours

Y

Y

Y

1

String

Single

Name of the time range, for example, Business-hours

Simultaneous-Logins

Y

Y

Y

2

Integer

Single

0 - 2147483647

Primary-DNS

Y

Y

Y

5

String

Single

An IP address

Secondary-DNS

Y

Y

Y

6

String

Single

An IP address

Primary-WINS

Y

Y

Y

7

String

Single

An IP address

Secondary-WINS

Y

Y

Y

8

String

Single

An IP address

SEP-Card-Assignment

     

9

Integer

Single

Not used

Tunneling-Protocols

Y

Y

Y

11

Integer

Single

1 = PPTP
2 = L2TP
4 = IPSec (IKEv1)
8 = L2TP/IPSec
16 = WebVPN
32 = SVC
64 = IPsec (IKEv2)
8 and 4 are mutually exclusive
(0 - 11, 16 - 27, 32 - 43, 48 - 59 are legal values).

IPsec-Sec-Association

Y

   

12

String

Single

Name of the security association

IPsec-Authentication

Y

   

13

Integer

Single

0 = None
1 = RADIUS
2 = LDAP (authorization only)
3 = NT Domain
4 = SDI
5 = Internal
6 = RADIUS with Expiry
7 = Kerberos/Active Directory

Banner1

Y

Y

Y

15

String

Single

Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL

IPsec-Allow-Passwd-Store

Y

Y

Y

16

Boolean

Single

0 = Disabled
1 = Enabled

Use-Client-Address

Y

   

17

Boolean

Single

0 = Disabled
1 = Enabled

PPTP-Encryption

Y

   

20

Integer

Single

Bitmap:
1 = Encryption required
2 = 40 bits
4 = 128 bits
8 = Stateless-Required
15= 40/128-Encr/Stateless-Req

L2TP-Encryption

Y

   

21

Integer

Single

Bitmap:
1 = Encryption required
2 = 40 bits
4 = 128 bits
8 = Stateless-Req
15= 40/128-Encr/Stateless-Req

Group-Policy

 

Y

Y

25

String

Single

Sets the group policy for the remote access VPN session. For versions 8.2 and later, use this attribute instead of IETF-Radius-Class. You can use one of the three following formats:

group policy name

OU=group policy name

OU=group policy name;

IPsec-Split-Tunnel-List

Y

Y

Y

27

String

Single

Specifies the name of the network/access list that describes the split tunnel inclusion list.

IPsec-Default-Domain

Y

Y

Y

28

String

Single

Specifies the single default domain name to send to the client (1-255 characters).

IPsec-Split-DNS-Names

Y

Y

Y

29

String

Single

Specifies the list of secondary domain names to send to the client (1-255 characters).

IPsec-Tunnel-Type

Y

Y

Y

30

Integer

Single

1 = LAN-to-LAN
2 = Remote access

IPsec-Mode-Config

Y

Y

Y

31

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-User-Group-Lock

Y

   

33

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Over-UDP

Y

Y

Y

34

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Over-UDP-Port

Y

Y

Y

35

Integer

Single

4001 - 49151. The default is10000.

Banner2

Y

Y

Y

36

String

Single

Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL. The Banner2 string is concatenated to the Banner1 string , if configured.

PPTP-MPPC-Compression

Y

   

37

Integer

Single

0 = Disabled
1 = Enabled

L2TP-MPPC-Compression

Y

   

38

Integer

Single

0 = Disabled
1 = Enabled

IPsec-IP-Compression

Y

Y

Y

39

Integer

Single

0 = Disabled
1 = Enabled

IPsec-IKE-Peer-ID-Check

Y

Y

Y

40

Integer

Single

1 = Required
2 = If supported by peer certificate
3 = Do not check

IKE-Keep-Alives

Y

Y

Y

41

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Auth-On-Rekey

Y

Y

Y

42

Boolean

Single

0 = Disabled
1 = Enabled

Required-Client- Firewall-Vendor-Code

Y

Y

Y

45

Integer

Single

1 = Cisco Systems (with Cisco Integrated Client)
2 = Zone Labs
3 = NetworkICE
4 = Sygate
5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)

Required-Client-Firewall-Product-Code

Y

Y

Y

46

Integer

Single

Cisco Systems Products:

1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC)

Zone Labs Products:
1 = Zone Alarm
2 = Zone AlarmPro
3 = Zone Labs Integrity

NetworkICE Product:
1 = BlackIce Defender/Agent

Sygate Products:
1 = Personal Firewall
2 = Personal Firewall Pro
3 = Security Agent

