47-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 47 Configuring Device Administration Policies on Firewall Devices
About AAA on Security Devices
Authorization Tab
The Authorization tab allows you to configure authorization for accessing firewall commands.
Navigation Path
You can access the Authorization tab from the AAA page; see Configuring AAA - Authentication Tab, page 47-5.
Require AAA Authorization for the following types of connections
Select the connections that require authorization. For each type, users are allowed up to three attempts
to access the firewall console. If this number is exceeded, an “access denied” message is displayed.
Select each connection option individually:
HTTP – Require AAA authentication when a user initiates an HTTPS connection to the firewall console.
Serial – Require AAA authentication when a user initiates a connection to the firewall console via the serial console cable.
SSH – Require AAA authentication when a user initiates a Secure Shell (SSH) connection to the console.
Telnet – Require AAA authentication when a user initiates a Telnet connection to the firewall console.
For each selected connection, provide a Server Group and indicate whether the LOCAL database is used as a back-up:
Server Group – Enter or Select the name of an AAA server to contact for user authentication.
Use LOCAL when server group fails – Check this box to use the LOCAL database as back-up if the selected server fails. (This option is not enabled until you provide a Server Group.)
Table 47-2 Authentication Tab (Continued)
Element – Description
Authentication Prompts
Login Prompt – Enter the prompt a user will see when logging in to the security appliance.
Accepted Message – Enter the message displayed when successfully authenticated.
Rejected Message – Enter the message displayed when authentication fails for any reason.
Rejected Message for Invalid Credentials – Enter the message displayed when authentication fails following entry of unknown or invalid credentials. Available only on FWSM 3.2+ devices.
Rejected Message for Expired Password – Enter the message displayed when authentication fails following entry of an expired password. Available only on FWSM 3.2+ devices.
Maximum Local Authentication Failed Attempts – Specify the number of times the device will try to authenticate a user in the LOCAL database before that account is locked; valid values are 1 through 16. Available only on ASA/PIX 7.01+ and FWSM 3.11+ devices.
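The settings above (per-connection AAA authentication, a server group with optional LOCAL fallback, the LOCAL lockout threshold and the prompt texts) end up as a handful of lines in the device configuration, so a practitioner will usually want to audit the deployed result rather than the GUI. The script below is an added example, not part of the Cisco guide or of Security Manager itself. It assumes the tab's fields map onto the ASA-style commands `aaa authentication <type> console <group> [LOCAL]`, `aaa local authentication attempts max-fail <n>` and `auth-prompt {prompt|accept|reject} <text>`; the configuration excerpt it parses is constructed for the example, and the server group name MYTACACS and the address 192.0.2.10 are invented placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed ASA-style running-config excerpt (not taken from the guide).
# It is the kind of configuration the Authentication tab is assumed to produce.
SAMPLE_CONFIG = """\
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 192.0.2.10
aaa authentication ssh console MYTACACS LOCAL
aaa authentication http console MYTACACS
aaa authentication serial console LOCAL
aaa local authentication attempts max-fail 5
auth-prompt prompt Authorized access only
auth-prompt reject Authentication failed
"""

# The four connection types the Authorization/Authentication tab lets you select.
CONSOLE_TYPES = ("http", "serial", "ssh", "telnet")

AUTH_RE = re.compile(r"^aaa authentication (\w+) console (\S+)(?: (LOCAL))?\s*$")
MAXFAIL_RE = re.compile(r"^aaa local authentication attempts max-fail (\d+)\s*$")
PROMPT_RE = re.compile(r"^auth-prompt (prompt|accept|reject) (.+)$")


def parse_config(text: str) -> Dict:
    """Extract the AAA console-authentication settings from a config excerpt."""
    auth: Dict[str, Dict] = {}   # connection type -> {"group": ..., "has_local": bool}
    max_fail: Optional[int] = None
    prompts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = AUTH_RE.match(line)
        if m:
            ctype, group, fallback = m.groups()
            # LOCAL may be the primary group or the trailing fallback keyword;
            # either way the LOCAL database can still admit an administrator.
            auth[ctype] = {"group": group, "has_local": group == "LOCAL" or fallback == "LOCAL"}
            continue
        m = MAXFAIL_RE.match(line)
        if m:
            max_fail = int(m.group(1))   # a later line overrides an earlier one
            continue
        m = PROMPT_RE.match(line)
        if m:
            prompts[m.group(1)] = m.group(2)
    return {"auth": auth, "max_fail": max_fail, "prompts": prompts}


def audit(parsed: Dict) -> List[str]:
    """Return human-readable findings for settings that weaken console access control."""
    findings: List[str] = []
    for ctype in CONSOLE_TYPES:
        entry = parsed["auth"].get(ctype)
        if entry is None:
            findings.append(f"{ctype}: no AAA authentication configured for console access "
                            "(acceptable only if this access method is disabled)")
        elif not entry["has_local"]:
            findings.append(f"{ctype}: server group {entry['group']} has no LOCAL fallback; "
                            "console access is lost if the AAA server is unreachable")
    mf = parsed["max_fail"]
    if mf is None:
        findings.append("no LOCAL lockout threshold (max-fail) configured; "
                        "LOCAL accounts can be guessed against without lockout")
    elif not 1 <= mf <= 16:
        findings.append(f"max-fail {mf} is outside the valid range 1 through 16")
    for key in ("prompt", "accept", "reject"):
        if key not in parsed["prompts"]:
            findings.append(f"auth-prompt {key} not set; the device default text will be shown")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against the constructed excerpt, the audit reports three items: HTTP has a server group but no LOCAL fallback, Telnet has no authentication entry at all, and no "accept" prompt is set. Feeding it a real `show running-config` output works the same way, since only these three command forms are matched.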