15-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
Understanding How Users Authenticate
is high security, where you want to carefully control access. AAA rules are also useful for circumstances where you need to maintain per-user accounting records for billing, security, or resource allocation purposes.
The AAA rules policy actually configures three separate types of rules, and the configuration of these rules differs significantly between IOS devices on the one hand and ASA, PIX, and FWSM devices on the other hand. For IOS devices, these policies define what is called authentication proxy admission control. When creating shared AAA rules, create separate rules for these two types of devices. Following are the types of rules you can configure with AAA rules:

Authentication rules—Authentication rules control basic user access. If you configure an authentication rule, users must log in if their connection request goes through the device on which the rule is defined. You can force users to log in for HTTP, HTTPS, FTP, or Telnet connections. For ASA, PIX, and FWSM devices, you can control other types of services, but users must first authenticate using one of the supported protocols before other types of traffic are allowed.

The device recognizes these traffic types only on the default ports: FTP (21), Telnet (23), HTTP (80), HTTPS (443). If you map these types of traffic to other ports, the user will not be prompted, and access will fail.

Authorization rules—You can define an additional level of control over and above authentication. Authentication simply requires that users identify themselves. After authentication is successful, an authorization rule can query the AAA server to determine if the user has sufficient privileges to complete the attempted connection. If authorization fails, the connection is dropped.

For ASA, PIX, and FWSM devices, you define authorization rules directly in the AAA rules policy; if you require authorization for traffic that does not also require authentication, the unauthenticated traffic is always dropped. If you use RADIUS servers for authentication, authorization is automatically performed and authorization rules are not necessary. If you configure authorization rules, you must use a TACACS+ server.

For IOS devices, to configure authorization, you must configure an authorization server group in the Firewall > Settings > AAA policy; authorization is done for any traffic that is subject to authentication. You can use TACACS+ or RADIUS servers.

Accounting—You can define accounting rules even if you do not configure authentication or authorization. If you do configure authentication, accounting records are created for each user, so that you can identify the specific user who made the connection. Without user authentication, accounting records are based on IP address. You can use TACACS+ or RADIUS servers for accounting.

For ASA, PIX, and FWSM devices, you define accounting rules directly in the AAA rules policy. You can perform accounting for any TCP or UDP protocol.

For IOS devices, to configure accounting, you must configure an accounting server group in the Firewall > Settings > AAA policy; accounting is done for any traffic that is subject to authentication.
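The three rule types described above map onto different device CLI on the two platform families. The following is an added illustration, not configuration generated by Security Manager or taken from this guide: it shows the kind of commands an ASA and an IOS device end up with for an authentication, an authorization, and an accounting rule that cover the 10.1.1.0/24 inside network against a TACACS+ server. The server group names (CSM-TACACS, CSM-PROXY), access-list names, addresses, interface, and the shared secret are assumed placeholders, and the exact commands Security Manager deploys may differ in detail.

```cisco
! ===== ASA / PIX / FWSM: each rule type is a separate "match" statement =====
! TACACS+ server group. A TACACS+ group is required once authorization rules
! are used; with RADIUS, authorization is performed implicitly and no
! authorization rule is needed. (Addresses and key are assumed placeholders.)
aaa-server CSM-TACACS protocol tacacs+
aaa-server CSM-TACACS (inside) host 10.0.0.5
 key TACACS-SHARED-SECRET-PLACEHOLDER

! Authentication rule. Only the four supported protocols on their default
! ports cause a login prompt; HTTP on port 8080, for example, would never be
! prompted and would simply fail, so the match list names the default ports.
access-list AAA-AUTHN extended permit tcp 10.1.1.0 255.255.255.0 any eq http
access-list AAA-AUTHN extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list AAA-AUTHN extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list AAA-AUTHN extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
aaa authentication match AAA-AUTHN inside CSM-TACACS

! Authorization rule, evaluated after a successful login. Traffic that matches
! here without also having been authenticated is dropped, so the source range
! is the same one the authentication rule covers.
access-list AAA-AUTHZ extended permit tcp 10.1.1.0 255.255.255.0 any
aaa authorization match AAA-AUTHZ inside CSM-TACACS

! Accounting rule. Records are per user where authentication applies and
! per source IP address otherwise; any TCP or UDP protocol can be accounted.
access-list AAA-ACCT extended permit tcp 10.1.1.0 255.255.255.0 any
access-list AAA-ACCT extended permit udp 10.1.1.0 255.255.255.0 any
aaa accounting match AAA-ACCT inside CSM-TACACS

! ===== IOS: authentication proxy admission control =====
! Authorization and accounting are not separate rules on IOS. They come from
! the server groups set in Firewall > Settings > AAA and apply to every flow
! that is subject to authentication by the proxy.
aaa new-model
tacacs-server host 10.0.0.5 key TACACS-SHARED-SECRET-PLACEHOLDER
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+

! The HTTP server must be enabled and use AAA for the HTTP login page.
ip http server
ip http authentication aaa

! The proxy rule itself: one line per protocol that triggers a login.
ip auth-proxy name CSM-PROXY http
ip auth-proxy name CSM-PROXY ftp
ip auth-proxy name CSM-PROXY telnet

! Apply the proxy on the interface facing the users (assumed interface).
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip auth-proxy CSM-PROXY
```

Reading the two halves side by side shows why shared AAA rules should be split by device type: on the ASA the authorization and accounting scopes are independent access lists, whereas on IOS both follow the set of flows the authentication proxy intercepts and cannot be scoped separately from it.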
Understanding How Users Authenticate
When you create AAA rules to require that users authenticate when trying to make connections through a device, users will be prompted to supply credentials: a username and password. These credentials must be defined in a AAA server or in the local database configured on the device.