47-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 47 Configuring Device Administration Policies on Firewall Devices
About AAA on Security Devices
For users who need fallback support, we recommend that their user names and passwords in the Local
database match their user names and passwords on the AAA servers. This provides transparent fallback
support. Because the user cannot tell whether a AAA server or the local database is providing the
service, if the user names and passwords on the AAA servers differ from those in the Local database,
the user cannot be certain which user name and password to give.
For multiple-context mode, you can configure user names in the system execution space to provide
individual logins at the CLI using the login command; however, you cannot configure any aaa
commands that use the local database in the system execution space.
Note VPN functions are not supported in multiple mode.
AAA for Device Administration
You can authenticate all administrative connections to the security appliance, including:
Telnet
SSH
Serial console
ASDM
VPN management access
You can also authenticate administrators who attempt to enter enable mode. You can authorize
administrative commands. You can have accounting data for administrative sessions and for commands
issued during a session sent to an accounting server.
You can configure AAA for device administration using the Platform > Device Admin > AAA page
(see About AAA on Security Devices, page 47-1).
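The device-side configuration that the Platform > Device Admin > AAA page deploys for this scenario (AAA server group with Local fallback, enable authentication, command authorization and accounting) looks like the following. This is an added illustration, not text or output from the guide; the server group name, server address, interface name, key and user name are assumed placeholders.

```text
! Assumed TACACS+ server group used for administrative AAA
aaa-server ADMIN-TACACS protocol tacacs+
aaa-server ADMIN-TACACS (inside) host 192.0.2.10
 key <shared-secret-placeholder>

! Authenticate every administrative connection type listed above.
! The trailing LOCAL keyword enables fallback to the local database
! when the servers in ADMIN-TACACS are unreachable.
aaa authentication ssh console ADMIN-TACACS LOCAL
aaa authentication telnet console ADMIN-TACACS LOCAL
aaa authentication serial console ADMIN-TACACS LOCAL
aaa authentication http console ADMIN-TACACS LOCAL

! Authenticate administrators entering enable mode, with fallback
aaa authentication enable console ADMIN-TACACS LOCAL

! Authorize administrative commands against the server, with fallback
aaa authorization command ADMIN-TACACS LOCAL

! Send session and command accounting records to the accounting server
aaa accounting ssh console ADMIN-TACACS
aaa accounting enable console ADMIN-TACACS
aaa accounting command ADMIN-TACACS

! Local fallback account: for transparent fallback, the user name and
! password here must match the same administrator's entry on the AAA
! servers, because the administrator cannot tell which database answered.
username netadmin password <local-password-placeholder> privilege 15
```

Check the deployed device with `show running-config aaa` and `show aaa-server ADMIN-TACACS` to confirm that both the server group and the LOCAL fallback are present for every connection type.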
AAA for Network Access
You can configure rules for authenticating, authorizing, and accounting for traffic passing through the
firewall by using the Firewall > AAA Rules page (see Chapter 15, “Managing Firewall AAA Rules”).
The rules you create are similar to access rules, except that they specify whether to authenticate,
authorize, or perform accounting for the traffic defined; and which AAA server group the security
appliance is to use to process the AAA service request.
AAA for VPN Access
AAA services for VPN access include the following:
User account settings for assigning users to VPN groups, configured on the Platform > Device
Admin > User Accounts page (see Configuring User Accounts, page 50-6).
VPN group policies that can be referenced by many user accounts or tunnel groups, configured on
the Remote Access VPN > RA VPN Policies > User Group Policy or Site to Site VPN > User
Group Policy page.
Tunnel group policies, configured on the Remote Access VPN > RA VPN Policies > PIX7.0/ASA
Tunnel Group Policy or Site to Site VPN > PIX7.0/ASA Tunnel Group Policy page.