13-25
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 13 Managing Identity-Aware Firewall Policies
Configuring Identity-Aware Firewall Policies
(Policy view) Select Firewall > AAA Rules from the Policy Type selector. Select an existing policy or create a new one.
Step 3 Create the following rules using the Add Row button. For detailed information about the fields in the Add AAA Rules dialog box, see Add and Edit AAA Rule Dialog Boxes, page 15-13.
Tip You can use more specific source, destination, or service specifications than the ones shown here.
Rule 1: Do not force users who have already authenticated to authenticate again.
Select the Authentication Action and User-Identity options.
Action = Deny. For AAA authentication rules, “deny” means the user is not prompted for authentication; it does not mean the user’s traffic is dropped.
Sources = any.
Users = all-auth-users.
For users, all-auth-users means any user who has already authenticated to Active Directory and for whom the firewall holds an IP-to-user mapping.
Destination = any.
Services = IP.
AAA Server Group = (no selection).
Interface = (your choice, typically inside interfaces).
Rule 2: Authenticate users who have not been authenticated yet.
Select the Authentication Action and User-Identity options.
Action = Permit. This action requires matching users to authenticate.
Users = all-unauth-users.
In this case, all-unauth-users means any user who has not already authenticated to Active Directory (that is, any source address with no IP-to-user mapping).
All other options are identical to the first rule.
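As an added illustration that is not part of the Security Manager guide, the following Python models how the firewall evaluates the two rules above in order against its IP-to-user mapping table; the rule fields, the mapping table, the flows and all function names are constructed assumptions for the demonstration:

```python
# Constructed illustration (not Cisco Security Manager or ASA code): first-match
# evaluation of the two AAA authentication rules against an IP-to-user table.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed identity table: source IP -> Active Directory user. A source with
# no entry here is, from the firewall's point of view, not yet authenticated.
IP_USER_MAP = {"10.1.1.10": "EXAMPLE\\alice"}


@dataclass
class AAARule:
    action: str         # "permit" = prompt for authentication, "deny" = do not prompt
    users: str          # "all-auth-users", "all-unauth-users", or one specific user
    source: str = "0.0.0.0/0"       # Sources = any
    destination: str = "0.0.0.0/0"  # Destination = any
    service: str = "ip"             # Services = IP (matches every protocol)


# Rule 1 before Rule 2, exactly as the procedure above orders them.
RULES = [
    AAARule("deny", "all-auth-users"),      # already mapped to a user: no re-prompt
    AAARule("permit", "all-unauth-users"),  # no mapping yet: must authenticate
]


def user_matches(spec: str, user) -> bool:
    """Match the rule's Users field against the user learned for the source IP."""
    if spec == "all-auth-users":
        return user is not None
    if spec == "all-unauth-users":
        return user is None
    return user is not None and user.lower() == spec.lower()


def evaluate(rules, src_ip: str, dst_ip: str, service: str = "ip", ip_user_map=None) -> str:
    """Return 'authenticate' or 'skip' from the first matching rule, else 'no-match'.
    Note the AAA semantics: a 'deny' rule only suppresses the prompt; whether the
    traffic is forwarded is decided separately by the access rules."""
    ip_user_map = IP_USER_MAP if ip_user_map is None else ip_user_map
    user = ip_user_map.get(src_ip)
    for rule in rules:
        if ip_address(src_ip) not in ip_network(rule.source):
            continue
        if ip_address(dst_ip) not in ip_network(rule.destination):
            continue
        if rule.service != "ip" and rule.service != service:
            continue
        if not user_matches(rule.users, user):
            continue
        return "authenticate" if rule.action == "permit" else "skip"
    return "no-match"
```

Once a user authenticates, the firewall adds the mapping for that source IP, so the next flow from it hits Rule 1 and is not prompted again.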
Collecting User Statistics
You can collect user statistics accounting information for identity-based firewall policies. These statistics are kept for users to which a firewall policy is applied based on username or user group membership.
Related Topics
Requirements for Identity-Aware Firewall Policies, page 13-3
Configuring the Firewall to Provide Identity-Aware Services, page 13-7
IPS, QoS, and Connection Rules Page, page 56-5
Configuring Traffic Flow Objects, page 56-16