Cisco PIX 500 Series Configuration Manual page 367

Chapter 19 Applying AAA for Network Access
Configuring Authorization for Network Access

After a user authenticates, the security appliance checks the authorization rules for matching traffic. If the traffic matches the authorization statement, the security appliance sends the username to the TACACS+ server. The TACACS+ server responds to the security appliance with a permit or a deny for that traffic, based on the user profile. The security appliance enforces the authorization rule in the response.

See the documentation for your TACACS+ server for information about configuring network access authorizations for a user.

To configure TACACS+ authorization, perform the following steps:

Step 1 Enable authentication. For more information, see the "Enabling Network Access Authentication" section on page 19-3. If you have already enabled authentication, continue to the next step.

Step 2 Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want to authorize. For steps, see the "Adding an Extended Access List" section on page 16-5.

The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic from authorization. The access list you use for authorization matching should contain rules that are equal to or a subset of the rules in the access list used for authentication matching.

Note: If you have configured authentication and want to authorize all the traffic being authenticated, you can use the same access list you created for use with the aaa authentication match command.

Step 3 To enable authorization, enter the following command:

hostname(config)# aaa authorization match acl_name interface_name server_group

where acl_name is the name of the access list you created in Step 2, interface_name is the name of the interface as specified with the nameif command or by default, and server_group is the AAA server group you created when you enabled authentication.

Note: Alternatively, you can use the aaa authorization include command (which identifies traffic within the command), but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.

The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.

hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound

Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
19-9
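The following Python is an added illustration, not code from the Cisco guide or from the appliance. It models how the access lists named in aaa authentication match and aaa authorization match classify a single flow: a permit ACE that matches first marks the flow for that AAA phase, a deny ACE or no match excludes it, and a flow that the authorization list marks but the authentication list does not is flagged as violating the guide's subset rule. The parser handles only a constructed subset of the ACE grammar (access-list NAME extended permit|deny tcp SRC DST eq PORT, with SRC and DST as any, host A.B.C.D, or A.B.C.D MASK); the TELNET_AUTH_EXEMPT and SSH_AUTHZ access lists in the sample configuration are constructed for the example and are not in the guide.

```python
"""Model of how "aaa authentication match" and "aaa authorization match"
access lists classify a flow (added example, not Cisco code).

Supported ACE grammar (a constructed subset of the real syntax):
  access-list NAME extended {permit|deny} tcp SRC DST eq PORT
  SRC/DST: "any" | "host A.B.C.D" | "A.B.C.D MASK"
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical name table; the real appliance knows many more service names.
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int                      # destination TCP port


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D MASK" form; strict=False tolerates host bits in the address part
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config_text):
    """Group access-list lines by ACL name, preserving ACE order within each ACL."""
    acls = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        name, action, proto = tokens[1], tokens[3], tokens[4]
        if proto != "tcp":
            raise ValueError(f"unsupported protocol in this example: {raw}")
        src, i = _parse_addr(tokens, 5)
        dst, i = _parse_addr(tokens, i)
        if tokens[i] != "eq":
            raise ValueError(f"expected 'eq PORT': {raw}")
        port_tok = tokens[i + 1]
        port = PORT_NAMES.get(port_tok) or int(port_tok)
        acls.setdefault(name, []).append(Ace(action, src, dst, port))
    return acls


def acl_marks(acl, src, dst, port):
    """True when the first matching ACE is a permit, i.e. the flow is marked for
    the AAA phase this ACL belongs to. A deny match, or no match, excludes it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst and port == ace.port:
            return ace.action == "permit"
    return False


def classify(acls, auth_acl, authz_acl, src, dst, port):
    """Which AAA phases the appliance applies to one flow."""
    needs_auth = acl_marks(acls[auth_acl], src, dst, port)
    needs_authz = acl_marks(acls[authz_acl], src, dst, port)
    if needs_authz and not needs_auth:
        # Authorization with no preceding authentication: the guide says the
        # authorization ACL should be equal to or a subset of the auth ACL.
        return "misconfigured: authorize without authenticate"
    if needs_authz:
        return "authenticate+authorize"
    if needs_auth:
        return "authenticate"
    return "none"


def lint_subset(acls, auth_acl, authz_acl, sample_flows):
    """Return the sample flows that the authorization ACL marks but the
    authentication ACL does not (the subset rule violated in practice)."""
    return [f for f in sample_flows
            if classify(acls, auth_acl, authz_acl, *f).startswith("misconfigured")]


# Constructed sample: the guide's two ACLs, plus two constructed ones that show
# a deny exemption and a subset-rule violation.
CONFIG = """
access-list TELNET_AUTH extended permit tcp any any eq telnet
access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
access-list TELNET_AUTH_EXEMPT extended deny tcp host 10.1.1.9 any eq telnet
access-list TELNET_AUTH_EXEMPT extended permit tcp any any eq telnet
access-list SSH_AUTHZ extended permit tcp any host 209.165.201.5 eq ssh
"""

if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    print(classify(acls, "TELNET_AUTH", "SERVER_AUTH", "10.1.2.3", "209.165.201.5", 23))
    print(classify(acls, "TELNET_AUTH", "SERVER_AUTH", "10.1.2.3", "209.165.201.7", 23))
    print(lint_subset(acls, "TELNET_AUTH", "SSH_AUTHZ",
                      [("10.1.2.3", "209.165.201.5", 22)]))
```

With the guide's own ACLs, Telnet to 209.165.201.5 classifies as authenticate+authorize and Telnet to any other server as authenticate only, which is the behaviour the paragraph above describes. The constructed SSH_AUTHZ list marks SSH traffic that TELNET_AUTH never authenticates, so lint_subset reports it; that is the check worth running against a real configuration before pairing an authorization ACL with an authentication ACL.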
