Cisco FirePOWER ASA 5500 series Configuration Manual page 338

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 19-6
Chapter 19 Applying AAA for Network Access

Configuring Authorization for Network Access

Tip Using access lists to identify traffic to be authorized can greatly reduce the number of authorization commands you must enter. This is because each authorization rule you enter can specify only one source and destination subnet and service, whereas an access list can include many entries.

Authentication and authorization statements are independent; however, any unauthenticated traffic matched by an authorization statement will be denied. For authorization to succeed, a user must first authenticate with the security appliance. Because a user at a given IP address only needs to authenticate one time for all rules and types, if the authentication session hasn't expired, authorization can occur even if the traffic is matched by an authentication statement.

After a user authenticates, the security appliance checks the authorization rules for matching traffic. If the traffic matches an authorization statement, the security appliance sends the username to the TACACS+ server. The TACACS+ server responds to the security appliance with a permit or a deny for that traffic, based on the user profile. The security appliance enforces the authorization rule in the response.

See the documentation for your TACACS+ server for information about configuring network access authorizations for a user.

To configure TACACS+ authorization, perform the following steps:

Step 1 Enable authentication. For more information, see the "Enabling Network Access Authentication" section on page 19-3. If you have already enabled authentication, continue to the next step.

Step 2 Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want to authorize. For steps, see the "Adding an Extended Access List" section on page 16-5.

The permit ACEs mark matching traffic for authorization, while deny entries exclude matching traffic from authorization. The access list you use for authorization matching should contain rules that are equal to or a subset of the rules in the access list used for authentication matching.

Note If you have configured authentication and want to authorize all the traffic being authenticated, you can use the same access list you created for use with the aaa authentication match command.

Step 3 To enable authorization, enter the following command:

hostname(config)# aaa authorization match acl_name interface_name server_group

where acl_name is the name of the access list you created in Step 2, interface_name is the name of the interface as specified with the nameif command or by default, and server_group is the AAA server group you created when you enabled authentication.

Note Alternatively, you can use the aaa authorization include command (which identifies traffic within the command), but you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.

The following commands authenticate and authorize inside Telnet traffic. Telnet traffic to servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
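The guide's own command listing for this Telnet scenario is not on this page; the configuration below is an added example that walks Steps 1 to 3 for that scenario and is not the guide's text. The server group name AuthOutbound, the ACL names TELNET_AUTH and TELNET_AUTHZ, the TACACS+ server address 10.1.1.1 and the shared secret are constructed placeholders.

```cisco
! Added example, not the guide's listing. All names and addresses below are constructed.
!
! Step 1: TACACS+ server group reachable on the inside interface (secret is a placeholder).
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.1
 key <placeholder-shared-secret>
!
! Authentication ACL: every Telnet session from the inside must authenticate.
access-list TELNET_AUTH extended permit tcp any any eq telnet
aaa authentication match TELNET_AUTH inside AuthOutbound
!
! Step 2: authorization ACL. It is a subset of TELNET_AUTH, so nothing it matches
! can be unauthenticated; an authorization ACL broader than the authentication ACL
! would cause the unauthenticated traffic it matches to be denied.
access-list TELNET_AUTHZ extended permit tcp any host 209.165.201.5 eq telnet
!
! Step 3: authorization on the same interface and server group used for authentication.
! Telnet to other servers is authenticated only; Telnet to 209.165.201.5 is also
! checked against the user's TACACS+ profile.
aaa authorization match TELNET_AUTHZ inside AuthOutbound
!
! Verification: show uauth lists the currently authenticated users and their
! source addresses, which is the session state the authorization check depends on.
```

Because aaa authorization match and aaa authorization include cannot be combined in one configuration, this example uses only the match form.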