Cisco Catalyst 6500 Series User Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 12 Configuring AAA
AAA Overview
AAA Server and Local Database Support
The FWSM supports AAA servers and a local database that is stored on the FWSM. Each server type
and local database provides different functionality (see Table 12-1).
Table 12-1 AAA Server and Local Database Support
| Server/Database Type | Functionality | Description |
|---|---|---|
| RADIUS | User authentication for CLI access | When a user attempts to access the FWSM for Telnet, SSH, or HTTP, the FWSM consults the RADIUS server for the username and password. |
| RADIUS | User authentication for the enable command | When a user attempts to access the enable command, the FWSM consults the RADIUS server for the username and password. |
| RADIUS | User authentication for network access | When a user attempts to access networks through the FWSM, and the traffic matches an authentication statement, the FWSM consults the RADIUS server for the username and password. |
| RADIUS | User authorization for network access using downloaded ACLs per user (dynamic ACLs) | This user authorization occurs automatically when you configure authentication, but you must configure the RADIUS server to support it. When the user authenticates on the FWSM, the RADIUS server sends a dynamic ACL to the FWSM. The user’s access to a given service is either permitted or denied by the ACL. The FWSM deletes the ACL when the authentication session expires. |
| RADIUS | User authorization for network access using a downloaded ACL name per user | This user authorization occurs implicitly when you configure authentication, but you must configure the RADIUS server to support it. When the user authenticates on the FWSM, the RADIUS server sends a name of an ACL that is already defined on the FWSM. The user’s access to a given service is either permitted or denied by the ACL. You can specify the same ACL for multiple users. |
| RADIUS | VPN client authentication | When you configure VPN management access using the VPN client, you can use a RADIUS server to authenticate the client. (See the “Configuring VPN Client Access” section on page 11-7 for more information.) |
| RADIUS | Accounting for network access per user or IP address | You can configure the FWSM to send accounting information to the RADIUS server about any traffic that passes through the FWSM. |
