15-17
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
AAA Rules Page
AAA Server Group (PIX, ASA, FWSM)
The AAA server group policy object that defines the AAA server that
should provide authentication, authorization, or accounting for the
traffic defined in the rule. Enter the name of the policy object or click
Select to select it from a list or to create a new object.
You must select a type of server that can perform all actions defined in
the rule. For example, the local database (defined on the device) cannot
provide authorization services. If you use a RADIUS server for
authentication, it automatically provides authorization services, but
you cannot define an authorization rule that uses a RADIUS server.
You can use a mix of server groups for different actions for the same
source/destination pair by creating separate rules for the desired
combination of authentication, authorization, and accounting actions.
For more information on AAA server group objects, see Understanding
AAA Server and Server Group Objects, page 6-24.
Tips
• If you select Authenticate Action and User-Identity, but not the
Authorization or Accounting actions, any server you specify here
is ignored. To avoid validation warnings, do not select a server.
• AAA server groups for IOS devices are defined in other policies.
For a complete explanation of the configuration, see Configuring
AAA Rules for IOS Devices, page 15-7.
• You can right-click the Server Group cell in an existing AAA rule
and choose Edit Server Group to change your selections. See Edit
Server Group Dialog Box, page 15-18 for more information.
Category
The category assigned to the rule. Categories help you organize and
identify rules and objects. See Using Category Objects, page 6-12.
Method (IOS) (not presented for ASA 9.0+ devices)
Choose Auth-Proxy, HTTP-basic, or NTLM.
If you choose Auth-Proxy, the following options are available:
• HTTP
• FTP
• Telnet
Specify the protocols for which you want to enforce authentication
using the authentication proxy. If you select HTTP, you can also
configure HTTPS authentication proxy by enabling SSL on the device.
For specific information, see Configuring AAA Rules for IOS Devices,
page 15-7.
You can right-click the AuthProxy cell in an existing AAA rule and
choose Edit AuthProxy to change your selections. See AuthProxy
Dialog Box, page 15-18 for more information.
Table 15-2 Add and Edit AAA Rules Dialog Boxes (Continued)
Element Description
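The AAA Server Group constraints described above can be checked before a policy is deployed. The following is an added example, not code from Cisco or from Security Manager. The rule representation, the server type labels ("LOCAL", "RADIUS", "TACACS+") and the finding codes are assumptions made for illustration, and the sample rules are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AaaRule:
    """Hypothetical, simplified view of one AAA rule row."""
    name: str
    actions: frozenset            # subset of {"authenticate", "authorize", "account"}
    server_type: Optional[str]    # "LOCAL", "RADIUS", "TACACS+", or None if no group selected
    user_identity: bool = False   # the User-Identity option


def lint_rule(rule):
    """Return finding codes for one rule, using only the constraints stated in the table."""
    findings = []
    # Authenticate + User-Identity with no other action: a selected server is ignored.
    if rule.user_identity and rule.actions == {"authenticate"}:
        if rule.server_type is not None:
            findings.append("server-ignored")
        return findings
    if "authorize" in rule.actions:
        # The local database cannot provide authorization services.
        if rule.server_type == "LOCAL":
            findings.append("local-cannot-authorize")
        # RADIUS authorizes implicitly during authentication; it cannot back an authorization rule.
        elif rule.server_type == "RADIUS":
            findings.append("radius-authorization-rule")
    return findings


def lint_policy(rules):
    """Map each rule name to its list of findings (empty list means no issue found)."""
    return {rule.name: lint_rule(rule) for rule in rules}


# Constructed sample policy; names and combinations are illustrative only.
SAMPLE_RULES = [
    AaaRule("web-auth", frozenset({"authenticate", "account"}), "RADIUS"),
    AaaRule("admin-authz", frozenset({"authorize"}), "RADIUS"),
    AaaRule("branch", frozenset({"authenticate", "authorize"}), "LOCAL"),
    AaaRule("idfw", frozenset({"authenticate"}), "TACACS+", user_identity=True),
    AaaRule("ops-authz", frozenset({"authorize"}), "TACACS+"),
]

if __name__ == "__main__":
    for name, findings in lint_policy(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(findings) if findings else 'ok'}")
```

A rule flagged here can be split into separate rules per action for the same source/destination pair, each using a server group that supports that action.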