Required-Client-Firewall-Description

Y

Y

Y

47

String

Single

String

Require-HW-Client-Auth

Y

Y

Y

48

Boolean

Single

0 = Disabled
1 = Enabled

Required-Individual-User-Auth

Y

Y

Y

49

Integer

Single

0 = Disabled
1 = Enabled

Authenticated-User-Idle-Timeout

Y

Y

Y

50

Integer

Single

1-35791394 minutes

Cisco-IP-Phone-Bypass

Y

Y

Y

51

Integer

Single

0 = Disabled
1 = Enabled

IPsec-Split-Tunneling-Policy

Y

Y

Y

55

Integer

Single

0 = No split tunneling
1 = Split tunneling
2 = Local LAN permitted

IPsec-Required-Client-Firewall-Capability

Y

Y

Y

56

Integer

Single

0 = None
1 = Policy defined by remote FW Are-You-There (AYT)
2 = Policy pushed CPP
4 = Policy from server

IPsec-Client-Firewall-Filter-Name

Y

   

57

String

Single

Specifies the name of the filter to be pushed to the client as firewall policy

IPsec-Client-Firewall-Filter-Optional

Y

Y

Y

58

Integer

Single

0 = Required
1 = Optional

IPsec-Backup-Servers

Y

Y

Y

59

String

Single

1 = Use Client-Configured list
2 = Disable and clear client list
3 = Use Backup Server list

IPsec-Backup-Server-List

Y

Y

Y

60

String

Single

Server Addresses (space delimited)

DHCP-Network-Scope

Y

Y

Y

61

String

Single

IP Address

Intercept-DHCP-Configure-Msg

Y

Y

Y

62

Boolean

Single

0 = Disabled
1 = Enabled

MS-Client-Subnet-Mask

Y

Y

Y

63

Boolean

Single

An IP address

Allow-Network-Extension-Mode

Y

Y

Y

64

Boolean

Single

0 = Disabled
1 = Enabled

Authorization-Type

Y

Y

Y

65

Integer

Single

0 = None
1 = RADIUS
2 = LDAP

Authorization-Required

Y

   

66

Integer

Single

0 = No
1 = Yes

Authorization-DN-Field

Y

Y

Y

67

String

Single

Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name

IKE-KeepAlive-Confidence-Interval

Y

Y

Y

68

Integer

Single

10 - 300 seconds

WebVPN-Content-Filter-Parameters

Y

Y

 

69

Integer

Single

1 = Java ActiveX
2 = Java Script
4 = Image
8 = Cookies in images

WebVPN-URL-List

 

Y

 

71

String

Single

URL-List name

WebVPN-Port-Forward-List

 

Y

 

72

String

Single

Port-Forward list name

WebVPN-Access-List

 

Y

 

73

String

Single

Access-List name

Cisco-LEAP-Bypass

Y

Y

Y

75

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Homepage

Y

Y

 

76

String

Single

A URL such as http://example-example.com

Client-Type-Version-Limiting

Y

Y

Y

77

String

Single

IPsec VPN version number string

WebVPN-Port-Forwarding-Name

Y

Y

 

79

String

Single

String name (example, "Corporate-Apps").

This text replaces the default string, "Application Access," on the clientless portal home page.

IE-Proxy-Server

Y

   

80

String

Single

IP address

IE-Proxy-Server-Policy

Y

   

81

Integer

Single

1 = No Modify
2 = No Proxy
3 = Auto detect
4 = Use Concentrator Setting

IE-Proxy-Exception-List

Y

   

82

String

Single

New line (\n) separated list of DNS domains

IE-Proxy-Bypass-Local

Y

   

83

Integer

Single

0 = None
1 = Local

IKE-Keepalive-Retry-Interval

Y

Y

Y

84

Integer

Single

2 - 10 seconds

Tunnel-Group-Lock

 

Y

Y

85

String

Single

Name of the tunnel group or "none"

Access-List-Inbound

 

Y

Y

86

String

Single

Access list ID

Access-List-Outbound

 

Y

Y

87

String

Single

Access list ID

Perfect-Forward-Secrecy-Enable

Y

Y

Y

88

Boolean

Single

0 = No
1 = Yes

NAC-Enable

Y

   

89

Integer

Single

0 = No
1 = Yes

NAC-Status-Query-Timer

Y

   

90

Integer

Single

30 - 1800 seconds

NAC-Revalidation-Timer

Y

   

91

Integer

Single

300 - 86400 seconds

NAC-Default-ACL

Y

   

92

String

 

Access list

WebVPN-URL-Entry-Enable

Y

Y

 

93

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-File-Access-Enable

Y

Y

 

94

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-File-Server-Entry-Enable

Y

Y

 

95

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-File-Server-Browsing-Enable

Y

Y

 

96

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding-Enable

Y

Y

 

97

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Outlook-Exchange-Proxy-Enable

Y

Y

 

98

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding-HTTP-Proxy

Y

Y

 

99

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Auto-Applet-Download-Enable

Y

Y

 

100

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Citrix-Metaframe-Enable

Y

Y

 

101

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Apply-ACL

Y

Y

 

102

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SSL-VPN-Client-Enable

Y

Y

 

103

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SSL-VPN-Client-Required

Y

Y

 

104

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SSL-VPN-Client-Keep- Installation

Y

Y

 

105

Integer

Single

0 = Disabled
1 = Enabled

SVC-Keepalive

Y

Y

 

107

Integer

Single

0 = Off
15 - 600 seconds

SVC-DPD-Interval-Client

Y

Y

 

108

Integer

Single

0 = Off
5 - 3600 seconds

SVC-DPD-Interval-Gateway

Y

Y

 

109

Integer

Single

0 = Off)
5 - 3600 seconds

SVC-Rekey-Time

 

Y

 

110

Integer

Single

0 = Disabled
1- 10080 minutes

WebVPN-Deny-Message

 

Y

 

116

String

Single

Valid string (up to 500 characters)

Extended-Authentication-On-Rekey

 

Y

Y

122

Integer

Single

0 = Disabled
1 = Enabled

SVC-DTLS

 

Y

 

123

Integer

Single

0 = False
1 = True

SVC-MTU

 

Y

 

125

Integer

Single

MTU value
256 - 1406 in bytes

SVC-Modules

 

Y

 

127

String

Single

String (name of a module)

SVC-Profiles

 

Y

 

128

String

Single

String (name of a profile)

SVC-Ask

 

Y

 

131

String

Single

0 = Disabled
1 = Enabled
3 = Enable default service
5 = Enable default clientless
(2 and 4 not used)

SVC-Ask-Timeout

 

Y

 

132

Integer

Single

5 - 120 seconds

IE-Proxy-PAC-URL

 

Y

 

133

String

Single

PAC Address String

Strip-Realm

Y

Y

Y

135

Boolean

Single

0 = Disabled
1 = Enabled

Smart-Tunnel

 

Y

 

136

String

Single

Name of a Smart Tunnel

WebVPN-ActiveX-Relay

 

Y

 

137

Integer

Single

0 = Disabled
Otherwise = Enabled

Smart-Tunnel-Auto

 

Y

 

138

Integer

Single

0 = Disabled
1 = Enabled
2 = AutoStart

Smart-Tunnel-Auto-Signon-Enable

 

Y

 

139

String

Single

Name of a Smart Tunnel Auto Signon list appended by the domain name

VLAN

 

Y

 

140

Integer

Single

0 - 4094

NAC-Settings

 

Y

 

141

String

Single

Name of the NAC policy

Member-Of

 

Y

Y

145

String

Single

Comma-delimited string, for example:

Engineering, Sales
 
        

An administrative attribute that can be used in dynamic access policies. It does not set a group policy.

Tunnel Group Name

 

Y

Y

146

String

Single

1 - 253 characters

Client Type

 

Y

Y

150

Integer

Single

1 = Cisco VPN Client (IKEv1)
2 = AnyConnect Client SSL VPN
3 = Clientless SSL VPN
4 = Cut-Through-Proxy
5 = L2TP/IPsec SSL VPN
6 = AnyConnect Client IPsec VPN (IKEv2)

Session Type

 

Y

Y

151

Integer

Single

0 = None
1 = AnyConnect Client SSL VPN
2 = AnyConnect Client IPSec VPN (IKEv2)
3 = Clientless SSL VPN
4 = Clientless Email Proxy
5 = Cisco VPN Client (IKEv1)
6 = IKEv1 LAN-LAN
7 = IKEv2 LAN-LAN
8 = VPN Load Balancing

Session Subtype

 

Y

Y

152

Integer

Single

0 = None
1 = Clientless
2 = Client
3 = Client Only

Session Subtype applies only when the Session Type (151) attribute has the following values: 1, 2, 3, and 4.

Address-Pools

 

Y

Y

217

String

Single

Name of IP local pool

IPv6-Address-Pools

 

Y

 

218

String

Single

Name of IP local pool-IPv6

IPv6-VPN-Filter

 

Y

 

219

String

Single

ACL value

Privilege-Level

 

Y

Y

220

Integer

Single

An integer between 0 and 15.

