Cisco ASDM User Guide, 6.1
Configuring an External Server for Authorization and Authentication
Download this chapter
Configuring an External Server for Authorization and AuthenticationConfiguring an External Server for Authorization and Authentication
Download the complete book
Full-Book PDF: Cisco ASDM User Guide, 6.1Full-Book PDF: Cisco ASDM User Guide, 6.1 (PDF - 14 MB)
give_us_feedback

Table Of Contents

Configuring an External Server for Authorization and Authentication

Understanding Policy Enforcement of Permissions and Attributes

Configuring an External LDAP Server

Organizing the Security Appliance for LDAP Operations

Searching the Hierarchy

Binding the Security Appliance to the LDAP Server

Login DN Example for Active Directory

Defining the Security Appliance LDAP Configuration

Supported Cisco Attributes for LDAP Authorization

Cisco-AV-Pair Attribute Syntax

Additional Information for using ASDM to Configure LDAP

Configuring an External RADIUS Server

Reviewing the RADIUS Configuration Procedure

Security Appliance RADIUS Authorization Attributes

Configuring an External TACACS+ Server


Configuring an External Server for Authorization and Authentication

This appendix describes how to configure an external LDAP, RADIUS, or TACACS+ server to support AAA on the security appliance. Before you configure the security appliance to use an external server, you must configure the server with the correct security appliance authorization attributes and, from a subset of these attributes, assign specific permissions to individual users.

This appendix includes the following sections:

Understanding Policy Enforcement of Permissions and Attributes

Configuring an External LDAP Server

Configuring an External RADIUS Server

Configuring an External TACACS+ Server

Understanding Policy Enforcement of Permissions and Attributes

The security appliance supports several methods of applying user authorization attributes (also called user entitlements or permissions) to VPN connections. You can configure the security appliance to obtain user attributes from a Dynamic Access Policy (DAP) on the security appliance, from an external authentication and/or authorization AAA server (RADIUS or LDAP), from a group policy on the security appliance, or from all three.

If the security appliance receives attributes from all sources, the attributes are evaluated, merged, and applied to the user policy. If there are conflicts between attributes coming from the DAP, the AAA server, or the group policy, those attributes obtained from the DAP always take precedence.

The security appliance applies attributes in the following order (also illustrated in Figure C-1:

1. DAP attributes on the security appliance—Introduced in Version 8.0, take precedence over all others. If you set a bookmark/URL list in DAP, it overrides a bookmark/URL list set in the group policy.

2. User attributes on the AAA server—The server returns these after successful user authentication and/or authorization. Do not confuse these with attributes that are set for individual users in the local AAA database on the security appliance (User Accounts in ASDM).

3. Group policy configured on the security appliance—If a RADIUS server returns the value of the RADIUS CLASS attribute IETF-Class-25 (OU=<group-policy>) for the user, the security appliance places the user in the group policy of the same name and enforces any attributes in the group policy that are not returned by the server. For LDAP servers, any attribute name can be used to set the group policy for the session. The LDAP attribute map you configure on the security appliance maps the LDAP attribute to the Cisco attribute IETF-Radius-Class.

4. Group policy assigned by the Connection Profile (called tunnel-group in CLI)—The Connection Profile has the preliminary settings for the connection, and includes a default group policy applied to the user before authentication. All users connecting to the security appliance initially belong to this group which provides any attributes that are missing from the DAP, user attributes returned by the server, or the group policy assigned to the user.

5. Default group policy assigned by the security appliance (DfltGrpPolicy)—System default attributes provide any values that are missing from the DAP, user attributes, group policy, or connection profile.

Figure C-1 Policy Enforcement Flow

Configuring an External LDAP Server

The VPN 3000 Concentrator and the ASA/PIX 7.0 required a Cisco LDAP schema for authorization operations. Beginning with Version 7.1.x, the security appliance performs authentication and authorization, using the native LDAP schema, and the Cisco schema is no longer needed.

You configure authorization (permission policy) using an LDAP attribute map.

This section describes the structure, schema, and attributes of an LDAP server. It includes the following topics:

Organizing the Security Appliance for LDAP Operations

Defining the Security Appliance LDAP Configuration

Additional Information for using ASDM to Configure LDAP

The specific steps of these processes vary, depending on which type of LDAP server you are using.

Note For more information on the LDAP protocol, see RFCs 1777, 2251, and 2849.

Organizing the Security Appliance for LDAP Operations

This section describes how to perform searches within the LDAP hierarchy and authenticated binding to the LDAP server on the security appliance. It includes the following topics:

Searching the Hierarchy

Binding the Security Appliance to the LDAP Server

Login DN Example for Active Directory

Your LDAP configuration should reflect the logical hierarchy of your organization. For example, suppose an employee at your company, Example Corporation, is named Terry. Terry works in the Engineering group. Your LDAP hierarchy could have one or many levels. You might decide to set up a shallow, single-level hierarchy in which Terry is considered a member of Example Corporation. Or, you could set up a multi-level hierarchy in which Terry is considered to be a member of the department Engineering, which is a member of an organizational unit called People, which is itself a member of Example Corporation. See Figure C-2 for an example of this multi-level hierarchy.

A multi-level hierarchy has more granularity, but a single level hierarchy is quicker to search.

Figure C-2 A Multi-Level LDAP Hierarchy

Searching the Hierarchy

The security appliance lets you tailor the search within the LDAP hierarchy. You configure the following three fields on the security appliance to define where in the LDAP hierarchy your search begins, the extent, and the type of information it is looking for. Together these fields allow you to limit the search of the hierarchy to only the part of the tree that contains the user permissions.

LDAP Base DN defines where in the LDAP hierarchy the server should begin searching for user information when it receives an authorization request from the security appliance.

Search Scope defines the extent of the search in the LDAP hierarchy. The search proceeds this many levels in the hierarchy below the LDAP Base DN. You can choose to have the server search only the level immediately below, or it can search the entire subtree. A single level search is quicker, but a subtree search is more extensive.

Naming Attribute(s) defines the RDN that uniquely identifies an entry in the LDAP server. Common naming attributes can include cn (Common Name), sAMAccountName, and userPrincipalName.

Figure C-2 shows a possible LDAP hierarchy for Example Corporation. Given this hierarchy, you could define your search in different ways. Table C-1 shows two possible search configurations.

In the first example configuration, when Terry establishes the IPSec tunnel with LDAP authorization required, the security appliance sends a search request to the LDAP server indicating it should search for Terry in the Engineering group. This search is quick.

In the second example configuration, the security appliance sends a search request indicating the server should search for Terry within Example Corporation. This search takes longer.

Table C-1 Example Search Configurations

#
LDAP Base DN
Search Scope
Naming Attribute
Result

1

group= Engineering,ou=People,dc=ExampleCorporation, dc=com

One Level

cn=Terry

Quicker search

2

dc=ExampleCorporation,dc=com

Subtree

cn=Terry

Longer search


Binding the Security Appliance to the LDAP Server

Some LDAP servers (including the Microsoft Active Directory server) require the security appliance to establish a handshake via authenticated binding before they accept requests for any other LDAP operations. The security appliance identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field defines the authentication characteristics of the security appliance; these characteristics should correspond to those of a user with administrative privileges. An example Login DN field could be: cn=Administrator, cn=users, ou=people, dc=example, dc=com.

Note As an LDAP client, the security appliance does not support sending anonymous binds or requests.

Login DN Example for Active Directory

The Login DN is a username on the LDAP server that the security appliance uses to establish a trust between itself (the LDAP client) and the LDAP server during the Bind exchange, before a user search can take place.

For VPN authentication/authorization operations, and beginning with version 8.0.4 for retrieval of AD Groups, (which are read operations only when password-management changes are not required), the you can use the Login DN with fewer privileges. For example, the Login DN can be a user who is a memberOf the Domain Users group.

For VPN password-management changes, the Login DN must have Account Operators privileges.

In either of these cases, Super-user level privileges are not required for the Login/Bind DN. Refer to your LDAP Administrator guide for specific Login DN requirements.

Defining the Security Appliance LDAP Configuration

This section describes how to define the LDAP AV-pair attribute syntax. It includes the following topics:

Supported Cisco Attributes for LDAP Authorization

Cisco-AV-Pair Attribute Syntax

Note The security appliance enforces the LDAP attributes based on attribute name, not numeric ID. RADIUS attributes, on the other hand, are enforced by numeric ID, not by name.

Authorization refers to the process of enforcing permissions or attributes. An LDAP server defined as an authentication or authorization server will enforce permissions or attributes if they are configured.

For software Version 7.0, LDAP attributes include the cVPN3000 prefix. For Version 7.1 and later, this prefix was removed.

Supported Cisco Attributes for LDAP Authorization

This section provides a complete list of attributes (Table C-2) for the ASA 5500, VPN 3000, and PIX 500 series security appliances. The table includes attribute support information for the VPN 3000 and PIX 500 series to assist you configure networks with a mixture of these security appliances.

Table C-2 Security Appliance Supported Cisco Attributes for LDAP Authorization 

Attribute Name/
VPN 3000
ASA
PIX
Syntax/
Type
Single or Multi-Valued
Possible Values

Access-Hours

Y

Y

Y

String

Single

Name of the time-range
(for example, Business-Hours)

Allow-Network-Extension- Mode

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

Authenticated-User-Idle- Timeout

Y

Y

Y

Integer

Single

1 - 35791394 minutes

Authorization-Required

Y

   

Integer

Single

0 = No
1 = Yes

Authorization-Type

Y

   

Integer

Single

0 = None
1 = RADIUS
2 = LDAP

Auth-Service-Type

           

Banner1

Y

Y

Y

String

Single

Banner string

Banner2

Y

Y

Y

String

Single

Banner string

Cisco-AV-Pair

Y

Y

Y

String

Multi

An octet string in the following format:

[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]

For more information, see "Cisco-AV-Pair Attribute Syntax."

