User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
AAA Firewall Settings Policies
AAA Page
Use the AAA firewall settings policy to identify the servers and banners to use for the authentication
proxy and to configure non-default timeout values. The authentication proxy for IOS devices is a service
that forces users to log in and authenticate when trying to make HTTP, Telnet, or FTP connections
through an IOS device. The settings you configure here work in conjunction with your AAA rules; your
AuthProxy settings come into play only if a AAA rule requires user authentication for one of these
services.
Ensure that your configuration of this policy is consistent with your Firewall > AAA Rules policy.
Additionally, you must use the Platform > Device Admin > AAA policy to define the AAA server
groups to use for authenticating user access; this policy defines only the authorization and accounting
server groups. If you also want to use authorization proxy for HTTPS access, you must enable SSL and
configure AAA in the Platform > Device Admin > Device Access > HTTP policy in addition to
enabling HTTP authorization proxy in your AAA rules policy.
Tip: You must configure per-user ACLs in your AAA server to define the privileges you want to apply to each
user. When configuring authorization, specify AAA as the service (e.g. service = AAA), with a privilege
level of 15. For more information on configuring the AAA server, including information on configuring
authentication proxy in general, see the “Configuring the Authentication Proxy” section in the Cisco IOS
Security Configuration Guide: Securing User Services, Release 12.4T at
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authen_prxy_ps6441_TSD_Products_Configuration_Guide_Chapter.html.
Navigation Path
To access the AAA page, do one of the following:
(Device view) Select a device, then select Firewall > Settings > AAA from the Policy selector.
(Policy view) Select Firewall > Settings > AAA from the Policy Type selector. Create a new policy
or select an existing one.
(Map view) Right-click a device and select Edit Firewall Settings > AAA.
Related Topics
Understanding AAA Rules, page 15-1
Understanding How Users Authenticate, page 15-2
Configuring AAA Rules for IOS Devices, page 15-7
Field Reference
Table 15-8 AAA Firewall Settings Policy
Element: Virtual IP Address
Description: You use the Virtual IP Address only in communications between the
IOS HTTP authentication and clients. For the system to operate
correctly, the virtual IP address must be set (it cannot be 0.0.0.0), and
no other device on the network can have the same address. Configure
with an unassigned and unused gateway IP address, such as 1.1.1.1.