Configuring Authorization for Network Access
hostname(config)# aaa authorization match acl_name interface_name server_group
where acl_name is the name of the access list you created for authentication, interface_name is the name
of the interface as specified with the nameif command or by default, and server_group is the AAA server
group you created when you enabled authentication.
The following commands authenticate and authorize inside Telnet traffic.
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match TELNET_AUTH inside AuthOutbound
Configuring RADIUS Authorization
When authentication succeeds, the RADIUS protocol returns user authorizations in the access-accept
packet sent by a RADIUS server. For more information about configuring authentication, see the
"Configuring Authentication for Network Access" section on page
When you configure the FWSM to authenticate users for network access, you are also implicitly enabling
RADIUS authorizations; therefore, this section contains no information about configuring RADIUS
authorization on the FWSM. It does provide information about how the FWSM handles dynamic,
user-specific access list information received from RADIUS servers.
You can configure a RADIUS server to download an access list to the FWSM or an access list name at
the time of authentication. The user is authorized to do only what is permitted in the dynamic access list.
Note If you have used the access-group command to apply access lists to interfaces, be aware of the following
effects of the per-user-override keyword on authorization by dynamic access lists:
• Without the per-user-override keyword, traffic for a user session must be permitted by both the
interface access list and the dynamic access list.
• With the per-user-override keyword, the dynamic access list determines what is permitted.
For more information, see the access-group command entry in the Catalyst 6500 Series Switch and
Cisco 7600 Series Router Firewall Services Module Command Reference.
This section includes the following topics:
• Configuring a RADIUS Server to Download Per-User Access Control Lists, page 17-10
• Configuring a RADIUS Server to Download Per-User Access Control List Names, page 17-12
Configuring a RADIUS Server to Download Per-User Access Control Lists
This section describes how to configure Cisco Secure ACS or a third-party RADIUS server, and includes
the following topics:
• Configuring Cisco Secure ACS for Downloadable Access Lists, page 17-11
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 17 Applying AAA for Network Access
OL-20748-01
17-10
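The effect of the per-user-override keyword described in the Note above is easiest to see with the two evaluation orders side by side. The following Python model is an added example, not FWSM code or any Cisco tool. It parses per-user access list entries in the cisco-av-pair form ip:inacl#N=<ace> that a RADIUS server returns in the access-accept (the page does not show that attribute format, so its use here is an assumption), evaluates each list first-match with an implicit deny as the FWSM does, and then applies the interface list and the downloaded list to a few flows. The user name jdoe, the addresses, the access lists and the flows are constructed sample data.

```python
"""Model of how the FWSM combines an interface access list with a per-user
access list downloaded from RADIUS, with and without per-user-override.
Added illustration, not FWSM code; all ACLs, flows and the user are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PORT_NAMES = {"telnet": 23, "www": 80, "http": 80}


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or a CIDR network
    dst: str
    dport: Optional[int]   # None matches any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if not _addr_in(self.src, f.src) or not _addr_in(self.dst, f.dst):
            return False
        return self.dport is None or self.dport == f.dport


def _addr_in(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def _take_addr(tokens: list) -> str:
    """Consume one ACE address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return tokens.pop(0) + "/32"
    return str(ip_network((tok, tokens.pop(0)), strict=False))


def parse_inacl(av_pairs: list) -> list:
    """Parse cisco-av-pair values 'ip:inacl#N=<ace>' into an ordered ACL.
    Entries are ordered by N; other AV pairs are ignored."""
    entries = []
    for pair in av_pairs:
        key, _, ace_text = pair.partition("=")
        if not key.startswith("ip:inacl#"):
            continue
        seq = int(key[len("ip:inacl#"):])
        tokens = ace_text.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append((seq, Ace(action, proto, src, dst, dport)))
    return [ace for _, ace in sorted(entries)]


def acl_permits(acl: list, f: Flow) -> bool:
    """First matching entry wins; implicit deny at the end, as on the FWSM."""
    for ace in acl:
        if ace.matches(f):
            return ace.action == "permit"
    return False


def permitted(interface_acl: list, dynamic_acl: list, f: Flow,
              per_user_override: bool) -> bool:
    """Authorization result for an authenticated user's flow.
    Without per-user-override both lists must permit the traffic; with it the
    downloaded per-user list alone decides."""
    if per_user_override:
        return acl_permits(dynamic_acl, f)
    return acl_permits(interface_acl, f) and acl_permits(dynamic_acl, f)


# Constructed sample: interface list bound with access-group on the inside
# interface; like TELNET_AUTH above, it permits only Telnet.
INSIDE_ACL = [Ace("permit", "tcp", "any", "any", 23)]

# Constructed sample: per-user list returned in the RADIUS access-accept for jdoe.
RADIUS_AV_PAIRS = [
    "ip:inacl#1=permit tcp any host 10.2.2.2 eq www",
    "ip:inacl#2=permit tcp any 10.3.0.0 255.255.0.0 eq telnet",
]
JDOE_ACL = parse_inacl(RADIUS_AV_PAIRS)

FLOWS = {
    "telnet to 10.3.3.3": Flow("tcp", "10.1.1.50", "10.3.3.3", 23),
    "http to 10.2.2.2": Flow("tcp", "10.1.1.50", "10.2.2.2", 80),
    "http to 10.3.3.3": Flow("tcp", "10.1.1.50", "10.3.3.3", 80),
}


def decisions(per_user_override: bool) -> dict:
    """Permit/deny result per constructed flow for jdoe in the given mode."""
    return {name: permitted(INSIDE_ACL, JDOE_ACL, f, per_user_override)
            for name, f in FLOWS.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"per-user-override={mode}: {decisions(mode)}")
```

Running the model shows the point of the Note: HTTP to 10.2.2.2 is denied without per-user-override, because the interface list permits only Telnet, but is permitted with per-user-override, because the downloaded list alone is consulted. In other words, with per-user-override the RADIUS server can widen a user's access beyond what the interface access list allows, so the contents of the downloadable lists (and the integrity of the AAA server) carry the full weight of the policy; without it, the interface list remains a floor that the per-user list can only narrow.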