Configuring Authorization For Network Access; Configuring Tacacs+ Authorization - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Chapter 17
Applying AAA for Network Access

Configuring Authorization for Network Access

After a user authenticates for a given connection, the FWSM can use authorization to further control
traffic from the user.
This section includes the following topics:
Configuring TACACS+ Authorization, page 17-9
Configuring RADIUS Authorization, page 17-10

Configuring TACACS+ Authorization

You can configure the FWSM to perform network access authorization with TACACS+.
After a user authenticates, the FWSM checks the authorization rules for matching traffic. If the traffic
matches the authorization statement, the FWSM sends the username to the TACACS+ server. The
TACACS+ server responds to the FWSM with information that the FWSM treats as a user-specific,
dynamic access list for that traffic, based on the user profile.

Note
If you have used the access-group command to apply access lists to interfaces, be aware of the following
effects of the per-user-override keyword on authorization by dynamic access lists:
Without the per-user-override keyword, traffic for a user session must be permitted by both the
interface access list and the dynamic access list.
With the per-user-override keyword, the dynamic access list determines what is permitted.
For more information, see the access-group command entry in the Catalyst 6500 Series Switch and
Cisco 7600 Series Router Firewall Services Module Command Reference.

Authentication and authorization statements are independent; however, any unauthenticated traffic
matched by an authorization statement will be denied. For authorization to succeed, a user must first
authenticate with the FWSM.

Note
We suggest that you identify the same traffic for authentication as for authorization. Due to the way the
FWSM uses the dynamic access list, if you have a more restrictive authorization statement than
authentication, then some connections are unexpectedly denied. When a user first authenticates, if the
connection matches the authentication statement and not the authorization statement, then later
connections for that user that match the authorization statement are denied (for as long as the uauth
session exists). Conversely, if the first connection matches the authorization statement, then later
connections that do not match the authorization statement but that match the authentication statement
are denied. Therefore, you need to match the authentication and authorization configurations.

See the documentation for your TACACS+ server for information about configuring network access
authorizations for a user.
To configure TACACS+ authorization, perform the following steps:

Step 1
Enable authentication. For more information, see the "Enabling Network Access Authentication" section
on page 17-3. If you have already enabled authentication, continue to the next step.

Step 2
To enable authorization, enter the following command:

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
17-9
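The interaction between the interface access list, the TACACS+ dynamic access list and the per-user-override keyword, together with the uauth-session pitfall described in the second Note, modeled in Python as an added illustration; this is not FWSM code or Cisco's implementation, and the rule sets, flows and the dynamic access list returned by the TACACS+ server are constructed sample values.

```python
# Added model (not FWSM code) of the rules stated in this section: unauthenticated
# traffic matched by an authorization statement is denied; without per-user-override
# a user's traffic must pass both the interface access list and the dynamic access
# list, with it the dynamic list alone decides; and a uauth session whose first
# connection matched authentication but not authorization (or vice versa) later
# denies the other kind of traffic. Flows are (src_ip, dst_port); rules are
# (src_prefix, dst_port) with "*" as a wildcard.
def matches(rules, flow):
    src, port = flow
    return any((s == "*" or src.startswith(s)) and (p == "*" or p == port)
               for s, p in rules)

class FWSMModel:
    def __init__(self, auth_rules, authz_rules, interface_acl, per_user_override=False):
        self.auth_rules = auth_rules        # traffic selected for authentication
        self.authz_rules = authz_rules      # traffic selected for authorization
        self.interface_acl = interface_acl  # access list applied with access-group
        self.per_user_override = per_user_override
        self.uauth = {}                     # user -> (first_hit_authz, dynamic_acl)

    def connect(self, user, flow, tacacs_dynamic_acl):
        """Return True if the flow is permitted, False if it is denied."""
        needs_auth = matches(self.auth_rules, flow)
        needs_authz = matches(self.authz_rules, flow)
        if user not in self.uauth:
            if needs_authz and not needs_auth:
                return False  # cannot authenticate, so authorization traffic is denied
            if not needs_auth:
                return matches(self.interface_acl, flow)  # ordinary interface ACL check
            # first authenticated connection creates the uauth session; the dynamic ACL
            # is only obtained from TACACS+ when this connection matched authorization
            self.uauth[user] = (needs_authz, tacacs_dynamic_acl if needs_authz else [])
        first_hit_authz, dynamic_acl = self.uauth[user]
        if needs_authz and not first_hit_authz:
            return False  # session has no dynamic ACL: authorization traffic denied
        if first_hit_authz and needs_auth and not needs_authz:
            return False  # session has a dynamic ACL: authentication-only traffic denied
        if not needs_authz:
            return matches(self.interface_acl, flow)
        if self.per_user_override:
            return matches(dynamic_acl, flow)
        return matches(self.interface_acl, flow) and matches(dynamic_acl, flow)

# Constructed sample policy: authenticate all traffic from 10.0.0.0/8 but authorize
# only HTTP; the constructed TACACS+ profile permits HTTP to anywhere.
AUTH_RULES = [("10.", "*")]
AUTHZ_RULES = [("*", 80)]
DYNAMIC_ACL = [("*", 80)]
```

Running a Telnet connection before an HTTP one through the model reproduces the denial the Note warns about, and swapping the interface access list for one that permits only port 22 shows how per-user-override changes the outcome.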
