Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15
Managing Firewall AAA Rules
You can use Authentication, Authorization, and Accounting (AAA) rules to control access to network
resources based on user privileges rather than by IP addresses. If you configure authentication rules,
users must enter a username and password whenever they attempt to access a network behind the
protected device. After a user is authenticated, you can further require that the user account be checked
to ensure the user is authorized for network access. Finally, you can use accounting rules to track access for
billing, security, or resource allocation purposes.
AAA rule configuration is complex and requires that you configure more than just the AAA rules policy.
The following topics explain AAA rules in greater detail and include procedures that explain not only
the AAA rules policy configuration but also what you must configure in related policies:
Understanding AAA Rules, page 15-1
Understanding How Users Authenticate, page 15-2
Configuring AAA Rules for ASA, PIX, and FWSM Devices, page 15-4
Configuring AAA Rules for IOS Devices, page 15-7
AAA Rules Page, page 15-10
AAA Firewall Settings Policies, page 15-19
The following topics can help you with general rule table usage:
Adding and Removing Rules, page 12-9
Editing Rules, page 12-9
Enabling and Disabling Rules, page 12-20
Moving Rules and the Importance of Rule Order, page 12-19
Understanding AAA Rules
You can use Authentication, Authorization, and Accounting (AAA) rules to control access to network
resources based on user privileges rather than by IP addresses. AAA rules provide a different type of
control than traditional access rules: whereas access rules let you control which IP addresses
and services are allowed, AAA rules let you configure ACLs for each user to define the
authorization available on a per-user basis, regardless of the IP address from which the user connects.
(These per-user ACLs are configured in the AAA server, not in the AAA rule defined on the device.)
AAA rules policies differ from other device platform AAA policies in that AAA rules apply to traffic
that is passing through the device, not to traffic directed specifically at the device. By using AAA rules,
you can control entry into, or out of, a network. This might be useful if you have a network segment that