WebVPN-Macro-Value1

 

Y

 

223

String

Single

Unbounded. For examples, see the SSL VPN Deployment Guide at the following URL:

http://supportwiki.cisco.com/ViewWiki/index.php/Cisco_ASA_5500_SSL_VPN_Deployment_Guide%2C_Version_8.x

WebVPN-Macro-Value2

 

Y

 

224

String

Single

Unbounded. For examples, see the SSL VPN Deployment Guide at the following URL:

http://supportwiki.cisco.com/ViewWiki/index.php/Cisco_ASA_5500_SSL_VPN_Deployment_Guide%2C_Version_8.x


ASA IETF RADIUS Authorization Attributes

Table C-8 ASA Supported IETF RADIUS Attributes and Values

Attribute Name
VPN 3000
ASA
PIX
Attr. No.
Syntax/Type
Single or Multi-
Valued
Description or Value

IETF-Radius-Class

Y

Y

Y

25

 

Single

For Versions 8.2.x and later, we recommend that you use the Group-Policy attribute (VSA 3076, #25) as described in Table C-7:

group policy name

OU=group policy name

OU=group policy name

IETF-Radius-Filter-Id

Y

Y

Y

11

String

Single

Access list name that is defined on the ASA, which applies only to full tunnel IPsec and SSL VPN clients

IETF-Radius-Framed-IP-Address

Y

Y

Y

n/a

String

Single

An IP address

IETF-Radius-Framed-IP-Netmask

Y

Y

Y

n/a

String

Single

An IP address mask

IETF-Radius-Idle-Timeout

Y

Y

Y

28

Integer

Single

Seconds

IETF-Radius-Service-Type

Y

Y

Y

6

Integer

Single

Seconds. Possible Service Type values:
.Administrative—User is allowed access to configure prompt.

.NAS-Prompt—User is allowed access to exec prompt.

.remote-access—User is allowed network access

IETF-Radius-Session-Timeout

Y

Y

Y

27

Integer

Single

Seconds


Table C-8 lists the supported IETF RADIUS attributes.

RADIUS Accounting Disconnect Reason Codes

These codes are returned if the ASA encounters a disconnect when sending packets:

Disconnect Reason Code

ACCT_DISC_USER_REQ = 1

ACCT_DISC_LOST_CARRIER = 2

ACCT_DISC_LOST_SERVICE = 3

ACCT_DISC_IDLE_TIMEOUT = 4

ACCT_DISC_SESS_TIMEOUT = 5

ACCT_DISC_ADMIN_RESET = 6

ACCT_DISC_ADMIN_REBOOT = 7

ACCT_DISC_PORT_ERROR = 8

ACCT_DISC_NAS_ERROR = 9

ACCT_DISC_NAS_REQUEST = 10

ACCT_DISC_NAS_REBOOT = 11

ACCT_DISC_PORT_UNNEEDED = 12

ACCT_DISC_PORT_PREEMPTED = 13

ACCT_DISC_PORT_SUSPENDED = 14

ACCT_DISC_SERV_UNAVAIL = 15

ACCT_DISC_CALLBACK = 16

ACCT_DISC_USER_ERROR = 17

ACCT_DISC_HOST_REQUEST = 18

ACCT_DISC_ADMIN_SHUTDOWN = 19

ACCT_DISC_SA_EXPIRED = 21

ACCT_DISC_MAX_REASONS = 22


Configuring an External TACACS+ Server

The ASA provides support for TACACS+ attributes. TACACS+ separates the functions of authentication, authorization, and accounting. The protocol supports two types of attributes: mandatory and optional. Both the server and client must understand a mandatory attribute, and the mandatory attribute must be applied to the user. An optional attribute may or may not be understood or used.


Note To use TACACS+ attributes, make sure that you have enabled AAA services on the NAS.


Table C-9 lists supported TACACS+ authorization response attributes for cut-through-proxy connections. Table C-10 lists supported TACACS+ accounting attributes.

Table C-9 Supported TACACS+ Authorization Response Attributes

Attribute
Description

acl

Identifies a locally configured access list to be applied to the connection.

idletime

Indicates the amount of inactivity in minutes that is allowed before the authenticated user session is terminated.

timeout

Specifies the absolute amount of time in minutes that authentication credentials remain active before the authenticated user session is terminated.


.

Table C-10 Supported TACACS+ Accounting Attributes 

Attribute
Description

bytes_in

Specifies the number of input bytes transferred during this connection (stop records only).

bytes_out

Specifies the number of output bytes transferred during this connection (stop records only).

cmd

Defines the command executed (command accounting only).

disc-cause

Indicates the numeric code that identifies the reason for disconnecting (stop records only).

elapsed_time

Defines the elapsed time in seconds for the connection (stop records only).

foreign_ip

Specifies the IP address of the client for tunnel connections. Defines the address on the lowest security interface for cut-through-proxy connections.

local_ip

Specifies the IP address that the client connected to for tunnel connections. Defines the address on the highest security interface for cut-through-proxy connections.

NAS port

Contains a session ID for the connection.

packs_in

Specifies the number of input packets transferred during this connection.

packs_out

Specifies the number of output packets transferred during this connection.

priv-level

Set to the user privilege level for command accounting requests or to 1 otherwise.

rem_iddr

Indicates the IP address of the client.

service

Specifies the service used. Always set to "shell" for command accounting only.

task_id

Specifies a unique task ID for the accounting transaction.

username

Indicates the name of the user.