Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
Configuring AAA Rules for IOS Devices
Step 4 If you did not select the right row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. For more information, see Moving Rules and the
Importance of Rule Order, page 12-19.
Step 5 Select Firewall > Settings > AuthProxy (in Device or Policy view) to open the AAA Page, page 15-25.
Configure the authentication proxy settings:
• Authorization server groups—If you want all of your authentication rules to also perform user
  authorization, specify the list of AAA server group policy objects that identify the TACACS+ or
  RADIUS servers that control authorization. You can also specify LOCAL to use the user database
  defined on the device. If you do not specify a server group, authorization is not performed.

  Tip: You must configure per-user ACLs in your AAA server to define the privileges you want to apply
  to each user. When configuring authorization, specify auth-proxy as the service (e.g. service =
  auth-proxy), with a privilege level of 15. For more information on configuring the AAA server,
  including information on configuring authentication proxy in general, see the “Configuring the
  Authentication Proxy” section in the Cisco IOS Security Configuration Guide: Securing User
  Services, Release 12.4T at
  http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authen_prxy_ps6441_TSD_Products_Configuration_Guide_Chapter.html.
• Accounting server groups—If you want to perform accounting for all of your authentication rules,
  specify the list of AAA server group policy objects that identify the TACACS+ or RADIUS servers
  that perform accounting. If you do not specify a server group, no accounting is performed. When
  performing accounting, also configure the following options as appropriate:
  – If you specify more than one server group, consider selecting Use Broadcast for Accounting.
    This option sends accounting records to the primary server in each server group.
  – The Accounting Notice option defines when the server is notified. The default is to notify the
    server at the start and stop of a connection, but you can select to only send stop notices (or none
    at all).
• You can also customize authentication banners for each service, and on the Timeout tab, you can
  change the default idle and absolute session timeouts globally or for each interface.
Step 6 Select Platform > Device Admin > AAA (in policy view, this is in the Router Platform folder) to open
the AAA Policy Page, page 60-6. Configure these options on the Authentication tab:
• Select Enable Device Login Authentication.
• Enter the list of server groups that will control authentication in priority order. Typically, you will
  use at least some of the same LDAP, RADIUS, or TACACS+ server groups used in the AuthProxy
  policy. However, this policy also defines device login control, so you might want to include some
  other server groups. For more information, see AAA Page—Authentication Tab, page 60-6.
Step 7 If you are using the authentication proxy with HTTP connections, and you also want to use the proxy
with HTTPS connections, select Platform > Device Admin > Device Access > HTTP (in policy view,
this is in the Router Platform folder) to open the HTTP Policy Page, page 60-31. Configure these
options:
• Select Enable HTTP and Enable SSL if they are not already selected.
• On the AAA tab, ensure that the configuration for login access to the device is appropriate. If you
  are using AAA to control access through the device, you might want to use it for access to the device.
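
The following is an added example, not part of the Cisco guide: a small check that reads a deployed IOS running configuration and reports where it falls short of the settings chosen in Steps 5 through 7. The mapping from Security Manager options to the standard IOS commands shown is an assumption, and the sample configuration (rule, interface and server group names) is constructed.

```python
import re

# Constructed sample running-config; rule, interface and group names are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+ group radius
ip http server
ip http authentication aaa
ip auth-proxy name WEBAUTH http
interface GigabitEthernet0/1
 ip auth-proxy WEBAUTH
"""

def audit_auth_proxy(config: str) -> list:
    """Return findings where the config falls short of Steps 5-7."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    def first(pattern: str):
        # re.match anchors at line start, so "no ip http server" never matches.
        return next((ln for ln in lines if re.match(pattern, ln)), None)

    findings = []
    # Step 5: no authorization server group means authorization is not performed.
    if not first(r"aaa authorization auth-proxy \S+ "):
        findings.append("authorization: no auth-proxy method list")
    # Step 5: accounting server groups, notice type, and broadcast.
    acct = first(r"aaa accounting auth-proxy \S+ ")
    if acct is None:
        findings.append("accounting: no auth-proxy method list")
    else:
        words = acct.split()
        if "none" in words:
            findings.append("accounting: notice set to none")
        elif words.count("group") > 1 and "broadcast" not in words:
            findings.append("accounting: multiple groups without broadcast")
    # Step 6: device login authentication must be enabled.
    if not first(r"aaa authentication login \S+ "):
        findings.append("login: no login authentication method list")
    # Step 7: HTTPS interception needs the secure server as well as HTTP.
    if not first(r"ip http server$"):
        findings.append("http: HTTP server not enabled")
    if not first(r"ip http secure-server$"):
        findings.append("https: secure server not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit_auth_proxy(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample it reports the missing broadcast keyword for the two accounting groups and the disabled HTTPS server.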