Configuring Aaa; Aaa Overview - Cisco Catalyst 6500 Series Configuration Manual

Configuring AAA

Authentication, authorization, and accounting (AAA) tell the Firewall Services Module (FWSM) who
the user is, what the user can do, and what the user did. This chapter contains the following sections:
•
•
•
•
•
•
•
•
•
•
•
See the
Note
that are allowed for the entire system.

AAA Overview

AAA provides an extra level of protection and control for user access than using ACLs alone. For
example, you can create an ACL allowing all outside users to access Telnet on a server on the DMZ
network. If you want only some users to access the server, and you do not know their IP addresses, you
can enable AAA to allow only authenticated and/or authorized users to make it through the FWSM. (The
Telnet server has its own authentication; the FWSM prevents unauthorized users from attempting to
access the server.)
You can use authentication alone or with authorization and accounting. Authorization always requires a
user to be authenticated first. You can use accounting alone, or with authentication and authorization.
This section includes the following topics:
•
•
OL-6392-01
AAA Overview, page 12-1
Configuring the Local Database, page 12-6
Identifying a AAA Server, page 12-6
Configuring Authentication for CLI Access, page 12-8
Configuring Authentication to Access Privileged Mode, page 12-8
Configuring Command Authorization, page 12-10
Viewing the Current Logged-In User, page 12-18
Recovering from a Lockout, page 12-19
Configuring Authentication for Network Access, page 12-20
Configuring Authorization for Network Access, page 12-23
Configuring Accounting for Network Access, page 12-27
"Rule Limits" section on page A-5
AAA Performance, page 12-2
About Authentication, page 12-2
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
C H A P T E R
for information about the maximum number of AAA rules
12
12-1