Configuring Tacacs+ Authorization - Cisco Catalyst 6500 Series Configuration Manual

Chapter 12 Configuring AAA
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 12-24

Configuring Authorization for Network Access

This section includes the following topics:

Configuring TACACS+ Authorization, page 12-24
Configuring RADIUS Authorization, page 12-25

Configuring TACACS+ Authorization

The FWSM lets you configure network access authorization using TACACS+. You can identify the traffic that needs to be authorized either directly in the authorization rule or by matching an ACL name. An authorization rule can include only one source and destination subnet and service, while an ACL can include many entries.

For all traffic that you want to authorize, a user must first authenticate with the FWSM for that traffic. You can choose to authenticate, but not authorize, some traffic; be sure that the authorization rules are equal to or a subset of the authentication rules. See the "Configuring Authentication for Network Access" section on page 12-20 to configure authentication.

After a user authenticates, the FWSM checks the authorization rules for matching traffic. If the traffic matches an authorization statement, the FWSM sends the username to the TACACS+ server. The TACACS+ server responds to the FWSM with a permit or a deny for that traffic, based on the user's profile. See the TACACS+ server documentation for information about configuring network access restrictions for a user.

To configure authorization, enter the following command:

FWSM/contexta(config)# aaa authorization match acl_name interface_name server_group

Identify the source addresses and destination addresses using an extended ACL. Create the ACL using the access-list command (see the "Adding an Extended Access Control List" section on page 10-13). The permit access control entries (ACEs) mark matching traffic for authorization, while deny entries exclude matching traffic from authorization.

Note: You can alternatively use the aaa authorization include command (which identifies the traffic within the command itself). However, you cannot use both methods in the same configuration. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information.

The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 is authenticated only, but traffic to 209.165.201.5 also requires authorization:

FWSM/contexta(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
FWSM/contexta(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
FWSM/contexta(config)# aaa-server AuthOutbound protocol tacacs+
FWSM/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.1 TheUauthKey
FWSM/contexta(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
FWSM/contexta(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
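The guide's caveat that authorization rules must be equal to or a subset of the authentication rules is easy to get wrong once several ACLs are in play, and the FWSM does not check it for you. The following script is an added example, not part of the Cisco guide: it parses the access-list and aaa ... match lines of a configuration (the page's own example plus a constructed, deliberately mis-scoped FTP_AUTHZ ACL) and reports every permit ACE in an authorization ACL whose traffic is not also marked for authentication on the same interface. It models only the simple ACE form used in this chapter (any, host, address/mask, and the eq operator); the ACL name FTP_AUTHZ, the host 209.165.201.6 and the function names are assumptions made for the example.

```python
"""Check that FWSM authorization ACLs are covered by the authentication ACLs.

Added example, not taken from the Cisco guide. It understands only the
'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' form used
in this chapter and the 'aaa authentication|authorization match ...'
commands; other ACL operators (range, object-group, ...) are not modelled.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the page's example plus one extra authorization ACL
# (FTP_AUTHZ, assumed name) that is NOT covered by the authentication ACL.
SAMPLE_CONFIG = """
access-list TELNET_AUTH extended permit tcp any any eq telnet
access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
access-list FTP_AUTHZ extended permit tcp any host 209.165.201.6 eq ftp
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.1 TheUauthKey
aaa authentication match TELNET_AUTH inside AuthOutbound
aaa authorization match SERVER_AUTH inside AuthOutbound
aaa authorization match FTP_AUTHZ inside AuthOutbound
"""

PORT_NAMES = {"telnet": 23, "ftp": 21, "ssh": 22, "http": 80, "https": 443}
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)$")
AAA_RE = re.compile(r"^aaa\s+(authentication|authorization)\s+match\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # destination port; None means any port
    text: str            # original line, used in reports


def _take_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A', or 'A MASK' and return the network plus the rest."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _take_port(tokens: List[str]) -> Optional[int]:
    """Read an optional trailing 'eq PORT' operator (service name or number)."""
    if len(tokens) >= 2 and tokens[0] == "eq":
        return PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])
    return None


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one extended ACE line; return None for any other line."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, proto, rest = m.groups()
    tokens = rest.split()
    src, tokens = _take_addr(tokens)
    if tokens and tokens[0] == "eq":  # source-port operator: skipped, not modelled
        tokens = tokens[2:]
    dst, tokens = _take_addr(tokens)
    return Ace(acl, action, proto, src, dst, _take_port(tokens), line.strip())


def parse_config(text: str):
    """Return ({acl_name: [Ace, ...]}, [(kind, acl, interface, server_group), ...])."""
    acls, aaa = {}, []
    for line in text.splitlines():
        ace = parse_ace(line)
        if ace is not None:
            acls.setdefault(ace.acl, []).append(ace)
            continue
        m = AAA_RE.match(line.strip())
        if m:
            aaa.append(m.groups())
    return acls, aaa


def covers(outer: Ace, inner: Ace) -> bool:
    """True if every flow matched by `inner` is also matched by `outer`."""
    return (outer.proto in ("ip", inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.port is None or outer.port == inner.port))


def check_authorization_coverage(config_text: str) -> List[str]:
    """Report authorization ACEs whose traffic is not also marked for authentication.

    For each 'aaa authorization match', the authentication ACLs bound to the same
    interface are walked in order; the first ACE that fully covers the authorization
    ACE decides (permit = covered, deny = excluded). Partial overlaps count as
    uncovered, which errs on the safe side.
    """
    acls, aaa = parse_config(config_text)
    problems = []
    for kind, acl, iface, _group in aaa:
        if kind != "authorization":
            continue
        auth_aces = [a for k, auth_acl, auth_iface, _ in aaa
                     if k == "authentication" and auth_iface == iface
                     for a in acls.get(auth_acl, [])]
        for ace in acls.get(acl, []):
            if ace.action != "permit":
                continue  # deny ACEs only exclude traffic from authorization
            decided = next((a for a in auth_aces if covers(a, ace)), None)
            if decided is None or decided.action != "permit":
                problems.append(f"{iface}: '{ace.text}' is authorized but not authenticated")
    return problems


if __name__ == "__main__":
    for p in check_authorization_coverage(SAMPLE_CONFIG):
        print("WARNING:", p)
```

Run against the sample, the script accepts SERVER_AUTH (Telnet to one host is a subset of Telnet to any host) and flags FTP_AUTHZ, because no authentication rule marks FTP traffic, so the FWSM would never have a username to send to the TACACS+ server for that flow. Treating partial overlaps as uncovered is deliberate: the check should complain rather than silently approve a rule it cannot prove is a subset.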
