47-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 47 Configuring Device Administration Policies on Firewall Devices
About AAA on Security Devices
Authorization—Authorization controls user capabilities after users are authenticated.
Authorization controls the services and commands available to each authenticated user. If you do
not enable authorization, authentication alone would provide the same access to services for all
authenticated users.
If you need the control that authorization provides, you can configure a broad authentication rule,
and then have a detailed authorization configuration. For example, you might authenticate inside
users who attempt to access any server on the outside network, and then use authorization to limit
the outside servers that a particular user can access.
The security appliance caches the first 16 authorization requests per user, so if the user accesses the
same services during the current authentication session, the security appliance does not resend the
request to the authorization server.
Accounting—Accounting tracks traffic that passes through the security appliance, providing a
record of user activity. If you enable authentication for that traffic, you can account for traffic per
user. If you do not authenticate the traffic, you can account for traffic per IP address. Accounting
information includes when sessions start and stop, user name, the number of bytes that pass through
the security appliance for the session, the service used, and the duration of each session.
Preparing for AAA
AAA services depend upon the use of the Local database or at least one AAA server. You can also use
the Local database as a fallback for most services provided by an AAA server. Before you implement
AAA, you should configure the Local database and configure AAA server groups and servers.
Configuration of the Local database and AAA servers depends upon the AAA services you want the
security appliance to support. Regardless of whether you use AAA servers, you should configure the
Local database with user accounts that support administrative access, to prevent accidental lock-outs
and, if so desired, to provide a fallback method when AAA servers are unreachable. For more
information, see Configuring User Accounts, page 50-6.
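The following is an added example that is not part of this guide: it shows, in ASA CLI form, the configuration that the Platform > Device Admin > AAA and User Accounts pages described above would generate for administrative and firewall-session AAA with a Local database fallback. The group name ADMIN-TACACS, the server addresses 192.0.2.10 and 192.0.2.11, the account name breakglass, the ACL name AUTH-TRAFFIC, the 10.1.1.0/24 subnet and the key and password placeholders are all assumed values for illustration.

```cisco
! Added example (not from the CSM guide). Names, addresses and secrets are placeholders.
!
! AAA server group: two TACACS+ servers, tried in order. After 3 failed contacts a
! server is marked down; timed reactivation brings it back without operator action.
aaa-server ADMIN-TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode timed
aaa-server ADMIN-TACACS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
aaa-server ADMIN-TACACS (inside) host 192.0.2.11
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
!
! Local database: an administrative account that exists only so the appliance cannot
! lock you out when every server in ADMIN-TACACS is unreachable. Configure it before
! enabling command authorization, and rate-limit guessing against it.
username breakglass password REPLACE-WITH-STRONG-PASSWORD privilege 15
aaa local authentication attempts max-fail 5
!
! Authentication of administrators: TACACS+ first, LOCAL only as a fallback.
aaa authentication ssh console ADMIN-TACACS LOCAL
aaa authentication http console ADMIN-TACACS LOCAL
aaa authentication enable console ADMIN-TACACS LOCAL
!
! Authorization of administrators: each command is checked against the TACACS+
! server; the same LOCAL fallback applies when the group is unreachable.
aaa authorization command ADMIN-TACACS LOCAL
!
! Accounting of administrators: session start/stop for SSH and enable, plus a
! record of every privilege-15 command.
aaa accounting ssh console ADMIN-TACACS
aaa accounting enable console ADMIN-TACACS
aaa accounting command privilege 15 ADMIN-TACACS
!
! Firewall sessions (cut-through proxy), matching the authorization example in the
! text: inside users reaching any outside web server are authenticated, then the
! TACACS+ server authorizes which servers each user may reach, and the session is
! accounted per user rather than per IP address.
access-list AUTH-TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
aaa authentication match AUTH-TRAFFIC inside ADMIN-TACACS
aaa authorization match AUTH-TRAFFIC inside ADMIN-TACACS
aaa accounting match AUTH-TRAFFIC inside ADMIN-TACACS
```

Two points a practitioner should verify after deploying this. First, LOCAL as the second method engages only when all servers in the group fail to respond; a server that is reachable and rejects the credentials does not fall through to the Local database, so the breakglass account is not a second password for everyday logins. Second, confirm the server path before you rely on it, for example with `test aaa-server authentication ADMIN-TACACS host 192.0.2.10 username <user> password <password>` on the appliance, and confirm the fallback by watching a login succeed with the local account while the servers are deliberately unreachable (a lab device, not production).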
The following table provides a summary of AAA service support by each AAA server type and by the
Local database. You manage the Local database by configuring user accounts on the Platform > Device
Admin > User Accounts page (see Configuring User Accounts, page 50-6). You establish AAA server
groups and add individual AAA servers to the server groups using the Platform > Device Admin > AAA
page.
Table 47-1 Summary of AAA Support

AAA Service                        Database Type
                                   Local  RADIUS  TACACS+  SDI  NT   Kerberos  LDAP  HTTP Form
Authentication of...
  VPN users                        Yes    Yes     Yes      Yes  Yes  Yes       Yes   Yes (1)
  Firewall sessions                Yes    Yes     Yes      No   No   No        No    No
  Administrators                   Yes    Yes     Yes      No   No   No        No    No
Authorization of...