15-23
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
AAA Firewall Settings Policies
AAA Firewall Page, MAC-Exempt List Tab
Use the MAC Exempt List tab of the AAA Firewall settings policy to identify hosts that should be
exempt from authentication and authorization for ASA, PIX, and FWSM 3.x+ devices. For example, if
the security appliance authenticates TCP traffic originating on a particular network but you want to allow
unauthenticated TCP connections from a specific server, create a rule permitting traffic from the MAC
address of the server.
You can use masks to create rules for groups of MAC addresses. For example, if you want to exempt all
Cisco IP phones whose MAC addresses start with 0003.e3, create a permit rule for 0003.e300.0000 with
the mask ffff.ff00.0000. (An f in a mask exactly matches the corresponding number in the address,
whereas a 0 matches anything.)
Deny rules are necessary only if you are permitting a group of MAC addresses but there are some
addresses within the permitted group that you want to require to use authentication and authorization.
Deny rules do not prohibit traffic; they simply require the host to go through normal authentication and
authorization. For example, if you want to allow all hosts with MAC addresses that start with 00a0.c95d,
but you want to force 00a0.c95d.0282 to use authentication and authorization, enter these rules in order:
1. Deny 00a0.c95d.0282 ffff.ffff.ffff
2. Permit 00a0.c95d.0000 ffff.ffff.0000
When you deploy the policy to the device, these entries are configured using the mac-list and aaa
mac-exempt commands.
Tip The MAC exempt list is processed on a first match basis. Thus, the order of entries matters. If you want
to permit a group of MAC addresses, but deny a subset of them, the deny rule must come before the
permit rule. However, Security Manager does not allow you to order MAC exempt rules: they are
implemented in the order shown. If you sort the table, your policy changes. If your entries do not depend
on each other, this does not matter. Otherwise, ensure that you enter rows in the proper order.
Navigation Path
To access the MAC Exempt List tab, do one of the following:
• (Device view) Select an ASA, PIX, or FWSM device, then select Firewall > Settings > AAA
Firewall. Select the MAC-Exempt List tab.
• (Policy view) Select Firewall > Settings > AAA Firewall from the Policy Type selector. Create a
new policy or select an existing one, then select the MAC-Exempt List tab.
• (Map view) Right-click an ASA, PIX, or FWSM device and select Edit Firewall Settings > AAA
Firewall, then select the MAC-Exempt List tab.
Related Topics
• Configuring AAA Rules for ASA, PIX, and FWSM Devices, page 15-4
• Filtering Tables, page 1-45
Field Reference
Table 15-6 MAC-Exempt List Tab, AAA Firewall Settings Page
Element Description
MAC-Exempt List Name The name of the MAC exempt list.