12-24
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 12 Configuring AAA
Configuring Authorization for Network Access
This section includes the following topics:
• Configuring TACACS+ Authorization, page 12-24
• Configuring RADIUS Authorization, page 12-25
Configuring TACACS+ Authorization
The FWSM lets you configure network access authorization using TACACS+. You can identify the
traffic that needs to be authorized in the authorization rule, or by matching an ACL name. Authorization
rules can include only one source and destination subnet and service, while an ACL can include many
entries.
For all traffic that you want to authorize, a user must first authenticate with the FWSM for that traffic.
You can choose to authenticate, but not authorize, some traffic; be sure that the authorization rules are
equal to or a subset of the authentication rules. See the “Configuring Authentication for Network
Access” section on page 12-20 to configure authentication.
After a user authenticates, the FWSM checks the authorization rules for matching traffic. If the traffic
matches the authorization statement, the FWSM sends the username to the TACACS+ server. The
TACACS+ server responds to the FWSM with a permit or a deny for that traffic, based on the user’s
profile. See the TACACS+ server documentation for information about configuring network access
restrictions for a user.
To configure authorization, enter the following command:
FWSM/contexta(config)# aaa authorization match acl_name interface_name server_group
Identify the source addresses and destination addresses using an extended ACL. Create the ACL using
the access-list command (see the “Adding an Extended Access Control List” section on page 10-13).
The permit access control entries (ACEs) mark matching traffic for authorization, while deny entries
exclude matching traffic from authorization.
Note You can alternatively use the aaa authorization include command (which identifies traffic within the
command). However, you cannot use both methods in the same configuration. See the Catalyst 6500
Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more
information.
The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other
than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization:
FWSM/contexta(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
FWSM/contexta(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
FWSM/contexta(config)# aaa-server AuthOutbound protocol tacacs+
FWSM/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.1 TheUauthKey
FWSM/contexta(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
FWSM/contexta(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
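The section above requires that the authorization rules be equal to or a subset of the authentication rules on an interface. The following added example (not part of the Cisco guide or FWSM software) parses `access-list` and `aaa ... match` lines from a saved configuration and reports authorization permit ACEs that no authentication permit ACE covers; the sample configuration is constructed from the guide's example plus a hypothetical SSH entry, and only extended ACEs of the forms `any`, `host A` and `A MASK` with an optional `eq` port are understood.

```python
import ipaddress
import re

# Constructed sample: the guide's example plus an SSH authorization ACE no authentication rule covers.
SAMPLE_CONFIG = """
access-list TELNET_AUTH extended permit tcp any any eq telnet
access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq ssh
aaa authentication match TELNET_AUTH inside AuthOutbound
aaa authorization match SERVER_AUTH inside AuthOutbound
"""

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) "
                    r"(any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)(?: eq (\S+))?$")
AAA_RE = re.compile(r"aaa (authentication|authorization) match (\S+) (\S+) (\S+)$")

def parse_addr(text):
    """Map an ACE address token (any | host A | A MASK) to an ip_network."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if text.startswith("host "):
        return ipaddress.ip_network(text.split()[1] + "/32")
    return ipaddress.ip_network("/".join(text.split()), strict=False)

def parse_config(config):
    """Return ({acl: [(action, proto, src, dst, port)]}, [(kind, acl, iface, group)])."""
    acls, aaa = {}, []
    for line in config.splitlines():
        if m := ACE_RE.match(line.strip()):
            name, action, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((action, proto, parse_addr(src), parse_addr(dst), port))
        elif m := AAA_RE.match(line.strip()):
            aaa.append(m.groups())
    return acls, aaa

def covers(authn_ace, authz_ace):
    """True if the authentication ACE matches every packet the authorization ACE matches."""
    _, p1, s1, d1, port1 = authn_ace
    _, p2, s2, d2, port2 = authz_ace
    return p1 in ("ip", p2) and s2.subnet_of(s1) and d2.subnet_of(d1) and port1 in (None, port2)

def uncovered_rules(config):
    """Authorization permit ACEs with no covering authentication permit ACE on the same interface."""
    acls, aaa = parse_config(config)
    authn = [(iface, a) for kind, acl, iface, _ in aaa if kind == "authentication"
             for a in acls.get(acl, []) if a[0] == "permit"]
    return [(acl, iface, ace[1], str(ace[2]), str(ace[3]), ace[4])
            for kind, acl, iface, _ in aaa if kind == "authorization"
            for ace in acls.get(acl, []) if ace[0] == "permit"
            and not any(i == iface and covers(a, ace) for i, a in authn)]
```

Deny ACEs are ignored on both sides, so the check is a conservative review of the permit entries only; on the sample it flags the SSH entry, which would be authorized but never authenticated.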