19-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 19 Applying AAA for Network Access
Configuring Authorization for Network Access
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq
telnet
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
Configuring RADIUS Authorization
When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept
message sent by a RADIUS server. For more information about configuring authentication, see the
“Configuring Authentication for Network Access” section on page 19-1.
When you configure the security appliance to authenticate users for network access, you are also
implicitly enabling RADIUS authorizations; therefore, this section contains no information about
configuring RADIUS authorization on the security appliance. It does provide information about how the
security appliance handles access list information received from RADIUS servers.
You can configure a RADIUS server to download an access list to the security appliance or an access list
name at the time of authentication. The user is authorized to do only what is permitted in the
user-specific access list.
Note If you have used the access-group command to apply access lists to interfaces, be aware of the following
effects of the per-user-override keyword on authorization by user-specific access lists:
• Without the per-user-override keyword, traffic for a user session must be permitted by both the
interface access list and the user-specific access list.
• With the per-user-override keyword, the user-specific access list determines what is permitted.
For more information, see the access-group command entry in the Cisco Security Appliance Command
Reference.
This section includes the following topics:
• Configuring a RADIUS Server to Send Downloadable Access Control Lists, page 19-7
• Configuring a RADIUS Server to Download Per-User Access Control List Names, page 19-11
Configuring a RADIUS Server to Send Downloadable Access Control Lists
This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes
the following topics:
• About the Downloadable Access List Feature and Cisco Secure ACS, page 19-8
• Configuring Cisco Secure ACS for Downloadable Access Lists, page 19-9
• Configuring Any RADIUS Server for Downloadable Access Lists, page 19-10
• Converting Wildcard Netmask Expressions in Downloadable Access Lists, page 19-11
To Next Page
Loading...
Need help?
General