15-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter15 Managing Firewall AAA Rules
If you want to exempt some devices from your AAA rules based on their media access control
(MAC) address, click the MAC Exempt List tab to open the AAA Firewall Page, MAC-Exempt List
Tab, page 15-23. Enter a name for the exemption list, and then click the Add Row button and fill in
the Firewall AAA MAC Exempt Setting Dialog Box, page 15-24 to add the MAC address to the table
with a permit rule. You might want to do this for secure, trusted devices.
The order of entries matters, so ensure that any specific entries that are covered by broader entries
come before the broad entries in the table. The device processes the list in order and the first match
is applied to the host. For more detailed information about how the entries on the MAC exempt list
are processed, see AAA Firewall Page, MAC-Exempt List Tab, page 15-23.
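The first-match behavior described above, as an added illustration that is not Cisco Security Manager or ASA code: a small Python evaluator for a MAC exempt list, plus a check that flags entries which an earlier, broader entry shadows. It assumes ASA-style masks (a one bit in the mask means that bit of the host address must equal the entry) and that entries carry a permit or deny action; the entries and host addresses are constructed sample values.

```python
"""Added illustration (not Cisco Security Manager or ASA code) of first-match
MAC exempt list processing and why the order of entries matters."""
from typing import List, NamedTuple, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Parse 'aabb.ccdd.eeff', 'aa:bb:cc:dd:ee:ff' or 'aa-bb-...' into an integer."""
    hexdigits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(hexdigits, 16)


class MacEntry(NamedTuple):
    action: str  # "permit" (exempt from AAA) or "deny" (not exempt); deny assumed to exist
    mac: str
    mask: str    # assumed ASA-style mask: ffff.ffff.ffff = whole address, ffff.ffff.0000 = first 4 octets


def matches(entry: MacEntry, host_mac: str) -> bool:
    """True if the host address equals the entry on every bit the mask selects."""
    m = mac_to_int(entry.mask)
    return (mac_to_int(host_mac) & m) == (mac_to_int(entry.mac) & m)


def first_match(entries: List[MacEntry], host_mac: str) -> Optional[MacEntry]:
    """Walk the list top to bottom and return the first matching entry, like the device does."""
    for entry in entries:
        if matches(entry, host_mac):
            return entry
    return None


def is_exempt(entries: List[MacEntry], host_mac: str) -> bool:
    """A host is exempt only when the first matching entry is a permit; no match means not exempt."""
    hit = first_match(entries, host_mac)
    return hit is not None and hit.action == "permit"


def covers(broad: MacEntry, specific: MacEntry) -> bool:
    """True if every address matched by `specific` is also matched by `broad`."""
    bm, sm = mac_to_int(broad.mask), mac_to_int(specific.mask)
    if (bm & sm) != bm:   # broad checks a bit that specific leaves wild: not a superset
        return False
    return (mac_to_int(broad.mac) & bm) == (mac_to_int(specific.mac) & bm)


def ordering_problems(entries: List[MacEntry]) -> List[Tuple[MacEntry, MacEntry]]:
    """Return (shadowed, shadowing) pairs: entries that can never match because an
    earlier broader entry already catches every address they would match."""
    problems = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if covers(earlier, later):
                problems.append((later, earlier))
                break
    return problems


# Constructed sample list: one untrusted host inside an otherwise trusted vendor block.
TRUSTED_BLOCK = MacEntry("permit", "0011.2233.0000", "ffff.ffff.0000")
UNTRUSTED_HOST = MacEntry("deny", "0011.2233.4455", "ffff.ffff.ffff")

GOOD_ORDER = [UNTRUSTED_HOST, TRUSTED_BLOCK]   # specific entry first, as the guide requires
BAD_ORDER = [TRUSTED_BLOCK, UNTRUSTED_HOST]    # broad entry first: the deny never fires

if __name__ == "__main__":
    for label, entries in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, "exempts 0011.2233.4455:", is_exempt(entries, "0011.2233.4455"))
        for shadowed, by in ordering_problems(entries):
            print("  shadowed:", shadowed, "by earlier entry", by)
```

Running the block shows that the same two entries exempt the untrusted host or not depending purely on their order; the `ordering_problems` check is the kind of review a practitioner would run over an exemption table before deploying it.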
Step 6 If you are configuring authentication rules using a RADIUS server, and you include per-user ACL
configurations in the user profiles, enable per-user downloadable ACLs on the interface. (RADIUS
authentication automatically includes authorization checking.) For information on configuring per-user
ACLs, see the information on configuring RADIUS authorization in the Cisco ASA 5500 Series
Configuration Guide Using the CLI at
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html.
a. Select Firewall > Settings > Access Control (in Device or Policy view) to open the Access Control
Settings Page, page 16-21.
b. Click the Add Row button beneath the interface table and fill in the Firewall ACL Setting Dialog
Box, page 16-23 with at least these options:
Enter the interface or interface role on which you are performing authorization.
Select Per User Downloadable ACLs.
c. Click OK to save your changes.
Configuring AAA Rules for IOS Devices
When you configure AAA rules for an IOS device, you are configuring authentication proxy
(AuthProxy) admission control policies. These policies define who is allowed to make HTTP, HTTPS,
FTP, and Telnet connections through (not to) the device. To fully configure authentication proxy, you
must configure several policies, not just the AAA rules policy.
The following procedure covers all policies you would need to configure to supply full authentication,
authorization, and accounting support for authentication proxy. You do not need to configure options for
features you do not need.
Related Topics
Understanding AAA Rules, page 15-1
Understanding How Users Authenticate, page 15-2
Creating a New Shared Policy, page 5-51
Modifying Policy Assignments in Policy View, page 5-51
Understanding Networks/Hosts Objects, page 6-74
Understanding Interface Role Objects, page 6-67
Understanding and Specifying Services and Service and Port List Objects, page 6-86
Understanding AAA Server and Server Group Objects, page 6-24