Cisco 7604 Configuration Guide - Page 353
Configuring Authorization for Network Access, Configuring TACACS+ Authorization
Chapter 17 Applying AAA for Network Access
Configuring Authorization for Network Access

Configuring Authorization for Network Access

After a user authenticates for a given connection, the FWSM can use authorization to further control traffic from the user.

This section includes the following topics:
• Configuring TACACS+ Authorization, page 17-9
• Configuring RADIUS Authorization, page 17-10

Configuring TACACS+ Authorization

You can configure the FWSM to perform network access authorization with TACACS+. After a user authenticates, the FWSM checks the authorization rules for matching traffic. If the traffic matches the authorization statement, the FWSM sends the username to the TACACS+ server. The TACACS+ server responds to the FWSM with information that the FWSM treats as a user-specific, dynamic access list for that traffic, based on the user profile.

Note If you have used the access-group command to apply access lists to interfaces, be aware of the following effects of the per-user-override keyword on authorization by dynamic access lists:
• Without the per-user-override keyword, traffic for a user session must be permitted by both the interface access list and the dynamic access list.
• With the per-user-override keyword, the dynamic access list determines what is permitted.
For more information, see the access-group command entry in the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.

Authentication and authorization statements are independent; however, any unauthenticated traffic matched by an authorization statement will be denied. For authorization to succeed, a user must first authenticate with the FWSM.

Note We suggest that you identify the same traffic for authentication as for authorization. Due to the way the FWSM uses the dynamic access list, if you have a more restrictive authorization statement than authentication, then some connections are unexpectedly denied. When a user first authenticates, if the connection matches the authentication statement and not the authorization statement, then later connections for that user that match the authorization statement are denied (for as long as the uauth session exists). Conversely, if the first connection matches the authorization statement, then later connections that do not match the authorization statement but that match the authentication statement are denied. Therefore, you need to match the authentication and authorization configurations.

See the documentation for your TACACS+ server for information about configuring network access authorizations for a user.

To configure TACACS+ authorization, perform the following steps:

Step 1 Enable authentication. For more information, see the "Enabling Network Access Authentication" section on page 17-3. If you have already enabled authentication, continue to the next step.

Step 2 To enable authorization, enter the following command:

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 17-9
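As an added illustration of the two notes in this section (a constructed Python model, not Cisco code and not part of this guide), the following reproduces the decision the FWSM makes for a later connection of an already authenticated user: the per-user-override effect on interface versus dynamic access lists, and the uauth mismatch that causes unexpected denials when the authorization statement is narrower than the authentication statement. Access lists are simplified to (action, destination, port) tuples with "*" as a wildcard, and all hosts and list names are hypothetical.

```python
# Constructed Python model (not Cisco code) of the FWSM per-user authorization
# behaviour described in this section. A flow is (dst, port); ACL entries are
# (action, dst, port) with "*" as a wildcard, first match wins, implicit deny at end.
from collections import namedtuple

def acl_permits(acl, flow):
    """True if the first matching entry permits the flow; no match means deny."""
    dst, port = flow
    for action, adst, aport in acl:
        if adst in ("*", dst) and aport in ("*", port):
            return action == "permit"
    return False

# uauth: state of one authenticated user session: whether the session's first
# connection matched the authorization statement, and the dynamic ACL from TACACS+.
Uauth = namedtuple("Uauth", "first_conn_matched_authz dynamic_acl")

def decide(flow, iface_acl, authn_acl, authz_acl, uauth, per_user_override=False):
    """Decision for a later connection of an already authenticated user: (permitted, reason)."""
    in_authn = acl_permits(authn_acl, flow)   # matched by the authentication statement
    in_authz = acl_permits(authz_acl, flow)   # matched by the authorization statement
    # Second Note: a uauth session serves either authz traffic or authn-only traffic, not both.
    if in_authz and not uauth.first_conn_matched_authz:
        return False, "authz traffic denied: uauth was created by a non-authz connection"
    if in_authn and not in_authz and uauth.first_conn_matched_authz:
        return False, "authn-only traffic denied: uauth was created by an authz connection"
    if in_authz:
        if not acl_permits(uauth.dynamic_acl, flow):
            return False, "denied by dynamic (per-user) access list"
        if per_user_override:   # first Note: the dynamic ACL alone decides
            return True, "permitted by dynamic access list (per-user-override)"
    if not acl_permits(iface_acl, flow):   # otherwise the interface ACL must also permit
        return False, "denied by interface access list"
    return True, "permitted by interface access list" + (" and dynamic access list" if in_authz else "")

AUTHN_ACL = [("permit", "*", "*")]              # constructed: authenticate all traffic
AUTHZ_NARROW = [("permit", "10.1.1.5", 80)]     # constructed: authorize only web to one host
IFACE_ACL = [("permit", "*", 80), ("permit", "*", 22)]
DYNAMIC_ACL = [("permit", "10.1.1.5", "*")]     # constructed per-user ACL from the TACACS+ profile

def web_after_ssh(authz_acl):
    """User's first connection was SSH to 10.1.1.5, then the user opens web to the same host."""
    first_matched_authz = acl_permits(authz_acl, ("10.1.1.5", 22))
    session = Uauth(first_matched_authz, DYNAMIC_ACL)
    return decide(("10.1.1.5", 80), IFACE_ACL, AUTHN_ACL, authz_acl, session)

def https_with_override(per_user_override):
    """HTTPS is absent from the interface ACL but permitted by the user's dynamic ACL."""
    session = Uauth(True, DYNAMIC_ACL)
    return decide(("10.1.1.5", 443), IFACE_ACL, AUTHN_ACL, AUTHN_ACL, session, per_user_override)
```

With the narrow authorization list, web_after_ssh(AUTHZ_NARROW) is refused even though the interface and dynamic lists both permit the web connection; with the same list used for both statements, web_after_ssh(AUTHN_ACL) is permitted.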