Configuring Authorization For Network Access; Configuring Tacacs+ Authorization - Cisco PIX 500 Series Configuration Manual

Configuring Authorization for Network Access

For outbound users, there is an explicit permit for traffic, but if you apply an access list to an inside interface, be sure to allow access to the virtual Telnet address. A static statement is not required.
To log out from the security appliance, reconnect to the virtual Telnet IP address; you are prompted to log out.
This example shows how to enable virtual Telnet along with AAA authentication for other services:
hostname(config)# virtual telnet 209.165.202.129
hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.200.225 eq smtp
hostname(config)# access-list ACL-IN remark This is the SMTP server on the inside
hostname(config)# access-list ACL-IN extended permit tcp any host 209.165.202.129 eq telnet
hostname(config)# access-list ACL-IN remark This is the virtual Telnet address
hostname(config)# access-group ACL-IN in interface outside
hostname(config)# static (inside, outside) 209.165.202.129 209.165.202.129 netmask 255.255.255.255
hostname(config)# access-list AUTH extended permit tcp any host 209.165.200.225 eq smtp
hostname(config)# access-list AUTH remark This is the SMTP server on the inside
hostname(config)# access-list AUTH extended permit tcp any host 209.165.202.129 eq telnet
hostname(config)# access-list AUTH remark This is the virtual Telnet address
hostname(config)# aaa authentication match AUTH outside tacacs+
Configuring Authorization for Network Access
After a user authenticates for a given connection, the security appliance can use authorization to further
control traffic from the user.
This section includes the following topics:

Configuring TACACS+ Authorization, page 19-8
Configuring RADIUS Authorization, page 19-10

Configuring TACACS+ Authorization

You can configure the security appliance to perform network access authorization with TACACS+. You identify the traffic to be authorized by specifying access lists that authorization rules must match. Alternatively, you can identify the traffic directly in the authorization rules themselves.

Tip: Using access lists to identify traffic to be authorized can greatly reduce the number of authorization commands you must enter, because each authorization rule you enter can specify only one source and destination subnet and service, whereas an access list can include many entries.

Authentication and authorization statements are independent; however, any unauthenticated traffic matched by an authorization statement will be denied. For authorization to succeed, a user must first authenticate with the security appliance. Because a user at a given IP address only needs to authenticate one time for all rules and types, if the authentication session hasn't expired, authorization can occur even if the traffic is not matched by an authentication statement.

Cisco Security Appliance Command Line Configuration Guide, Chapter 19, Applying AAA for Network Access, page 19-8 (OL-12172-03)
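The following is an added example, not from the guide, of the TACACS+ authorization setup this section describes: an ACL-driven authorization rule alongside the authentication rule it depends on, followed by the equivalent rule-only form for comparison. The server group name TACACS-GRP, the TACACS+ host address, the shared secret and all network addresses are assumed values.

```cisco
! Added example (not from the guide). TACACS-GRP, 10.1.1.10, the key and
! all addresses are assumed values; replace the key with your own secret.
! 1. Server group used for both authentication and authorization.
hostname(config)# aaa-server TACACS-GRP protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server TACACS-GRP (inside) host 10.1.1.10
hostname(config-aaa-server-host)# key PLACEHOLDER-SHARED-SECRET
hostname(config-aaa-server-host)# exit
! 2. Users must authenticate first: unauthenticated traffic that matches an
!    authorization statement is denied. Authenticate outbound web traffic
!    from the inside network.
hostname(config)# access-list AUTHN extended permit tcp 10.1.1.0 255.255.255.0 any eq www
hostname(config)# aaa authentication match AUTHN inside TACACS-GRP
! 3. ACL-based authorization: one "match" statement covers every entry in
!    the list, so both web servers are authorized per user by TACACS+.
hostname(config)# access-list AUTHZ extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.200.225 eq www
hostname(config)# access-list AUTHZ extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.200.226 eq www
hostname(config)# access-list AUTHZ remark Web servers subject to per-user TACACS+ authorization
hostname(config)# aaa authorization match AUTHZ inside TACACS-GRP
! 4. For comparison only (an alternative to step 3, not used in addition
!    to it): identifying the traffic directly in the rule needs one
!    "include" statement per source, destination and service, so the same
!    two servers take two commands instead of one.
hostname(config)# aaa authorization include tcp/80 inside 10.1.1.0 255.255.255.0 209.165.200.225 255.255.255.255 TACACS-GRP
hostname(config)# aaa authorization include tcp/80 inside 10.1.1.0 255.255.255.0 209.165.200.226 255.255.255.255 TACACS-GRP
```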

This manual is also suitable for: ASA 5500 Series