Cisco ASA Series Cli Configuration Manual page 1044

Configuring Authorization for Network Access
Command
Step 5
aaa local authentication attempts max-fail number
Example:
hostname(config)# aaa local authentication attempts
max-fail 7
Step 6
access-list
Example:
hostname(config)# access-list TELNET_AUTH extended
permit tcp any any eq telnet
Step 7
aaa authorization match acl_name interface_name
server_group
Example:
hostname(config)# aaa authentication match
TELNET_AUTH inside AuthOutbound
Examples
The following example authenticates and authorizes inside Telnet traffic. Telnet traffic to servers other
than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq
telnet
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
Cisco ASA Series CLI Configuration Guide
1-16
Chapter 1 Configuring AAA Rules for Network Access
Purpose
(Optional) Uses the local database for network
access authentication and limits the number of
consecutive failed login attempts that the ASA
allows any given user account (with the exception of
users with a privilege level of 15. This feature does
not affect level 15 users). The number argument
value is between 1 and 16.
Tip
To clear the lockout status of a specific user
or all users, use the clear aaa local user
lockout command.
Create an access list that identifies the source
addresses and destination addresses of traffic that
you want to authorize. For instructions, see
Chapter 1, "Adding an Extended Access Control
List."
The permit ACEs mark matching traffic for
authorization, while deny entries exclude matching
traffic from authorization. The access list that you
use for authorization matching should include rules
that are equal to or a subset of the rules in the access
list used for authentication matching.
Note
If you have configured authentication and
want to authorize all the traffic being
authenticated, you can use the same access
list that you created for use with the aaa
authentication match command.
Enables authorization.
The acl_name argument is the name of the access
list you created in Step 6, the interface_name
argument is the name of the interface as specified
with the nameif command or by default, and the
server_group argument is the AAA server group that
you created when you enabled authentication.
Note
Alternatively, you can use the aaa
authorization include command (which
identifies traffic within the command) but
you cannot use both methods in the same
configuration. See the command reference
for more information.