Cisco Systems CL-28826-01 Preparing for AAA

47-2

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 47 Configuring Device Administration Policies on Firewall Devices

About AAA on Security Devices

•Authorization—Authorization controls user capabilities after users are authenticated.

Authorization controls the services and commands available to each authenticated user. If you do

not enable authorization, authentication alone would provide the same access to services for all

authenticated users.

If you need the control that authorization provides, you can configure a broad authentication rule,

and then have a detailed authorization configuration. For example, you might authenticate inside

users who attempt to access any server on the outside network, and then use authorization to limit

the outside servers that a particular user can access.

The security appliance caches the first 16 authorization requests per user, so if the user accesses the

same services during the current authentication session, the security appliance does not resend the

request to the authorization server.

•Accounting—Accounting tracks traffic that passes through the security appliance, providing a

record of user activity. If you enable authentication for that traffic, you can account for traffic per

user. If you do not authenticate the traffic, you can account for traffic per IP address. Accounting

information includes when sessions start and stop, user name, the number of bytes that pass through

the security appliance for the session, the service used, and the duration of each session.

Preparing for AAA

AAA services depend upon the use of the Local database or at least one AAA server. You can also use

the Local database as a fallback for most services provided by an AAA server. Before you implement

AAA, you should configure the Local database and configure AAA server groups and servers.

Configuration of the Local database and AAA servers depends upon the AAA services you want the

security appliance to support. Regardless of whether you use AAA servers, you should configure the

Local database with user accounts that support administrative access, to prevent accidental lock-outs

and, if so desired, to provide a fallback method when AAA servers are unreachable. For more

information, see Configuring User Accounts, page 50-6.

The following table provides a summary of AAA service support by each AAA server type and by the

Local database. You manage the Local database by configuring user accounts on the Platform > Device

Admin > User Accounts page (see Configuring User Accounts, page 50-6). You establish AAA server

groups and add individual AAA servers to the server groups using the Platform > Device Admin > AAA

page.

Table47-1 Summary of AAA Support

AAA

Service

Database Type

Local RADIUS TACACS+ SDI NT Kerberos LDAP

HTTP

Form

Authentication of...

VPN

users

Yes Ye s Yes Ye s Yes Ye s Yes Ye s1

Firewall

sessions

YesYesYesNoNoNoNoNo

Administ

rators

YesYesYesNoNoNoNoNo

Authorization of...