Cisco-IP-Phone-Bypass

Y

Y

Y

Integer

Single

0 = Disabled
1 = Enabled

Cisco-LEAP-Bypass

Y

Y

Y

Integer

Single

0 = Disabled
1 = Enabled

Client-Intercept-DHCP- Configure-Msg

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

Client-Type-Version-Limiting

Y

Y

Y

String

Single

IPSec VPN client version number string

Confidence-Interval

Y

Y

Y

Integer

Single

10 - 300 seconds

DHCP-Network-Scope

Y

Y

Y

String

Single

IP address

DN-Field

Y

Y

Y

String

Single

Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name.

Firewall-ACL-In

 

Y

Y

String

Single

Access list ID

Firewall-ACL-Out

 

Y

Y

String

Single

Access list ID

IE-Proxy-Bypass-Local

     

Boolean

Single

0=Disabled
1=Enabled

IE-Proxy-Exception-List

     

String

Single

A list of DNS domains. Entries must be separated by the new line character sequence (\n).

IE-Proxy-Method

Y

Y

Y

Integer

Single

1 = Do not modify proxy settings
2 = Do not use proxy
3 = Auto detect
4 = Use security appliance setting

IE-Proxy-Server

Y

Y

Y

Integer

Single

IP Address

IETF-Radius-Class

Y

Y

Y

 

Single

Sets the group policy for the remote access VPN session

IETF-Radius-Filter-Id

Y

Y

Y

String

Single

access list name that is defined on the security appliance

IETF-Radius-Framed-IP-Address

Y

Y

Y

String

Single

An IP address

IETF-Radius-Framed-IP-Netmask

Y

Y

Y

String

Single

An IP address mask

IETF-Radius-Idle-Timeout

Y

Y

Y

Integer

Single

minutes

IETF-Radius-Service-Type

Y

Y

Y

Integer

Single

 

IETF-Radius-Session-Timeout

Y

Y

Y

Integer

Single

 

IKE-Keep-Alives

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

IPSec-Allow-Passwd-Store

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

IPSec-Authentication

Y

Y

Y

Integer

Single

0 = None
1 = RADIUS
2 = LDAP (authorization only)
3 = NT Domain
4 = SDI (RSA)
5 = Internal
6 = RADIUS with Expiry
7 = Kerberos/Active Directory

IPSec-Auth-On-Rekey

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

IPSec-Backup-Server-List

Y

Y

Y

String

Single

Server Addresses (space delimited)

IPSec-Backup-Servers

Y

Y

Y

String

Single

1 = Use Client-Configured list
2 = Disabled and clear client list
3 = Use Backup Server list

IPSec-Client-Firewall-Filter- Name

Y

   

String

Single

Specifies the name of the filter to be pushed to the client as firewall policy.

IPSec-Client-Firewall-Filter- Optional

Y

Y

Y

Integer

Single

0 = Required
1 = Optional

IPSec-Default-Domain

Y

Y

Y

String

Single

Specifies the single default domain name to send to the client (1 - 255 characters).

IPSec-IKE-Peer-ID-Check

Y

Y

Y

Integer

Single

1 = Required
2 = If supported by peer certificate
3 = Do not check

IPSec-IP-Compression

Y

Y

Y

Integer

Single

0 = Disabled
1 = Enabled

IPSec-Mode-Config

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

IPSec-Over-UDP

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

IPSec-Over-UDP-Port

Y

Y

Y

Integer

Single

4001 - 49151; default = 10000

IPSec-Required-Client-Firewall-
Capability

Y

Y

Y

Integer

Single

0 = None
1 = Policy defined by remote FW Are-You-There (AYT)
2 = Policy pushed CPP
4 = Policy from server

IPSec-Sec-Association

Y

   

String

Single

Name of the security association

IPSec-Split-DNS-Names

Y

Y

Y

String

Single

Specifies the list of secondary domain names to send to the client (1 - 255 characters).

IPSec-Split-Tunneling-Policy

Y

Y

Y

Integer

Single

0 = Tunnel everything
1 = Split tunneling
2 = Local LAN permitted

IPSec-Split-Tunnel-List

Y

Y

Y

String

Single

Specifies the name of the network or access list that describes the split tunnel inclusion list.

IPSec-Tunnel-Type

Y

Y

Y

Integer

Single

1 = LAN-to-LAN
2 = Remote access

IPSec-User-Group-Lock

Y

   

Boolean

Single

0 = Disabled
1 = Enabled

L2TP-Encryption

Y

   

Integer

Single

Bitmap:

1 = Encryption required
2 = 40 bit
4 = 128 bits
8 = Stateless-Req
15 = 40/128-Encr/Stateless-Req

L2TP-MPPC-Compression

Y

   

Integer

Single

0 = Disabled
1 = Enabled

MS-Client-Subnet-Mask

Y

Y

Y

String

Single

An IP address

PFS-Required

Y

Y

Y

Boolean

Single

0 = No
1 = Yes

Port-Forwarding-Name

Y

Y

 

String

Single

Name string (for example, "Corporate-Apps")

PPTP-Encryption

Y

   

Integer

Single

Bitmap:

1 = Encryption required
2 = 40 bits
4 = 128 bits
8 = Stateless-Required

Example:
15 = 40/128-Encr/Stateless-Req

PPTP-MPPC-Compression

Y

   

