Configuring authorization for network access, Configuring tacacs+ authorization – Cisco ASA 5505 User Manual


38-11

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 38 Configuring AAA Rules for Network Access

Configuring Authorization for Network Access

After a user authenticates for a given connection, the ASA can use authorization to further control traffic
from the user.

This section includes the following topics:

Configuring TACACS+ Authorization, page 38-11

Configuring RADIUS Authorization, page 38-14

Configuring TACACS+ Authorization

You can configure the ASA to perform network access authorization with TACACS+. You identify the
traffic to be authorized by specifying access lists that authorization rules must match. Alternatively, you
can identify the traffic directly in authorization rules themselves.

Tip

Using access lists to identify traffic to be authorized can greatly reduce the number of authorization
commands that you must enter. This is because each authorization rule that you enter can specify only
one source and destination subnet and service, whereas an access list can include many entries.

Authentication and authorization statements are independent; however, any unauthenticated traffic
matched by an authorization rule will be denied. For authorization to succeed:

1. A user must first authenticate with the ASA.

   Because a user at a given IP address only needs to authenticate one time for all rules and types, if
   the authentication session has not expired, authorization can occur even if the traffic is not matched
   by an authentication rule.

2. After a user authenticates, the ASA checks the authorization rules for matching traffic.

3. If the traffic matches the authorization rule, the ASA sends the username to the TACACS+ server.

4. The TACACS+ server responds to the ASA with a permit or a deny for that traffic, based on the user
   profile.

5. The ASA enforces the authorization rule in the response.

See the documentation for your TACACS+ server for information about configuring network access
authorizations for a user.
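The following ASA CLI fragment is an added example, not configuration from the Cisco guide. It ties
together the two points above: identifying authorized traffic with an access list rather than with one
rule per subnet and service, and making sure the traffic is authenticated first so that the authorization
rule does not simply deny it. The server group name TACACS_GRP, the server address 10.1.1.5, the
interface name inside, the client subnet 10.1.2.0/24, the ACL name AAA_TRAFFIC and the shared secret
are all assumed placeholders.

```cisco
! Added example (not from the Cisco guide). Group name, addresses, interface
! name, ACL name and the shared secret are assumed placeholders.

! 1. Define the TACACS+ server group the ASA will query. The per-user
!    permit/deny decisions come from the user profiles on this server.
aaa-server TACACS_GRP protocol tacacs+
aaa-server TACACS_GRP (inside) host 10.1.1.5
 key REPLACE_WITH_SHARED_SECRET

! 2. Identify the traffic with an access list. One ACL can carry many
!    entries, so a single authentication rule and a single authorization
!    rule below cover all of them.
access-list AAA_TRAFFIC extended permit tcp 10.1.2.0 255.255.255.0 any eq 80
access-list AAA_TRAFFIC extended permit tcp 10.1.2.0 255.255.255.0 any eq 443

! 3. Require authentication for that traffic first. Unauthenticated traffic
!    that matches an authorization rule is denied, so the authorization ACL
!    should be no broader than the authentication ACL.
aaa authentication match AAA_TRAFFIC inside TACACS_GRP

! 4. Authorize the same traffic: on a match the ASA sends the username to
!    TACACS_GRP and enforces the permit or deny in the server's response.
aaa authorization match AAA_TRAFFIC inside TACACS_GRP

! Alternative (commented out): name the traffic directly in the rule instead
! of using the match form. Each include line covers only one source subnet,
! destination subnet and service, so the two ACL entries above would need
! two separate rules here.
! aaa authorization include tcp/80  inside 10.1.2.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS_GRP
! aaa authorization include tcp/443 inside 10.1.2.0 255.255.255.0 0.0.0.0 0.0.0.0 TACACS_GRP
```

After applying the configuration, `show aaa-server TACACS_GRP` shows whether the server is
reachable and responding, and `show uauth` lists the users whose authentication sessions are
still active, which is the precondition for step 2 of the flow above.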

To configure TACACS+ authorization, perform the following steps:
