User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Node—The display name of the device on which an override of the policy object is defined. If the
policy object is defined on the global level, the field is empty. When importing objects, if the display
name does not match a device already in the Security Manager inventory, the object is skipped and
not imported.
Description—The description of the object, if any.
Category—The category identifier of the object, if any. The category ID is from 10 to 19.
Allow Override—Whether the object can be overridden. True if the policy object can be overridden
on device level, False (or an empty field) if not.
Group—The names of other policy objects with the same type referenced by this policy object. If
there is more than one object, they are separated by commas. For example, network building block
Net1 references network building block Net2 and Net3. The Group field of Net1 would have
“Net2,Net3” as its value.
Data—The content of the object.
Subtype—The object subtype, if any, for network/host and service objects. For an explanation of
network/host and service object types, see Understanding Networks/Hosts Objects, page 6-74 and
Understanding and Specifying Services and Service and Port List Objects, page 6-86. Possible
values are:
Blank, or space—The object is a group object, either network/host or service.
NH—(Network/host objects only.) Single host network/host object.
NF—(Network/host objects only.) Single fully-qualified domain name (FQDN) network/host
object.
NN—(Network/host objects only.) Single network address network/host object.
NR—(Network/host objects only.) Single address range network/host object.
SO—(Service objects only.) Single-service service object.
If there is no value for a particular field, that field is blank in the output. If there are multiple values for
a field, the field is enclosed in double quotation marks.
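Before importing an export file it is worth checking it against the rules above rather than discovering skipped rows afterwards. The following Python script is an added example, not Cisco Security Manager code: it parses constructed sample rows in the layout the page describes, applies the field rules (a Node that is not a known device means the row is skipped, Category 10 to 19, the Subtype codes, Allow Override as True or False/blank, comma-separated Group values wrapped in double quotes) and reports Group references that no exported row defines. The two column names that precede Node (Name, Type), the sample rows and the device inventory are assumptions for the demo; the page describes only the fields from Node onward.

```python
"""Checker for the policy-object export format described above.

Added example, not Cisco Security Manager code. Assumed (not from the page):
the Name and Type column names that precede Node, the sample rows, and the
device inventory. The remaining field rules follow the page text.
"""
import csv
import io

# Column order assumed for this example; Name and Type are assumed names,
# the rest are the fields described on the page, in the page's order.
FIELDS = ["Name", "Type", "Node", "Description", "Category",
          "Allow Override", "Group", "Data", "Subtype"]

# Subtype codes listed on the page. Blank or a single space means a group.
SUBTYPES = {
    "": "group",
    " ": "group",
    "NH": "network/host: single host",
    "NF": "network/host: single FQDN",
    "NN": "network/host: single network address",
    "NR": "network/host: single address range",
    "SO": "service: single service",
}

# Constructed sample export. Empty fields are blank; the multi-value Group
# field is wrapped in double quotes, as the page describes.
SAMPLE_EXPORT = """\
Net1,Network/Host,,Lab aggregate,12,True,"Net2,Net3",,
Net2,Network/Host,,,12,,,10.0.1.0/24,NN
Net3,Network/Host,,,12,,,10.0.2.7,NH
Net2,Network/Host,edge-fw-1,Override on edge-fw-1,12,,,10.0.9.0/24,NN
Net4,Network/Host,decommissioned-fw,Stale override,12,,,10.0.4.0/24,NN
Svc1,Service,,,15,False,,tcp/443,SO
Grp2,Network/Host,,,12,,Net9,,
Bad1,Network/Host,,,12,,,10.0.5.0/24,XX
"""

# Constructed inventory of device display names known to Security Manager.
INVENTORY = {"edge-fw-1", "core-fw-1"}


def parse_export(text, inventory):
    """Return (accepted, problems).

    accepted: one dict per row the importer would accept, with Allow
    Override as a bool, Group as a list and Subtype expanded.
    problems: (name, node, reason) for rows that would be skipped on
    import or that carry a value the page does not allow.
    """
    accepted, problems = [], []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        name, node = row["Name"], row["Node"]
        # Node: blank means the global object; otherwise it must name a
        # device in the inventory or the importer skips the object.
        if node and node not in inventory:
            problems.append((name, node, "node not in inventory; skipped"))
            continue
        # Category ID, when present, must be 10 to 19.
        cat = row["Category"]
        if cat and not (cat.isdigit() and 10 <= int(cat) <= 19):
            problems.append((name, node, f"category {cat!r} outside 10-19"))
            continue
        # Subtype must be one of the listed codes (blank or space = group).
        if row["Subtype"] not in SUBTYPES:
            problems.append((name, node, f"unknown subtype {row['Subtype']!r}"))
            continue
        # Allow Override: "True", or "False"/blank meaning not overridable.
        row["Allow Override"] = row["Allow Override"] == "True"
        # Group: comma-separated names of same-type objects; the csv module
        # has already stripped the double quotes around multi-value fields.
        row["Group"] = [g for g in row["Group"].split(",") if g]
        row["Subtype"] = SUBTYPES[row["Subtype"]]
        accepted.append(row)
    return accepted, problems


def unresolved_references(accepted):
    """Names referenced in a Group field that no accepted row defines."""
    defined = {r["Name"] for r in accepted}
    return sorted({g for r in accepted for g in r["Group"] if g not in defined})


if __name__ == "__main__":
    ok, bad = parse_export(SAMPLE_EXPORT, INVENTORY)
    for r in ok:
        print(f"accept {r['Name']:<5} node={r['Node'] or 'global':<16} "
              f"{r['Subtype']:<40} group={r['Group']}")
    for name, node, reason in bad:
        print(f"reject {name:<5} node={node or 'global':<16} {reason}")
    print("unresolved group references:", unresolved_references(ok))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and INVENTORY with the display names from the Security Manager device inventory; rows listed as rejected are the ones the importer would silently skip (Node mismatch) or that carry a value outside the documented set.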
Understanding AAA Server and Server Group Objects
You use AAA server objects to identify the AAA servers used in your network. AAA enables devices to
determine who the user is (authentication), what the user is permitted to do (authorization), and what the
user actually did (accounting), as described below:
Authentication—Authentication is the way a user is identified before being allowed access to the
network and network services. It controls access by requiring valid user credentials, which are
typically a username and password. All authentication methods, except for local, line password, and
enable authentication, must be defined through AAA. You can use authentication alone or with
authorization and accounting.
Authorization—After authentication is complete, authorization controls the services and commands
available to each authenticated user. Authorization works by assembling a set of attributes that
describe what the user is authorized to perform. These attributes are compared to the information
contained in a database for a given user and the result is returned to AAA to determine the user’s
actual capabilities and restrictions. The database can be located locally on the access server or router
or it can be hosted remotely on a RADIUS or TACACS+ security server. If you do not use
authorization, authentication alone gives every authenticated user the same access to services.
Authorization must always be used together with authentication.
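To make the distinction concrete, here is an added Python example (not Cisco Security Manager code) of the two steps as a toy AAA backend: a local user database stands in for the RADIUS or TACACS+ server the text mentions, authenticate() checks the credentials with a salted hash and a constant-time comparison, and authorize() compares the requested command with the user's stored attributes and denies anything that does not match. The use_authorization=False path models the caveat above: with authentication alone, every authenticated user gets the same access. The users, passwords, command patterns and the "commands" attribute name are constructed for the demo.

```python
"""Authentication, then authorization, as the text describes them.

Added example, not Cisco Security Manager code. The user database, the
passwords, the command patterns and the "commands" attribute name are all
constructed for this demo; a local dict stands in for the RADIUS/TACACS+
server that would normally hold the user records.
"""
import hashlib
import hmac
import os
import re

ROUNDS = 100_000  # PBKDF2 iterations; raise in real deployments


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)


def make_user(password, commands):
    """Store a salted password hash plus the authorization attributes
    (here: regexes of commands the user may run)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "commands": commands}


# Constructed user database (assumed users and passwords).
USERS = {
    "netops": make_user("correct horse", [r"^show .*", r"^configure .*"]),
    "auditor": make_user("battery staple", [r"^show .*"]),
}


def authenticate(users, username, password):
    """Who is the user? True only for a valid username/password pair.

    A hash is computed even for unknown users and compared in constant
    time, so response timing does not reveal which usernames exist."""
    rec = users.get(username)
    salt = rec["salt"] if rec else bytes(16)
    expected = rec["hash"] if rec else bytes(32)
    valid = hmac.compare_digest(_hash(password, salt), expected)
    return valid and rec is not None


def authorize(users, username, command, use_authorization=True):
    """What may the user do? Compare the requested command with the
    user's stored attributes; deny by default when nothing matches.

    use_authorization=False models the caveat in the text: with
    authentication alone, every authenticated user gets the same access."""
    if not use_authorization:
        return True
    rec = users.get(username)
    if rec is None:
        return False
    return any(re.match(p, command) for p in rec["commands"])


def session(users, username, password, command, use_authorization=True):
    """Full flow: authenticate first, then authorize the requested command.
    Returns 'denied-auth', 'denied-authz' or 'permitted'."""
    if not authenticate(users, username, password):
        return "denied-auth"
    if not authorize(users, username, command, use_authorization):
        return "denied-authz"
    return "permitted"


if __name__ == "__main__":
    for user, pw, cmd in [("netops", "correct horse", "configure terminal"),
                          ("auditor", "battery staple", "configure terminal"),
                          ("auditor", "battery staple", "show version"),
                          ("auditor", "wrong", "show version")]:
        print(f"{user:<8} {cmd:<20} {session(USERS, user, pw, cmd)}")
    print("auditor without authorization:",
          session(USERS, "auditor", "battery staple", "configure terminal",
                  use_authorization=False))
```

The "auditor without authorization" line is the point of the example: the same valid credentials that are refused "configure terminal" under authorization are accepted once the authorization step is removed, which is exactly why the text insists that authorization is always paired with authentication.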