Integer

Single

0 = Disabled
1 = Enabled

Primary-DNS

Y

Y

Y

String

Single

An IP address

Primary-WINS

Y

Y

Y

String

Single

An IP address

Privilege-Level

           

Required-Client- Firewall-Vendor-Code

Y

Y

Y

Integer

Single

1 = Cisco Systems (with Cisco Integrated Client)
2 = Zone Labs
3 = NetworkICE
4 = Sygate
5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)

Required-Client-Firewall- Description

Y

Y

Y

String

Single

String

Required-Client-Firewall- Product-Code

Y

Y

Y

Integer

Single

Cisco Systems Products:

1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC)

Zone Labs Products:

1 = Zone Alarm
2 = Zone AlarmPro
3 = Zone Labs Integrity

NetworkICE Product:

1 = BlackIce Defender/Agent

Sygate Products:

1 = Personal Firewall
2 = Personal Firewall Pro
3 = Security Agent

Require-HW-Client-Auth

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

Require-Individual-User-Auth

Y

Y

Y

Integer

Single

0 = Disabled
1 = Enabled

Secondary-DNS

Y

Y

Y

String

Single

An IP address

Secondary-WINS

Y

Y

Y

String

Single

An IP address

SEP-Card-Assignment

     

Integer

Single

Not used

Simultaneous-Logins

Y

Y

Y

Integer

Single

0-2147483647

Strip-Realm

Y

Y

Y

Boolean

Single

0 = Disabled
1 = Enabled

TACACS-Authtype

Y

Y

Y

Interger

Single

 

TACACS-Privilege-Level

Y

Y

Y

Interger

Single

 

Tunnel-Group-Lock

 

Y

Y

String

Single

Name of the tunnel group or "none"

Tunneling-Protocols

Y

Y

Y

Integer

Single

1 = PPTP
2 = L2TP
4 = IPSec
8 = L2TP/IPSec
16 = WebVPN.
8 and 4 are mutually exclusive
(0 - 11, 16 - 27 are legal values)

Use-Client-Address

Y

   

Boolean

Single

0 = Disabled
1 = Enabled

User-Auth-Server-Name

Y

   

String

Single

IP address or hostname

User-Auth-Server-Port

Y

   

Integer

Single

Port number for server protocol

User-Auth-Server-Secret

Y

   

String

Single

Server password

WebVPN-ACL-Filters

 

Y

 

String

Single

Access-List name

WebVPN-Apply-ACL-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Citrix-Support-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Content-Filter- Parameters

Y

Y

 

Integer

Single

1 = Java & ActiveX
2 = Java scripts
4 = Images
8 = Cookies in images

Add the values to filter multiple parameters. For example: enter 10 to filter both Java scripts and cookies. (10 = 2 + 8)

WebVPN-Enable-functions

     

Integer

Single

Not used - deprecated

WebVPN-Exchange-Server- Address

     

String

Single

Not used - deprecated

WebVPN-Exchange-Server- NETBIOS-Name

     

String

Single

Not used - deprecated

WebVPN-File-Access-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-File-Server-Browsing-
Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-File-Server-Entry- Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Forwarded-Ports

 

Y

 

String

Single

Port-Forward list name

WebVPN-Homepage

Y

Y

 

String

Single

A URL such as http://example-portal.com.

WebVPN-Macro-Substitution-
Value1

Y

Y

 

String

Single

 

WebVPN-Macro-Substitution-
Value2

Y

Y

 

String

Single

 

WebVPN-Port-Forwarding- Auto-Download-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding- Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding- Exchange-Proxy-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding- HTTP-Proxy-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Single-Sign-On- Server-Name

 

Y

 

String

Single

Name of the SSO Server (1 - 31 characters).

WebVPN-SVC-Client-DPD

Y

Y

 

Integer

Single

0 = Disabled
n = Dead Peer Detection value in seconds (30 - 3600)

WebVPN-SVC-Compression

Y

Y

 

Integer

Single

0 = None
1 = Deflate Compression

WebVPN-SVC-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SVC-Gateway-DPD

Y

Y

 

Integer

Single

0 = Disabled
n = Dead Peer Detection value in seconds (30 - 3600)

WebVPN-SVC-Keepalive

Y

Y

 

Integer

Single

0 = Disabled
n = Keepalive value in seconds (15 - 600)

WebVPN-SVC-Keep-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SVC-Rekey-Method

Y

Y

 

Integer

Single

0 = None
1 = SSL
2 = New tunnel
3 = Any (sets to SSL)

WebVPN-SVC-Rekey-Period

Y

Y

 

Integer

Single

0 = Disabled
n = Retry period in minutes
(4 - 10080)

WebVPN-SVC-Required-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-URL-Entry-Enable

Y

Y

 

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-URL-List

 

Y

 

String

Single

URL-list name


Cisco-AV-Pair Attribute Syntax

The syntax of each Cisco-AV-Pair rule is as follows:

[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]

Table C-3 describes the syntax rules.

Table C-3 AV-Pair Attribute Syntax Rules

Field
Description

Prefix

A unique identifier for the AV pair. For example: ip:inacl#1= (for standard access lists) or webvpn:inacl# (for clientless SSL VPN access lists). This field only appears when the filter has been sent as an AV pair.

