12-2
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 12 Configuring AAA
AAA Overview
• About Authorization, page 12-2
• About Accounting, page 12-3
• AAA Server and Local Database Support, page 12-4
AAA Performance
The FWSM uses “cut-through proxy” to significantly speed up performance compared to a traditional proxy server. The performance of a traditional proxy server suffers because it analyzes every packet at the application layer of the Open System Interconnection (OSI) model. The FWSM cut-through proxy challenges a user initially at the application layer and then authenticates against a standard Remote Authentication Dial-In User Service (RADIUS) server, a Terminal Access Controller Access Control System Plus (TACACS+) server, or a local database. After the FWSM checks the policy, the FWSM shifts the session flow, and all traffic flows directly and quickly between the two parties while maintaining session state information. Only the initial authentication exchange is handled at the application layer; the subsequent packets of an authenticated session are tracked by their session state and are not re-authenticated at the application layer.
About Authentication
Authentication lets you control access by requiring a valid username and password. You can configure the FWSM to authenticate the following items:
• All administrative connections to the FWSM including the following sessions:
– Telnet
– SSH
– PDM (using HTTPS)
– VPN management access (see the “Configuring VPN Client Access” section on page 11-7 for more information about using AAA with VPN)
• The enable command
• Network access through the FWSM
A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for timeout values.) For example, if you configure the FWSM to authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the session exists, the user does not also have to authenticate for FTP. Because the authentication session is keyed to the source IP address rather than to the user, any other user or process that sends traffic from that address (for example, hosts behind a shared NAT address or users on a multi-user host) inherits the authenticated session until it times out; keep the uauth timeout short where addresses are shared. See the section on page 12-27 for more information about authentication sessions.
About Authorization
Authorization lets you control access per user after you authenticate with a valid username and
password. You can configure the FWSM to authorize the following items:
• Management commands
• Network access through the FWSM
Authorization lets you control which services and commands are available to an individual user.
Authentication alone provides the same access to services for all authenticated users.
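The authentication and authorization items listed in these two sections, as one worked configuration. This is an added example, not a configuration from the guide; the server tag AuthOutbound, the ACL name SERVER_AUTH, the addresses, the key and the username are assumed placeholders.

```cisco
! Added example (not from the configuration guide). Server tag, ACL name,
! addresses, key and username are assumed placeholders.
!
! Define an AAA server group and one TACACS+ server reachable on "inside".
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.1 TheUauthKey timeout 5
!
! Local account for emergency access. Create it BEFORE enabling console
! authentication so an unreachable AAA server cannot lock you out.
username admin password <strong-password> privilege 15
!
! Authenticate administrative sessions (Telnet, SSH, PDM over HTTPS)
! and the enable command against the TACACS+ server group.
aaa authentication telnet console AuthOutbound
aaa authentication ssh console AuthOutbound
aaa authentication http console AuthOutbound
aaa authentication enable console AuthOutbound
!
! Authenticate outbound Telnet and FTP from the inside network. One
! successful login from a host covers both, because the uauth session
! is cached per source IP address, not per user.
access-list SERVER_AUTH extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-list SERVER_AUTH extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
aaa authentication match SERVER_AUTH inside AuthOutbound
!
! Authorize individual management commands per user through TACACS+.
aaa authorization command AuthOutbound
!
! Keep the cached authentication session short: five minutes absolute,
! two minutes idle. A shorter cache limits how long another host sharing
! the same IP address can ride on an authenticated session.
timeout uauth 0:05:00 absolute
timeout uauth 0:02:00 inactivity
```

Apply the console authentication lines from a session that is already open and keep that session up until a fresh login through the AAA server succeeds. Use show uauth to list the currently cached authentication sessions and confirm that a second connection from an authenticated address is not challenged again, and clear uauth to drop a cached session immediately if an address must be re-authenticated.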