15-5
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
Configuring AAA Rules for ASA, PIX, and FWSM Devices
(Device view) Select Firewall > AAA Rules from the Policy selector.
(Policy view) Select Firewall > AAA Rules from the Policy Type selector. Select an existing policy or create a new one.
Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and select Add Row. This opens the Add and Edit AAA Rule Dialog Boxes, page 15-13.
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select an existing row and edit either the entire row or specific cells. For more information, see Editing Rules, page 12-9.
Step 3 Configure the rule. Following are the highlights of what you typically need to decide. For specific information on configuring the fields, see Add and Edit AAA Rule Dialog Boxes, page 15-13.
Authentication (with or without User-Identity), Authorization, or Accounting Action—Select the options applicable for this rule. Authentication prompts the user for a username and password when attempting HTTP, HTTPS, FTP, or Telnet access. Authorization is an additional level, where after the user authenticates, the AAA server is checked to ensure that the user is authorized for that type of access. Accounting generates usage records in the AAA server and can be used for billing, security, or resource allocation purposes. You can generate accounting information for any TCP or UDP traffic.
When you select Authentication, you can also select User-Identity (ASA 8.4(2+) only). This option indicates that the ASA should use the Active Directory servers configured in the identity-firewall domain mappings to authenticate users (see Identifying Active Directory Servers and Agents, page 13-8). If the user enters a domain name, the AD server associated with the domain is queried. Otherwise, the AD server associated with the default domain is queried. When you select User-Identity, and you do not select Authorization or Accounting, do not specify a AAA server group.
Permit or Deny—Whether you are subjecting the identified traffic to AAA control (permit) or you are exempting it from AAA control (deny). Any denied traffic is not prompted for authentication and is allowed to pass unauthenticated, although your access rules might drop the traffic.
Source and Destination addresses—If the rule should apply no matter which addresses generated the traffic or their destinations, use “All-Addresses” as the source or destination. If the rule is specific to a host or network, enter the addresses or network/host objects. For information on the accepted address formats, see Specifying IP Addresses During Policy Definition, page 6-81.
Source and Destination Security Groups (ASA 9.0+ only)—You can specify TrustSec security groups used to filter traffic in addition to the source and destination addresses. See Selecting Security Groups in Policies, page 14-13, Configuring TrustSec-Based Firewall Rules, page 14-13, and Creating Security Group Objects, page 14-12 for more information about security groups.
Source Users (ASA 8.4.2+ only)—You can further define the traffic source by specifying Active Directory (AD) user names (in the format NetBIOS_DOMAIN\username), user groups (NetBIOS_DOMAIN\\user_group), or identity user group objects that define the names and groups. The user specification is conjoined to the source address to limit the match to user addresses within the source address range. For more information, see Configuring Identity-Based Firewall Rules, page 13-21 and Creating Identity User Group Objects, page 13-19.
Services—You can specify any type of service for authentication and authorization rules; however, the user is prompted to authenticate only for HTTP, HTTPS, FTP, and Telnet connections. Thus, if you specify something other than these services, the user must first attempt one of these connections
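The device-side configuration that a rule set built along the lines of Step 3 produces on an ASA, shown here as an added illustration that is not taken from the user guide or generated by Security Manager; the interface name, server group, ACL names, addresses and shared secret are all assumed.

```cisco
! Added example (not from the Cisco user guide): ASA CLI equivalent of an
! AAA rule set as described in Step 3. All names and addresses are assumed.
!
! AAA server group referenced by the authentication/authorization/accounting rules.
aaa-server AAA-SRV protocol tacacs+
aaa-server AAA-SRV (inside) host 10.10.10.10
 key <shared-secret-placeholder>
!
! Authentication rule. In the match ACL, "permit" subjects traffic to AAA
! and "deny" exempts it. The exempt host is listed first because the ACL is
! evaluated top-down. Only www/https/ftp/telnet trigger the interactive
! prompt, so those are the services listed.
access-list AAA-AUTH extended deny   tcp host 192.0.2.50 any eq www
access-list AAA-AUTH extended permit tcp 192.0.2.0 255.255.255.0 any eq www
access-list AAA-AUTH extended permit tcp 192.0.2.0 255.255.255.0 any eq https
access-list AAA-AUTH extended permit tcp 192.0.2.0 255.255.255.0 any eq ftp
access-list AAA-AUTH extended permit tcp 192.0.2.0 255.255.255.0 any eq telnet
aaa authentication match AAA-AUTH inside AAA-SRV
!
! Authorization rule: after authentication, the server is asked whether the
! user may use this service. The exempt host is excluded here as well.
access-list AAA-AUTHZ extended deny   tcp host 192.0.2.50 any eq www
access-list AAA-AUTHZ extended permit tcp 192.0.2.0 255.255.255.0 any eq www
aaa authorization match AAA-AUTHZ inside AAA-SRV
!
! Accounting rule: usage records can be generated for any TCP or UDP traffic.
access-list AAA-ACCT extended permit tcp 192.0.2.0 255.255.255.0 any
access-list AAA-ACCT extended permit udp 192.0.2.0 255.255.255.0 any
aaa accounting match AAA-ACCT inside AAA-SRV
!
! Exempted (deny) traffic passes unauthenticated. If it should be blocked,
! that decision belongs to the interface access rule, not the AAA rule.
access-list INSIDE-IN extended deny   tcp host 192.0.2.50 any eq www
access-list INSIDE-IN extended permit ip 192.0.2.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
!
! User-Identity variant (ASA 8.4(2)+): authenticate against the AD servers of
! the identity-firewall domain mappings; no server group is named.
! aaa authentication match AAA-AUTH inside user-identity
```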