Action

Action to perform if rule matches: deny, permit.

Protocol

Number or name of an IP protocol. Either an integer in the range 0 - 255 or one of the following keywords: icmp, igmp, ip, tcp, udp.

Source

Network or host that sends the packet. Specify it as an IP address, a hostname, or the keyword "any." If using an IP address, the source wildcard mask must follow.

Source Wildcard Mask

The wildcard mask that applies to the source address.

Destination

Network or host that receives the packet. Specify as an IP address, a hostname, or the keyword "any." If using an IP address, the source wildcard mask must follow.

Destination Wildcard Mask

The wildcard mask that applies to the destination address.

Log

Generates a FILTER log message. You must use this keyword to generate events of severity level 9.

Operator

Logic operators: greater than, less than, equal to, not equal to.

Port

The number of a TCP or UDP port in the range 0 - 65535.


For example: 

ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log 

ip:inacl#2=permit TCP any host 10.160.0.1 eq 80 log 


webvpn:inacl#1=permit url http://www.website.com

webvpn:inacl#2=deny smtp any host 10.1.3.5

webvpn:inacl#3=permit url cifs://mar_server/peopleshare1

Note Use Cisco-AV pair entries with the ip:inacl# prefix to enforce access lists for remote IPSec and SSL VPN Client (SVC) tunnels.

Use Cisco-AV pair entries with the webvpn:inacl# prefix to enforce access lists for SSL VPN clientless (browser-mode) tunnels.

Table C-4 lists the tokens for the Cisco-AV-pair attribute:

Table C-4 Security Appliance-Supported Tokens

Token
Syntax Field
Description

ip:inacl#Num=

N/A (Identifier)

(Where Num is a unique integer.) Starts all AV pair access control lists. Enforces access lists for remote IPSec and SSL VPN (SVC) tunnels.

webvpn:inacl#Num=

N/A (Identifier)

(Where Num is a unique integer.) Starts all clientless SSL AV pair access control lists. Enforces access lists for clientless (browser-mode) tunnels.

deny

Action

Denies action. (Default)

permit

Action

Allows action.

icmp

Protocol

Internet Control Message Protocol (ICMP)

1

Protocol

Internet Control Message Protocol (ICMP)

IP

Protocol

Internet Protocol (IP)

0

Protocol

Internet Protocol (IP)

TCP

Protocol

Transmission Control Protocol (TCP)

6

Protocol

Transmission Control Protocol (TCP)

UDP

Protocol

User Datagram Protocol (UDP)

17

Protocol

User Datagram Protocol (UDP)

any

Hostname

Rule applies to any host.

host

Hostname

Any alpha-numeric string that denotes a hostname.

log

Log

When the event is hit, a filter log message appears. (Same as permit and log or deny and log.)

lt

Operator

Less than value

gt

Operator

Greater than value

eq

Operator

Equal to value

neq

Operator

Not equal to value

range

Operator

Inclusive range. Should be followed by two values.


Additional Information for using ASDM to Configure LDAP

Additional information on using ASDM to configure LDAP is available on Cisco.com in the documentation area for the security appliance at:

http://www.cisco.com/en/US/products/ps6121/
products_installation_and_configuration_guides_list.html

The category Selected ASDM Configuration Topics for ASA includes the following example procedures for configuring authentication and authorization on the security appliance using the Microsoft Active Directory server:

User-Based Attributes Policy Enforcement

Placing LDAP users in a specific Group-Policy

Enforcing Static IP Address Assignment for AnyConnect Tunnels

Enforcing Dial-in Allow or Deny Access

Enforcing Logon Hours and Time-of-Day Rules

Other configuration examples available on Cisco.com include the following TechNotes:

ASA/PIX: Mapping VPN Clients to VPN Group Policies Through LDAP Configuration Example at:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml

PIX/ASA 8.0: Use LDAP Authentication to Assign a Group Policy at Login at:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

Configuring an External RADIUS Server

This section presents an overview of the RADIUS configuration procedure and defines the Cisco RADIUS attributes. It includes the following topics:

Reviewing the RADIUS Configuration Procedure

Security Appliance RADIUS Authorization Attributes

Reviewing the RADIUS Configuration Procedure

This section describes the RADIUS configuration steps required to support authentication and authorization of the security appliance users. Follow these steps to set up the RADIUS server to inter operate with the security appliance.

Step 1 Load the security appliance attributes into the RADIUS server. The method you use to load the attributes depends on which type of RADIUS server you are using:

If you are using Cisco ACS: the server already has these attributes integrated. You can skip this step.

If you are using a FUNK RADIUS server: Cisco supplies a dictionary file that contains all the security appliance attributes. Obtain this dictionary file, cisco3k.dct, from Software Center on CCO or from the security appliance CD-ROM. Load the dictionary file on your server.

For other vendors' RADIUS servers (for example, Microsoft Internet Authentication Service): you must manually define each security appliance attribute. To define an attribute, use the attribute name or number, type, value, and vendor code (3076). For a list of security appliance RADIUS authorization attributes and values, see Table C-5.

Step 2 Set up the users or groups with the permissions and attributes to send during IPSec or SSL tunnel establishment.

