38-11
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter38 Configuring AAA Rules for Network Access
Configuring Authorization for Network Access
Configuring Authorization for Network Access
After a user authenticates for a given connection, the ASA can use authorization to further control traffic
from the user.
This section includes the following topics:
Configuring TACACS+ Authorization, page38-11
Configuring RADIUS Authorization, page38-14

Configuring TACACS+ Authorization

You can configure the ASA to perform network access authorization with TACACS+. You identify the
traffic to be authorized by specifying access lists that authorization rules must match. Alternatively, you
can identify the traffic directly in authorization rules themselves.
Tip Using access lists to identify traffic to be authorized can greatly reduced the number of authorization
commands that you must enter. This is because each authorization rule that you enter can specify only
one source and destination subnet and service, whereas an access list can include many entries.
Authentication and authorization statements are independent; however, any unauthenticated traffic
matched by an authorization rule will be denied. For authorization to succeed:
1. A user must first authenticate with the ASA.
Because a user at a given IP address only needs to authenticate one time for all rules and types, if
the authentication session has not expired, authorization can occur even if the traffic is not matched
by an authentication rule.
2. After a user authenticates, the ASA checks the authorization rules for matching traffic.
3. If the traffic matches the authorization rule, the ASA sends the username to the TACACS+ server.
4. The TACACS+ server responds to the ASA with a permit or a deny for that traffic, based on the user
profile.
5. The ASA enforces the authorization rule in the response.
See the documentation for your TACACS+ server for information about configuring network access
authorizations for a user.
To configure TACACS+ authorization, perform the following steps: