Cisco Systems and the ASA Services Module Network Router User Manual


 
7-16
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Configuring AAA Rules for Network Access
Configuring Authorization for Network Access
Examples
The following example authenticates and authorizes inside Telnet traffic. Telnet traffic to servers other
than 209.165.201.5 can be authenticated alone, but traffic to 209.165.201.5 requires authorization.
ciscoasa(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
ciscoasa(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq
telnet
ciscoasa(config)# aaa-server AuthOutbound protocol tacacs+
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
Step 5
aaa local authentication attempts max-fail number
Example:
ciscoasa(config)# aaa local authentication attempts
max-fail 7
(Optional) Uses the local database for network
access authentication and limits the number of
consecutive failed login attempts that the ASA
allows any given user account (with the exception of
users with a privilege level of 15. This feature does
not affect level 15 users). The number argument
value is between 1 and 16.
Tip To clear the lockout status of a specific user
or all users, use the clear aaa local user
lockout command.
Step 6
access-list
Example:
ciscoasa(config)# access-list TELNET_AUTH extended
permit tcp any any eq telnet
Create an ACL that identifies the source addresses
and destination addresses of traffic that you want to
authorize. For instructions, see the general
operations configuration guide.
The permit ACEs mark matching traffic for
authorization, while deny entries exclude matching
traffic from authorization. The ACL that you use for
authorization matching should include rules that are
equal to or a subset of the rules in the ACL used for
authentication matching.
Note If you have configured authentication and
want to authorize all the traffic being
authenticated, you can use the same ACL
that you created for use with the aaa
authentication match command.
Step 7
aaa authorization match acl_name interface_name
server_group
Example:
ciscoasa(config)# aaa authentication match
TELNET_AUTH inside AuthOutbound
Enables authorization.
The acl_name argument is the name of the ACL you
created in Step 6, the interface_name argument is
the name of the interface as specified with the
nameif command or by default, and the
server_group argument is the AAA server group that
you created when you enabled authentication.
Note Alternatively, you can use the aaa
authorization include command (which
identifies traffic within the command) but
you cannot use both methods in the same
configuration. See the command reference
for more information.
Command Purpose