Security Appliance RADIUS Authorization Attributes

Authorization refers to the process of enforcing permissions or attributes. A RADIUS server defined as an authentication server enforces permissions or attributes if they are configured.

Table C-5 lists all the possible security appliance supported RADIUS attributes that can be used for user authorization.

Note RADIUS attribute names do not contain the cVPN3000 prefix. Cisco Secure ACS 4.x supports this new nomenclature, but attribute names in pre-4.0 ACS releases still include the cVPN3000 prefix. The appliances enforce the RADIUS attributes based on attribute numeric ID, not attribute name. LDAP attributes are enforced by their name, not by the ID.

Table C-5 Security Appliance Supported RADIUS Attributes and Values  

Attribute Name
VPN 3000
ASA
PIX
Attr. #
Syntax/Type
Single or Multi-
Valued
Description or Value

Access-Hours

Y

Y

Y

1

String

Single

Name of the time range, for example, Business-hours

Simultaneous-Logins

Y

Y

Y

2

Integer

Single

An integer 0 to 2147483647

Primary-DNS

Y

Y

Y

5

String

Single

An IP address

Secondary-DNS

Y

Y

Y

6

String

Single

An IP address

Primary-WINS

Y

Y

Y

7

String

Single

An IP address

Secondary-WINS

Y

Y

Y

8

String

Single

An IP address

SEP-Card-Assignment

     

9

Integer

Single

Not used

Tunneling-Protocols

Y

Y

Y

11

Integer

Single

1 = PPTP

2 = L2TP

4 = IPSec

8 = L2TP/IPSec

16 = WebVPN

4 and 8 are mutually exclusive; 0-11 and 16-27 are legal values.

IPSec-Sec-Association

Y

   

12

String

Single

Name of the security association

IPSec-Authentication

Y

   

13

Integer

Single

0 = None

1 = RADIUS

2 = LDAP (authorization only)

3 = NT Domain

4 = SDI

5 = Internal

6 = RADIUS with Expiry

7 = Kerberos/Active Directory

Banner1

Y

Y

Y

15

String

Single

Banner string

IPSec-Allow-Passwd-Store

Y

Y

Y

16

Boolean

Single

0 = Disabled

1 = Enabled

Use-Client-Address

Y

   

17

Boolean

Single

0 = Disabled

1 = Enabled

PPTP-Encryption

Y

   

20

Integer

Single

Bitmap:

1 = Encryption required

2 = 40 bits

4 = 128 bits

8 = Stateless-Required

15 = 40/128-Encr/Stateless-Req

L2TP-Encryption

Y

   

21

Integer

Single

Bitmap:

1 = Encryption required

2 = 40 bit

4 = 128 bits

8 = Stateless-Req

15 = 40/128-Encr/Stateless-Req

IPSec-Split-Tunnel-List

Y

Y

Y

27

String

Single

Specifies the name of the network/access list that describes the split tunnel inclusion list

IPSec-Default-Domain

Y

Y

Y

28

String

Single

Specifies the single default domain name to send to the client (1-255 characters)

IPSec-Split-DNS-Names

Y

Y

Y

29

String

Single

Specifies the list of secondary domain names to send to the client (1-255 characters)

IPSec-Tunnel-Type

Y

Y

Y

30

Integer

Single

1 = LAN-to-LAN

2 = Remote access

IPSec-Mode-Config

Y

Y

Y

31

Boolean

Single

0 = Disabled

1 = Enabled

IPSec-User-Group-Lock

Y

   

33

Boolean

Single

0 = Disabled

1 = Enabled

IPSec-Over-UDP

Y

Y

Y

34

Boolean

Single

0 = Disabled

1 = Enabled

IPSec-Over-UDP-Port

Y

Y

Y

35

Integer

Single

4001 - 49151, default = 10000

Banner2

Y

Y

Y

36

String

Single

A banner string that is concatenated to the Banner1 string, if configured.

PPTP-MPPC-Compression

Y

   

37

Integer

Single

0 = Disabled

1 = Enabled

L2TP-MPPC-Compression

Y

   

38

Integer

Single

0 = Disabled

1 = Enabled

IPSec-IP-Compression

Y

Y

Y

39

Integer

Single

0 = Disabled

1 = Enabled

IPSec-IKE-Peer-ID-Check

Y

Y

Y

40

Integer

Single

1 = Required

2 = If supported by peer certificate

3 = Do not check

IKE-Keep-Alives

Y

Y

Y

41

Boolean

Single

0 = Disabled

1 = Enabled

IPSec-Auth-On-Rekey

Y

Y

Y

42

Boolean

Single

0 = Disabled

1 = Enabled

Required-Client- Firewall-Vendor-Code

Y

Y

Y

45

Integer

Single

1 = Cisco Systems (with Cisco Integrated Client)

2 = Zone Labs

3 = NetworkICE

4 = Sygate

5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)

Required-Client-Firewall-Product-Code

Y

Y

Y

46

Integer

Single

Cisco Systems Products:

1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC)

Zone Labs Products:

1 = Zone Alarm

2 = Zone AlarmPro

3 = Zone Labs Integrity

NetworkICE Product:

