Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
AAA Rules Page
Table 15-2 Add and Edit AAA Rules Dialog Boxes (Continued)

Element: Description

Destinations: Provide traffic destinations for this rule; can be networks or security groups. As with Sources, you can enter values or object names, or Select objects, for one or more destinations of Network and Security Group (ASA 9.0+) type.

Services: The services that define the type of traffic upon which to act. You can enter or Select any combination of service objects and service types (which are typically a protocol and port combination).

Enter more than one value by separating the items with commas.

It is important that you select the service type carefully based on the device type:

- For IOS devices, only the protocols you select with the authorization proxy check boxes at the bottom of the dialog box are used for AAA control, so you can use IP as the protocol.
- For ASA, PIX, and FWSM devices, although you can force authentication for any type of traffic, the security appliance prompts only for HTTP/HTTPS, FTP, and Telnet traffic. If you specify a service other than one of these, users are prevented from making any connection through the appliance until they try one of these services and successfully authenticate.

If the rule is only for accounting, you can specify any TCP or UDP protocols for which you want to create records.

For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 6-86.

Note: Due to an issue in PIX 6.3 and FWSM devices, if you specify a service with a source port, no traffic is authenticated. Therefore, source ports are ignored when the CLI is generated from your rule for these device types.

Interface: The interface or interface role object that identifies the interface from which to authenticate, authorize, or account users. Enter the name of the interface or interface role, or click Select to select it from a list or to create a new interface role object.

For authentication rules on ASA and PIX devices, you can modify how this interface authenticates HTTP/HTTPS traffic by using the Firewall > Settings > AAA Firewall policy. Configuring the interface as an HTTP/HTTPS listening port can improve the authentication experience for users. For more information, see Understanding How Users Authenticate, page 15-2 and AAA Firewall Settings Page, Advanced Setting Tab, page 15-19.

Description: An optional description of the rule (up to 1024 characters).
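The device-specific caveats in the Services and Description rows above can be checked before a rule is deployed. The following is an added example, not code from Cisco or from the manual: the Service and AAARule classes, the finding codes and the sample rules are hypothetical, and it assumes the four prompting services run on their default TCP ports and that the accounting-only check applies to ASA, PIX and FWSM rules.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: the four prompting services are matched by their default TCP ports.
PROMPTING = {80: "HTTP", 443: "HTTPS", 21: "FTP", 23: "Telnet"}
APPLIANCES = {"ASA", "PIX", "FWSM"}

@dataclass
class Service:                      # hypothetical model of one service entry
    protocol: str                   # "tcp", "udp", "ip", ...
    dest_port: Optional[int] = None
    source_port: Optional[int] = None

@dataclass
class AAARule:                      # hypothetical model of one AAA rule
    device: str                     # "IOS", "ASA", "PIX" or "FWSM"
    version: str
    actions: frozenset              # of "authentication", "authorization", "accounting"
    services: tuple
    description: str = ""

def prompts(svc):
    """True if the appliance would prompt the user for this service."""
    return svc.protocol == "tcp" and svc.dest_port in PROMPTING

def review(rule):
    """Return (code, detail) findings for one rule, following the table above."""
    out = []
    dev = rule.device.upper()
    if dev in APPLIANCES and "authentication" in rule.actions:
        silent = [s for s in rule.services if not prompts(s)]
        if silent:
            out.append(("NO_PROMPT", f"{len(silent)} service(s) never trigger a prompt; users "
                        "are blocked until they authenticate over HTTP/HTTPS, FTP or Telnet"))
    if dev == "FWSM" or (dev == "PIX" and rule.version.startswith("6.3")):
        if any(s.source_port is not None for s in rule.services):
            out.append(("SOURCE_PORT_IGNORED", "source ports are left out of the generated CLI"))
    if dev in APPLIANCES and rule.actions == frozenset({"accounting"}):
        if any(s.protocol not in ("tcp", "udp") for s in rule.services):
            out.append(("ACCOUNTING_PROTOCOL", "accounting-only rules take TCP or UDP services"))
    if len(rule.description) > 1024:
        out.append(("DESCRIPTION_TOO_LONG", f"{len(rule.description)} > 1024 characters"))
    return out

# Constructed sample rules, not taken from any real policy.
SAMPLES = [
    AAARule("ASA", "9.0", frozenset({"authentication"}), (Service("tcp", 443), Service("tcp", 22))),
    AAARule("FWSM", "3.2", frozenset({"authentication"}), (Service("tcp", 80, source_port=1024),)),
    AAARule("IOS", "15.1", frozenset({"authentication"}), (Service("ip"),)),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.device, r.version, [code for code, _ in review(r)])
```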