AAA Performance; About Authentication; About Authorization; Chapter 12 Configuring AAA - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide (OL-6392-01), Chapter 12, Configuring AAA, page 12-2

AAA Overview

- About Authorization, page 12-2
- About Accounting, page 12-3
- AAA Server and Local Database Support, page 12-4

AAA Performance

The FWSM uses "cut-through proxy" to significantly speed up performance compared to a traditional proxy server. The performance of a traditional proxy server suffers because it analyzes every packet at the application layer of the Open System Interconnection (OSI) model. The FWSM cut-through proxy challenges a user initially at the application layer and then authenticates against standard Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), or a local database. After the FWSM checks the policy, the FWSM shifts the session flow, and all traffic flows directly and quickly between the two parties while maintaining session state information.

About Authentication

Authentication lets you control access by requiring a valid username and password. You can configure the FWSM to authenticate the following items:

- All administrative connections to the FWSM including the following sessions:
  - Telnet
  - SSH
  - PDM (using HTTPS)
  - VPN management access (see the "Configuring VPN Client Access" section on page 11-7 for more information about using AAA with VPN)
- The enable command
- Network access through the FWSM

A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for timeout values.) For example, if you configure the FWSM to authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the session exists, the user does not also have to authenticate for FTP. See the section on page 12-27 for more information about authentication sessions.

About Authorization

Authorization lets you control access per user after you authenticate with a valid username and password. You can configure the FWSM to authorize the following items:

- Management commands
- Network access through the FWSM

Authorization lets you control which services and commands are available to an individual user. Authentication alone provides the same access to services for all authenticated users.
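
The authenticate-once behavior described under About Authentication, as a small Python model added here for illustration; it is not FWSM code or Cisco's implementation. It assumes an absolute session timeout and that every challenge succeeds, and the addresses, user names, service set and 300-second timeout are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class UauthCache:
    """Toy model of a per-source-IP authentication cache (not FWSM code)."""
    timeout_s: int                                # assumed absolute session lifetime
    sessions: dict = field(default_factory=dict)  # source IP -> (user, expiry time)

    def lookup(self, src_ip, now):
        entry = self.sessions.get(src_ip)
        if entry and now < entry[1]:
            return entry[0]                       # live session: cached user
        self.sessions.pop(src_ip, None)           # absent or expired
        return None

    def login(self, src_ip, user, now):
        self.sessions[src_ip] = (user, now + self.timeout_s)


def replay(connections, authenticated_services, timeout_s):
    """Return (time, ip, service, decision, user) for each connection, in order.
    Assumes every challenge is answered with valid credentials."""
    cache, decisions = UauthCache(timeout_s), []
    for now, src_ip, service, user in connections:
        if service not in authenticated_services:
            decisions.append((now, src_ip, service, "no-auth-rule", None))
            continue
        cached_user = cache.lookup(src_ip, now)
        if cached_user is None:
            cache.login(src_ip, user, now)
            decisions.append((now, src_ip, service, "challenge", user))
        else:
            # The session is keyed by source IP, so the cached identity is reused.
            decisions.append((now, src_ip, service, "cached", cached_user))
    return decisions


# Constructed sample traffic; addresses, user names and the 300 s timeout are assumptions.
SAMPLE = [
    (0,   "10.1.1.5", "telnet", "alice"),   # first connection: challenged
    (60,  "10.1.1.5", "ftp",    "alice"),   # same IP, second rule type
    (90,  "10.1.1.9", "ftp",    "bob"),     # different IP
    (120, "10.1.1.5", "http",   "alice"),   # no authentication rule for HTTP here
    (400, "10.1.1.5", "telnet", "alice"),   # after the session has expired
]

if __name__ == "__main__":
    for row in replay(SAMPLE, {"telnet", "ftp"}, timeout_s=300):
        print(row)
```

Because the cached session is looked up by source address alone, the FTP connection at 60 seconds passes on the Telnet login, and the same address is challenged again only once the timeout has elapsed.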