1 = BlackIce Defender/Agent

Sygate Products:

1 = Personal Firewall

2 = Personal Firewall Pro

3 = Security Agent

Required-Client-Firewall-Description

Y

Y

Y

47

String

Single

String

Require-HW-Client-Auth

Y

Y

Y

48

Boolean

Single

0 = Disabled

1 = Enabled

Required-Individual-User-Auth

Y

Y

Y

49

Integer

Single

0 = Disabled

1 = Enabled

Authenticated-User-Idle-Timeout

Y

Y

Y

50

Integer

Single

1-35791394 minutes

Cisco-IP-Phone-Bypass

Y

Y

Y

51

Integer

Single

0 = Disabled

1 = Enabled

IPSec-Split-Tunneling-Policy

Y

Y

Y

55

Integer

Single

0 = No split tunneling

1 = Split tunneling

2 = Local LAN permitted

IPSec-Required-Client-Firewall-Capability

Y

Y

Y

56

Integer

Single

0 = None

1 = Policy defined by remote FW Are-You-There (AYT)

2 = Policy pushed CPP

4 = Policy from server

IPSec-Client-Firewall-Filter-Name

Y

   

57

String

Single

Specifies the name of the filter to be pushed to the client as firewall policy

IPSec-Client-Firewall-Filter-Optional

Y

Y

Y

58

Integer

Single

0 = Required

1 = Optional

IPSec-Backup-Servers

Y

Y

Y

59

String

Single

1 = Use Client-Configured list

2 = Disable and clear client list

3 = Use Backup Server list

IPSec-Backup-Server-List

Y

Y

Y

60

String

Single

Server Addresses (space delimited)

DHCP-Network-Scope

Y

Y

Y

61

String

Single

IP Address

Intercept-DHCP-Configure-Msg

Y

Y

Y

62

Boolean

Single

0 = Disabled

1 = Enabled

MS-Client-Subnet-Mask

Y

Y

Y

63

Boolean

Single

An IP address

Allow-Network-Extension-Mode

Y

Y

Y

64

Boolean

Single

0 = Disabled

1 = Enabled

Authorization-Type

Y

Y

Y

65

Integer

Single

0 = None

1 = RADIUS

2 = LDAP

Authorization-Required

Y

   

66

Integer

Single

0 = No

1 = Yes

Authorization-DN-Field

Y

Y

Y

67

String

Single

Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name

IKE-KeepAlive-Confidence-Interval

Y

Y

Y

68

Integer

Single

10-300 seconds

WebVPN-Content-Filter-Parameters

Y

Y

 

69

Integer

Single

1 = Java ActiveX

2 = Java Script

4 = Image

8 = Cookies in images

WebVPN-URL-List

 

Y

 

71

String

Single

URL-List name

WebVPN-Port-Forward-List

 

Y

 

72

String

Single

Port-Forward list name

WebVPN-Access-List

 

Y

 

73

String

Single

Access-List name

Cisco-LEAP-Bypass

Y

Y

Y

75

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-Homepage

Y

Y

 

76

String

Single

A URL such as http://example-portal.com

Client-Type-Version-Limiting

Y

Y

Y

77

String

Single

IPSec VPN version number string

WebVPN-Port-Forwarding-Name

Y

Y

 

79

String

Single

String name (example, "Corporate-Apps").

This text replaces the default string, "Application Access," on the clientless portal home page.

IE-Proxy-Server

Y

   

80

String

Single

IP address

IE-Proxy-Server-Policy

Y

   

81

Integer

Single

1 = No Modify

2 = No Proxy

3 = Auto detect

4 = Use Concentrator Setting

IE-Proxy-Exception-List

Y

   

82

String

Single

newline (\n) separated list of DNS domains

IE-Proxy-Bypass-Local

Y

   

83

Integer

Single

0 = None

1 = Local

IKE-Keepalive-Retry-Interval

Y

Y

Y

84

Integer

Single

2 - 10 seconds

Tunnel-Group-Lock

 

Y

Y

85

String

Single

Name of the tunnel group or "none"

Access-List-Inbound

 

Y

Y

86

String

Single

Access list ID

Access-List-Outbound

 

Y

Y

87

String

Single

Access list ID

Perfect-Forward-Secrecy-Enable

Y

Y

Y

88

Boolean

Single

0 = No

1 = Yes

NAC-Enable

Y

   

89

Integer

Single

0 = No

1 = Yes

NAC-Status-Query-Timer

Y

   

90

Integer

Single

30 - 1800 seconds

NAC-Revalidation-Timer

Y

   

91

Integer

Single

300 - 86400 seconds

NAC-Default-ACL

Y

   

92

String

 

Access list

WebVPN-URL-Entry-Enable

Y

Y

 

93

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-File-Access-Enable

Y

Y

 

94

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-File-Server-Entry-Enable

Y

Y

 

95

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-File-Server-Browsing-Enable

Y

Y

 

96

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-Port-Forwarding-Enable

Y

Y

 

97

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-Outlook-Exchange-Proxy-Enable

Y

Y

 

98

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-Port-Forwarding-HTTP-Proxy

Y

Y

 

