15-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
Configuring AAA Rules for IOS Devices
Step 1 Do one of the following to open the AAA Rules Page, page 15-10:
  • (Device view) Select Firewall > AAA Rules from the Policy selector.
  • (Policy view) Select Firewall > AAA Rules from the Policy Type selector. Select an existing policy or create a new one.

Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and select Add Row. This opens the Add and Edit AAA Rule Dialog Boxes, page 15-13.

Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select an existing row and edit either the entire row or specific cells. For more information, see Editing Rules, page 12-9.

Step 3 Configure the rule. Following are the highlights of what you typically need to decide. For specific information on configuring the fields, see Add and Edit AAA Rule Dialog Boxes, page 15-13.
  • Authentication Action—Select this option. Authentication rules are the only type of rule you can configure in the AAA rules policy for IOS devices.
  • Permit or Deny—Whether you are subjecting the identified traffic to AAA control (permit) or you are exempting it from AAA control (deny). Any denied traffic is not prompted for authentication and is allowed to pass unauthenticated, although your access rules might drop the traffic.
  • Source and Destination addresses—If the rule should apply no matter which addresses generated the traffic or their destinations, use “All-Addresses” as the source or destination. If the rule is specific to a host or network, enter the addresses or network/host objects. For information on the accepted address formats, see Specifying IP Addresses During Policy Definition, page 6-81.
  • Source and Destination Security Groups (ASA 9.0+ only)—You can specify TrustSec security groups used to filter traffic in addition to the source and destination addresses. See Selecting Security Groups in Policies, page 14-13, Configuring TrustSec-Based Firewall Rules, page 14-13 and Creating Security Group Objects, page 14-12 for more information about security groups.
  • Source Users (ASA 8.4.2+ only)—You can further define the traffic source by specifying Active Directory (AD) user names (in the format NetBIOS_DOMAIN\username), user groups (NetBIOS_DOMAIN\\user_group), or identity user group objects that define the names and groups. The user specification is conjoined to the source address to limit the match to user addresses within the source address range. For more information, see Configuring Identity-Based Firewall Rules, page 13-21 and Creating Identity User Group Objects, page 13-19.
  • Services—You can specify any type of service for authentication and authorization rules; however, the user is prompted to authenticate only for HTTP, HTTPS, FTP, and Telnet connections. Thus, if you specify something other than these services, the user must first attempt one of these connections and successfully authenticate (and be authorized, if you include that action) before any other types of connections are allowed. For accounting rules, you can specify any TCP or UDP service (or simply TCP and UDP themselves), if you want to account for all types of traffic.
  • Interfaces—The interface or interface role for which you are configuring the rule.
  • Service triggering the authentication proxy—Select the checkboxes for the type of traffic you want to trigger user authentication: HTTP, FTP, or Telnet. You can select any combination. If you want to trigger the proxy for HTTPS support, select HTTP and perform the HTTPS configuration that is explained in a subsequent step in this procedure.

Click OK when you are finished defining your rule.
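The following is an added illustration, not part of the original guide and not configuration generated by Cisco Security Manager: it is a hand-written IOS authentication proxy configuration showing what an authentication rule of the kind defined in Step 3 amounts to on the device. The rule name (AAA-RULE-1), the access list number, the addresses, the interface and the TACACS+ server are all assumed placeholders. The deny entry in the access list corresponds to a Deny row (traffic exempt from AAA control), the permit entry to a Permit row (traffic subject to authentication), and the three ip auth-proxy lines to the HTTP, FTP and Telnet trigger checkboxes.

```cisco
! Added example: hand-written IOS authentication-proxy configuration that
! corresponds to an AAA authentication rule as described in Step 3.
! It is NOT output generated by Cisco Security Manager. Rule name, ACL
! number, addresses, interface and AAA server are assumed placeholders.
!
! AAA infrastructure the rule depends on (assumed TACACS+ server).
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.0.2.10 key PLACEHOLDER_KEY
!
! The HTTP server must be enabled with AAA authentication so that the
! HTTP trigger can present a login page to the user.
ip http server
ip http authentication aaa
!
! Access list implementing the rule's Permit/Deny semantics:
!   deny   = traffic exempt from authentication (passes without a prompt,
!            still subject to the interface access rules)
!   permit = traffic subject to authentication
! Here an assumed monitoring host is exempted and the rest of
! 10.1.1.0/24 is subject to AAA control for any destination.
access-list 110 deny   ip host 10.1.1.50 any
access-list 110 permit ip 10.1.1.0 0.0.0.255 any
!
! One auth-proxy line per triggering service selected in the rule
! (HTTP, FTP, Telnet); "list 110" binds the rule to the matching traffic.
ip auth-proxy auth-cache-time 60
ip auth-proxy name AAA-RULE-1 http list 110
ip auth-proxy name AAA-RULE-1 ftp list 110
ip auth-proxy name AAA-RULE-1 telnet list 110
!
! Apply the rule on the interface the rule was defined for (assumed).
interface GigabitEthernet0/0
 description Inside (assumed interface for the rule)
 ip address 10.1.1.1 255.255.255.0
 ip auth-proxy AAA-RULE-1
```

This configuration behaves as the Services bullet describes: a host in 10.1.1.0/24 (other than the exempted 10.1.1.50) that first opens, for example, an SSH connection is not prompted and is not passed through; the user has to open an HTTP, FTP or Telnet session, authenticate, and only then (for the auth-cache-time) are other connections from that address allowed. On the device, show ip auth-proxy cache lists the addresses that currently hold an authenticated entry, which is the quickest way to verify that a Permit row is prompting and a Deny row is not.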