47-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 47 Configuring Device Administration Policies on Firewall Devices
About AAA on Security Devices
1 HTTP Form protocol supports single sign-on authentication for WebVPN users only.
2 For firewall sessions, RADIUS authorization is supported with user-specific ACLs only, which are
received or specified in a RADIUS authentication response.
3 Local command authorization is supported by privilege level only.
Local Database
The security appliance maintains a Local database that you can populate with user accounts, which
contain, at a minimum, a user name. Typically, you assign a password and a privilege level to each user
name, although passwords are optional. You can manage Local user accounts on the Platform > Device
Admin > User Accounts page (see Configuring User Accounts, page 50-6).
If you enable command authorization using the Local database, the security appliance refers to the
assigned user privilege level to determine what commands are available. By default, all commands are
assigned either privilege level 0 or level 15.
Note If you add users to the Local database who need CLI access but who should not be able to enter
privileged mode, enable command authorization. Without command authorization, any local user whose
privilege level is 2 or greater (2 is the default when no level is assigned) can enter privileged mode, and
therefore run every command, at the CLI using only their own password. Alternatively, use RADIUS or
TACACS+ authentication for console access so that the login command is unavailable to local users, or set
all local users to level 1 so that only those who know the system enable password can reach privileged mode.
You cannot use the Local database for network access authorization (Table 47-1 shows Local authorization of
firewall sessions as not supported).
The user accounts in the Local database can provide fallback support for console and enable-password
authentication, for command authorization, and for VPN authentication and authorization. This behavior
is designed to help you prevent accidental lock-out from the security appliance.
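The two conditions described above, local users who can reach privileged mode because command authorization is off, and console authentication with no LOCAL fallback, are easy to miss in a large running configuration. The following Python audit is an added example for this guide, not Cisco Security Manager or ASA code; the configuration excerpt it parses (hostnames, usernames, password hashes, the TACACS_SRV server tag) is constructed for the example, and the 2-and-above privilege threshold and level-2 default come straight from the Note above. It treats level-15 accounts as intended administrators and reports only the accounts in between.

```python
"""Audit an ASA-style running-config excerpt for the two problems the
Local Database section warns about:

  1. local CLI users who can reach privileged mode with their own password
     because no 'aaa authorization command' line is present (privilege 2 or
     higher; 2 is the default when the username line carries no level);
  2. 'aaa authentication ... console' lines that name a remote server group
     without a trailing LOCAL fallback (accidental lock-out risk).

Everything below is example code; the config text is constructed and the
server tag TACACS_SRV is an assumed name."""
import re

SAMPLE_CONFIG = """\
hostname asa-edge
enable password 8Ry2YjIyt7RRXU24 encrypted
username admin password k9QoJcNzJe7c3nHa encrypted privilege 15
username netops password 7Jh1GnVd2T0YxQ9b encrypted privilege 2
username helpdesk password Zq0dFd0LtQ5k7Vpk encrypted
username auditor password MfJ6wCjGmKw3tJw1 encrypted privilege 1
aaa-server TACACS_SRV protocol tacacs+
aaa-server TACACS_SRV (inside) host 10.1.1.5
aaa authentication ssh console TACACS_SRV
aaa authentication enable console LOCAL
"""

# Same excerpt with the two fixes the Note recommends applied.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "aaa authentication ssh console TACACS_SRV\n",
    "aaa authentication ssh console TACACS_SRV LOCAL\n",
) + "aaa authorization command LOCAL\n"

DEFAULT_PRIVILEGE = 2      # ASA default when "privilege <n>" is omitted
PRIV_MODE_THRESHOLD = 2    # level at which privileged mode is reachable (per the Note)
ADMIN_PRIVILEGE = 15       # treated as an intended administrator, not a finding

USERNAME_RE = re.compile(
    r"^username\s+(\S+)\s+password\s+\S+(?:\s+encrypted)?(?:\s+privilege\s+(\d+))?\s*$")
AAA_AUTH_RE = re.compile(r"^aaa authentication\s+(\S+)\s+console\s+(.+?)\s*$")
AAA_AUTHZ_RE = re.compile(r"^aaa authorization command\s+(.+?)\s*$")


def parse_local_users(config):
    """Return {username: privilege level} for every local account, applying the default."""
    users = {}
    for line in config.splitlines():
        m = USERNAME_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2)) if m.group(2) else DEFAULT_PRIVILEGE
    return users


def command_authorization_enabled(config):
    """True if any 'aaa authorization command ...' line is present."""
    return any(AAA_AUTHZ_RE.match(line.strip()) for line in config.splitlines())


def parse_aaa_auth(config):
    """Return {service: [server tags in order]} for each 'aaa authentication X console' line."""
    auth = {}
    for line in config.splitlines():
        m = AAA_AUTH_RE.match(line.strip())
        if m:
            auth[m.group(1)] = m.group(2).split()
    return auth


def audit(config):
    """Return a list of human-readable findings; an empty list means both checks passed."""
    findings = []
    users = parse_local_users(config)
    if not command_authorization_enabled(config):
        for name in sorted(users):
            level = users[name]
            if PRIV_MODE_THRESHOLD <= level < ADMIN_PRIVILEGE:
                findings.append(
                    f"user {name} (privilege {level}) can enter privileged mode with "
                    f"their own password: no 'aaa authorization command' configured")
    for service, tags in parse_aaa_auth(config).items():
        if "LOCAL" not in tags:
            findings.append(
                f"aaa authentication {service} console uses {' '.join(tags)} with no "
                f"LOCAL fallback: lock-out if the server group is unreachable")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

On the constructed excerpt the audit reports helpdesk (level 2 by default) and netops (level 2) as able to reach privileged mode, and the ssh console line as lacking a LOCAL fallback; the same excerpt with `aaa authorization command LOCAL` added and `LOCAL` appended to the ssh line produces no findings. The admin account at level 15 is deliberately not reported, and auditor at level 1 stays below the threshold the Note describes.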
Table 47-1 Summary of AAA Support (Continued)

AAA Service                Database Type
                           Local    RADIUS   TACACS+  SDI   NT    Kerberos  LDAP   HTTP Form
Authorization of...
  VPN users                Yes      Yes      No       No    No    No        Yes    No
  Firewall sessions        No       Yes(2)   Yes      No    No    No        No     No
  Administrators           Yes(3)   No       Yes      No    No    No        No     No
Accounting of...
  VPN connections          No       Yes      Yes      No    No    No        No     No
  Firewall sessions        No       Yes      Yes      No    No    No        No     No
  Administrators           No       Yes      Yes      No    No    No        No     No