99

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-Auto-Applet-Download-Enable

Y

Y

 

100

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-Citrix-Metaframe-Enable

Y

Y

 

101

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-Apply-ACL

Y

Y

 

102

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-SSL-VPN-Client-Enable

Y

Y

 

103

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-SSL-VPN-Client-Required

Y

Y

 

104

Integer

Single

0 = Disabled

1 = Enabled

WebVPN-SSL-VPN-Client-Keep- Installation

Y

Y

 

105

Integer

Single

0 = Disabled

1 = Enabled

SVC-Keepalive

Y

Y

 

107

Integer

Single

0 = Off

15 - 600 seconds

SVC-DPD-Interval-Client

Y

Y

 

108

Integer

Single

0 = Off

5 - 3600 seconds

SVC-DPD-Interval-Gateway

Y

Y

 

109

Integer

Single

0 = Off)

5 - 3600 seconds

SVC-Rekey-Time

 

Y

 

110

Integer

Single

0 = Disabled

1- 10080 minutes

WebVPN-Deny-Message

 

Y

 

116

String

Single

Valid string(up to 500 characters)

SVC-DTLS

 

Y

 

123

Integer

Single

0 = False

1 = True

SVC-MTU

 

Y

 

125

Integer

Single

MTU value

256 - 1406 in bytes

SVC-Modules

 

Y

 

127

String

Single

String (name of a module)

SVC-Profiles

 

Y

 

128

String

Single

String (name of a profile)

SVC-Ask

 

Y

 

131

String

Single

0 = Disabled

1 = Enabled

3 = Enable default service

5 = Enable default clientless

(2 and 4 not used)

SVC-Ask-Timeout

 

Y

 

132

Integer

Single

5 - 120 seconds

IE-Proxy-PAC-URL

 

Y

 

133

String

Single

PAC Address String

Strip-Realm

Y

Y

Y

135

Boolean

Single

0 = Disabled

1 = Enabled

Smart-Tunnel

 

Y

 

136

String

Single

Name of a Smart Tunnel

WebVPN-ActiveX-Relay

 

Y

 

137

Integer

Single

0 = Disabled

Otherwise = Enabled

Smart-Tunnel-Auto

 

Y

 

138

Integer

Single

0 = Disabled

1 = Enabled

2 = AutoStart

VLAN

 

Y

 

140

Integer

Single

0 - 4094

NAC-Settings

 

Y

 

141

String

Single

Name of NAC policy

Member-Of

 

Y

Y

145

String

Single

Comma delimited string, for example:

Engineering, Sales

Address-Pools

 

Y

Y

217

String

Single

Name of IP local pool

IPv6-Address-Pools

 

Y

 

218

String

Single

Name of IP local pool-IPv6

IPv6-VPN-Filter

 

Y

 

219

String

Single

ACL value

Privilege-Level

 

Y

Y

220

Integer

Single

An integer between 0 and 15.

WebVPN-Macro-Value1

 

Y

 

223

String

Single

Unbounded

WebVPN-Macro-Value2

 

Y

 

224

String

Single

Unbounded


Configuring an External TACACS+ Server

The security appliance provides support for TACACS+ attributes. TACACS+ separates the functions of authentication, authorization, and accounting. The protocol supports two types of attributes: mandatory and optional. Both the server and client must understand a mandatory attribute, and the mandatory attribute must be applied to the user. An optional attribute may or may not be understood or used.

Note To use TACACS+ attributes, make sure you have enabled AAA services on the NAS.

Table C-6 lists supported TACACS+ authorization response attributes for cut-through-proxy connections. Table C-7 lists supported TACACS+ accounting attributes.

Table C-6 Supported TACACS+ Authorization Response Attributes

Attribute
Description

acl

Identifies a locally configured access list to be applied to the connection.

idletime

Indicates the amount of inactivity in minutes that is allowed before the authenticated user session is terminated.

timeout

Specifies the absolute amount of time in minutes that authentication credentials remain active before the authenticated user session is terminated.


.

Table C-7 Supported TACACS+ Accounting Attributes 

Attribute
Description

bytes_in

Specifies the number of input bytes transferred during this connection (stop records only).

bytes_out

Specifies the number of output bytes transferred during this connection (stop records only).

cmd

Defines the command executed (command accounting only).

disc-cause

Indicates the numeric code that identifies the reason for disconnecting (stop records only).

elapsed_time

Defines the elapsed time in seconds for the connection (stop records only).

foreign_ip

Specifies the IP address of the client for tunnel connections. Defines the address on the lowest security interface for cut-through-proxy connections.

local_ip

Specifies the IP address that the client connected to for tunnel connections. Defines the address on the highest security interface for cut-through-proxy connections.

NAS port

Contains a session ID for the connection.

packs_in

Specifies the number of input packets transferred during this connection.

packs_out

Specifies the number of output packets transferred during this connection.

priv-level

Set to the user's privilege level for command accounting requests or to 1 otherwise.

rem_iddr

Indicates the IP address of the client.

service

Specifies the service used. Always set to "shell" for command accounting only.

task_id

Specifies a unique task ID for the accounting transaction.

username

Indicates the name of the user.