Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
AAA Rules Page
Table 15-2 Add and Edit AAA Rules Dialog Boxes (Continued)

Element
    Description

    The Authentication Action, Authorization Action, and Accounting Action check boxes define the types of rules that will be generated on the device. Each type generates a separate set of commands, but if you select more than one option, your other selections in this dialog box are limited to those supported by all selected actions.

    You can right-click the Action cell in an existing AAA rule and choose Edit Action to change your selections. See Edit AAA Option Dialog Box, page 15-18 for more information.

Authentication Action
User-Identity
    Authentication—Users must supply a user name and password to make a connection through the device. For ASA, PIX, and FWSM devices, what you enter in the Services field determines which protocols require authentication, although the device will prompt only for HTTP, HTTPS, FTP, and Telnet connections. For IOS devices, the protocols that require authentication are based on the authorization proxy check boxes you select at the bottom of the dialog box.

    User-Identity (ASA 8.4(2+) only.)—For ASA devices, when you select Authentication Action, you also have the option to select User-Identity. This option indicates that the device should use the identity-firewall domain mappings defined in the Identity Options policy to authenticate users instead of the AAA Server Group setting in the AAA rule. If the user enters a domain name, the AD server associated with the domain is queried. Otherwise, the AD server associated with the default domain is queried. See Identifying Active Directory Servers and Agents, page 13-8.

Authorization Action (PIX/ASA/FWSM)
    Authorization—After successful authentication, the AAA server is also checked to determine if the user is authorized to make the requested connection. If you specify a RADIUS server for authentication rules, authorization happens without you having to configure authorization rules. If you are using a TACACS+ server, you must create separate authorization rules.

Accounting Action (PIX/ASA/FWSM)
    Accounting—Accounting records will be sent to the TACACS+ or RADIUS server for the TCP and UDP protocols specified in the Services field. If you also configure authentication, these records are per-user; otherwise, they are based on IP address. For IOS devices, accounting is configured in the Firewall > Settings > ScanSafe Web Security policy, not in AAA rules, and applies only to the protocols you select for authentication proxy.
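
The following check is an added example, not part of the Cisco guide. It reads an ASA configuration and reports two conditions the table describes: TACACS+ authentication rules with no separate authorization rule, and accounting rules whose records will be based on IP address because no authentication rule covers them. It assumes the rules are deployed as ASA `aaa ... match` commands and that an authorization rule reuses the ACL name and interface of its authentication rule; the sample configuration and every name in it are constructed.

```python
import re

# Constructed sample ASA configuration (not from the manual); all names are hypothetical.
SAMPLE_CONFIG = """\
aaa-server TAC_GRP protocol tacacs+
aaa-server RAD_GRP protocol radius
aaa authentication match WEB_AUTH inside TAC_GRP
aaa authentication match FTP_AUTH inside RAD_GRP
aaa authentication match TELNET_AUTH dmz TAC_GRP
aaa authorization match TELNET_AUTH dmz TAC_GRP
aaa accounting match WEB_AUTH inside TAC_GRP
aaa accounting match DNS_ACCT outside RAD_GRP
"""

SERVER_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)", re.M)
RULE_RE = re.compile(
    r"^aaa\s+(authentication|authorization|accounting)\s+match\s+(\S+)\s+(\S+)\s+(\S+)",
    re.M,
)


def audit_aaa(config):
    """Return sorted (acl, interface, finding) tuples for AAA rule gaps."""
    protocol = {name: proto.lower() for name, proto in SERVER_RE.findall(config)}
    rules = {"authentication": {}, "authorization": {}, "accounting": {}}
    for action, acl, ifname, group in RULE_RE.findall(config):
        rules[action][(acl, ifname)] = group
    findings = []
    for key, group in rules["authentication"].items():
        # RADIUS authorizes implicitly; TACACS+ needs its own authorization rule.
        if protocol.get(group) == "tacacs+" and key not in rules["authorization"]:
            findings.append(key + ("tacacs+ authentication without authorization rule",))
    for key in rules["accounting"]:
        # Assumption: matching is by ACL name and interface, not by traffic overlap.
        if key not in rules["authentication"]:
            findings.append(key + ("accounting without authentication: per-IP records",))
    return sorted(findings)


if __name__ == "__main__":
    for acl, ifname, finding in audit_aaa(SAMPLE_CONFIG):
        print(f"{ifname}/{acl}: {finding}")
```

Rules that use `user-identity` in place of a server group are not flagged, because no server protocol is recorded for them.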