Chapter 12
Configuring AAA
Configuring the RADIUS Server to Download Per-User Access Control List Names
To download a name for an ACL that you already created on the FWSM from the RADIUS server when
a user authenticates, configure RADIUS attribute 11 (filter-id) as follows:
filter-id=acl_name
See the "Adding an Extended Access Control List" section on page 10-13 to create an ACL on the
FWSM.
Configuring Accounting for Network Access
The FWSM can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP
traffic that passes through the FWSM. If that traffic is also authenticated, then the AAA server can
maintain accounting information by username. If the traffic is not authenticated, the AAA server can
maintain accounting information by IP address. Accounting information includes when sessions start
and stop, the AAA client messages and username, the number of bytes that pass through the FWSM for
the session, the service used, and the duration of each session.
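The paragraph above lists what the AAA server receives (session start and stop, username, byte counts, service, duration) and states that records are keyed by username only when the traffic was authenticated, and by IP address otherwise. The following Python is an added example, not part of the FWSM guide, that reconstructs sessions on the accounting-server side from Start/Stop records and applies exactly that keying rule. The one-record-per-line "Key=Value" format, the sample records, and the use of User-Name, Framed-IP-Address and a "Service" key to carry the fields the guide describes are constructed assumptions for this example (the attribute names other than "Service" are the standard RFC 2866 accounting attributes); how a particular RADIUS server writes its detail file is not taken from the page.

```python
"""Reconstruct accounting sessions from RADIUS Start/Stop records.

Added example, not code from the FWSM configuration guide. The record format
is a constructed "Key=Value Key=Value ..." line per RADIUS accounting packet;
attribute names follow RFC 2866 except "Service", which is assumed here to
carry the service field the guide says is included in accounting data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: alice and bob were authenticated (User-Name present);
# session 0003 was not, so it can only be attributed to an IP address;
# 0002 has no Stop yet and 0004 has a Stop with no Start.
SAMPLE_RECORDS = """\
Acct-Status-Type=Start Acct-Session-Id=0001 User-Name=alice Framed-IP-Address=10.1.2.3 Service=telnet Event-Timestamp=1700000000
Acct-Status-Type=Start Acct-Session-Id=0002 User-Name=bob Framed-IP-Address=10.1.2.4 Service=telnet Event-Timestamp=1700000050
Acct-Status-Type=Stop Acct-Session-Id=0001 User-Name=alice Framed-IP-Address=10.1.2.3 Acct-Session-Time=120 Acct-Input-Octets=4096 Acct-Output-Octets=1024 Event-Timestamp=1700000120
Acct-Status-Type=Start Acct-Session-Id=0003 Framed-IP-Address=10.1.2.9 Service=http Event-Timestamp=1700000200
Acct-Status-Type=Stop Acct-Session-Id=0003 Framed-IP-Address=10.1.2.9 Acct-Session-Time=60 Acct-Input-Octets=512 Acct-Output-Octets=2048 Event-Timestamp=1700000260
Acct-Status-Type=Stop Acct-Session-Id=0004 User-Name=carol Framed-IP-Address=10.1.2.5 Acct-Session-Time=5 Acct-Input-Octets=100 Acct-Output-Octets=100 Event-Timestamp=1700000300
"""


@dataclass
class Session:
    session_id: str
    principal: str            # username if authenticated, else the IP address
    by_username: bool
    service: Optional[str] = None
    start: Optional[int] = None
    stop: Optional[int] = None
    duration: Optional[int] = None
    input_octets: int = 0
    output_octets: int = 0

    @property
    def total_octets(self) -> int:
        return self.input_octets + self.output_octets

    @property
    def closed(self) -> bool:
        return self.start is not None and self.stop is not None


def parse_record(line: str) -> Dict[str, str]:
    """Split one constructed 'Key=Value ...' line into a dict."""
    attrs: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        attrs[key] = value
    return attrs


def principal_for(attrs: Dict[str, str]) -> Tuple[str, bool]:
    """The guide's rule: account by username when the traffic was
    authenticated, otherwise fall back to the IP address."""
    user = attrs.get("User-Name")
    if user:
        return user, True
    return attrs.get("Framed-IP-Address", "unknown"), False


def reconstruct_sessions(text: str) -> Dict[str, Session]:
    """Pair Start and Stop records by Acct-Session-Id into Session objects."""
    sessions: Dict[str, Session] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attrs = parse_record(line)
        sid = attrs["Acct-Session-Id"]
        sess = sessions.get(sid)
        if sess is None:
            principal, by_user = principal_for(attrs)
            sess = Session(sid, principal, by_user, attrs.get("Service"))
            sessions[sid] = sess
        ts = int(attrs["Event-Timestamp"])
        status = attrs["Acct-Status-Type"]
        if status == "Start":
            sess.start = ts
        elif status == "Stop":
            sess.stop = ts
            # Prefer the NAS-reported duration; derive it from timestamps otherwise.
            sess.duration = int(attrs.get("Acct-Session-Time", ts - (sess.start or ts)))
            sess.input_octets = int(attrs.get("Acct-Input-Octets", 0))
            sess.output_octets = int(attrs.get("Acct-Output-Octets", 0))
    return sessions


def incomplete_sessions(sessions: Dict[str, Session]) -> List[str]:
    """Sessions missing a Start or a Stop: their byte counts and duration
    cannot be trusted, so an auditor should review them separately."""
    return sorted(sid for sid, s in sessions.items() if not s.closed)


def bytes_by_principal(sessions: Dict[str, Session]) -> Dict[str, int]:
    """Total octets per username (authenticated) or per IP (unauthenticated)."""
    totals: Dict[str, int] = {}
    for s in sessions.values():
        totals[s.principal] = totals.get(s.principal, 0) + s.total_octets
    return totals


if __name__ == "__main__":
    sessions = reconstruct_sessions(SAMPLE_RECORDS)
    for sid, s in sorted(sessions.items()):
        print(sid, s.principal, "user" if s.by_username else "ip", s.service, s.duration, s.total_octets)
    print("incomplete:", incomplete_sessions(sessions))
    print("bytes:", bytes_by_principal(sessions))
```

Session 0003 shows the fallback the guide describes: with no username in the record it is attributed to 10.1.2.9, which is the most the server can do for unauthenticated traffic.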
To configure accounting, enter the following command:
FWSM/contexta(config)# aaa accounting match acl_name interface_name server_group
Identify the source addresses and destination addresses using an extended ACL. Create the ACL using
the access-list command (see the "Adding an Extended Access Control List" section on page 10-13).
The permit access control entries (ACEs) mark matching traffic for accounting, while deny entries
exclude matching traffic from accounting.
Note    You can alternatively use the aaa accounting include command (which identifies traffic within the
command). However, you cannot use both methods in the same configuration. See the Catalyst 6500
Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more
information.
The following commands authenticate, authorize, and account for inside Telnet traffic. Telnet traffic to
servers other than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires
authorization and accounting:
FWSM/contexta(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
FWSM/contexta(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
FWSM/contexta(config)# aaa-server AuthOutbound protocol tacacs+
FWSM/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.1 TheUauthKey
FWSM/contexta(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
FWSM/contexta(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
FWSM/contexta(config)# aaa accounting match SERVER_AUTH inside AuthOutbound
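To check that a match ACL selects the traffic you intend before committing it, it helps to evaluate the configuration above offline. The following Python is an added example, not code from the guide or from Cisco: it parses the subset of access-list syntax the example uses (any, host, address/netmask, eq port), applies the first-match rule the guide states (a permit ACE marks traffic for the AAA function, a deny ACE excludes it, no match means not selected), and reports which of authentication, authorization and accounting apply to a given flow under the three aaa ... match commands shown. The ACE parser, the Flow model and the extra deny ACL used to demonstrate exclusion are assumptions of this example; the FWSM's own ACL matching is more complete than this subset.

```python
"""Evaluate which AAA functions the guide's sample configuration applies to a flow.

Added example, not code from the FWSM configuration guide. Implements only the
access-list syntax the guide's example uses plus address/netmask pairs; the
first-match, permit-marks / deny-excludes semantics are those the guide states.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Well-known port names accepted after "eq" (small subset, assumed for the demo).
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443, "ftp": 21}


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dst_port: int


def _take_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse the body of an extended ACE, e.g. 'permit tcp any host 209.165.201.5 eq telnet'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, i = _take_addr(tokens, 2)
    dst, i = _take_addr(tokens, i)
    port = None
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return Ace(action, proto, src, dst, port)


def acl_marks(acl: List[Ace], flow: Flow) -> bool:
    """First match wins: permit marks the flow for the AAA function, deny
    excludes it, and a flow matching no ACE is not selected at all."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dst_port is not None and ace.dst_port != flow.dst_port:
            continue
        return ace.action == "permit"
    return False


# The two ACLs from the guide's example configuration.
ACLS: Dict[str, List[Ace]] = {
    "TELNET_AUTH": [parse_ace("permit tcp any any eq telnet")],
    "SERVER_AUTH": [parse_ace("permit tcp any host 209.165.201.5 eq telnet")],
    # Constructed extra ACL showing how a deny ACE excludes one host's traffic.
    "TELNET_EXCEPT_ADMIN": [
        parse_ace("deny tcp host 10.1.1.5 any eq telnet"),
        parse_ace("permit tcp any any eq telnet"),
    ],
}

# (function, acl_name, interface_name) as in the guide's aaa ... match commands.
AAA_RULES = [
    ("authentication", "TELNET_AUTH", "inside"),
    ("authorization", "SERVER_AUTH", "inside"),
    ("accounting", "SERVER_AUTH", "inside"),
]


def aaa_functions(flow: Flow, interface: str, rules=AAA_RULES, acls=ACLS) -> List[str]:
    """Return the sorted AAA functions that apply to a flow entering an interface."""
    return sorted({fn for fn, acl, ifc in rules if ifc == interface and acl_marks(acls[acl], flow)})


if __name__ == "__main__":
    for dst, port in (("209.165.201.5", 23), ("10.2.2.2", 23), ("209.165.201.5", 80)):
        print(dst, port, aaa_functions(Flow("tcp", "10.1.2.3", dst, port), "inside"))
```

Running it against the guide's configuration reproduces the behaviour the text describes: Telnet to 209.165.201.5 gets all three functions, Telnet to any other server is authenticated only, and non-Telnet traffic to 209.165.201.5 is not selected by any aaa command.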
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
12-27