PIX Security Appliance access authorization is the mechanism for controlling
administration: who can access the security appliance and which commands they
can execute. The administrator assigns commands to privilege levels, creates
user accounts, and links a privilege level to each user. When a console user
attempts to access the security appliance console, they are prompted for a
username and password. Once authenticated, the console user is granted the
privileges of the access level assigned to their user account.
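The following configuration is an added example, not text from the original
curriculum, showing the model just described in PIX 7.x command syntax: commands
assigned to privilege levels, local user accounts linked to a level, and
console logins authenticated and authorized against the local database. The
user names, passwords and the choice of which commands to lower to level 5 are
placeholders chosen for illustration.

```cisco
! Added example (not from the original text): local command authorization.
! User names and passwords are placeholders.
!
! 1. Assign commands to privilege levels. The read-only "show" forms are
!    lowered to level 5; the configuration-changing forms stay at level 15.
privilege show level 5 command access-list
privilege show level 5 command running-config
privilege cmd level 15 mode configure command access-list
!
! 2. Create user accounts and link a privilege level to each one.
username auditor password <AuditorPassword> privilege 5
username netadmin password <AdminPassword> privilege 15
!
! 3. Prompt console users for a username and password (local database)
!    and check the privilege level of every command they enter.
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
```

With this in place the auditor account can log in, enter `enable`, and run
`show access-list` or `show running-config`, but is refused the configuration
form of `access-list`; the netadmin account at level 15 is not restricted.
`show curpriv` displays the level the current session was granted, which is
the quickest way to confirm that the mapping took effect.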
If the administrator wants to allow all authenticated users to perform HTTP,
HTTPS, FTP, and Telnet through the PIX Security Appliance, authentication is
sufficient and authorization is not needed. But if there is reason to allow
only a subset of users, or to limit users to certain sites and protocols,
authorization is needed. The PIX supports two basic methods of user
authorization:
- The PIX Security Appliance is configured with rules specifying which
connections need to be authorized by the AAA server. When the first packet of a
traffic flow matches a pre-defined rule, the AAA server is consulted by the PIX
for access rights. The AAA server returns a permit or deny authorization
message.
- The PIX Security Appliance is configured with rules specifying which
connections need to be authenticated by the AAA server. The AAA server is
configured with authorization rules assigned to the authenticating user. These
authorization rules take the form of ACLs; an ACL is attached to the user or
group profile on the AAA server. When the first packet of a traffic flow
matches a pre-defined rule, the PIX consults the AAA server to determine
whether to permit or deny the traffic. If the end user authenticates
successfully, the Cisco ACS server downloads the ACL to the PIX, which applies
it to the traffic flow. Cisco ACS has the ability to store ACLs and download
them to the PIX.

When a remote user attempts to establish a tunnel to the PIX, the administrator
can force the tunnel user to authenticate before granting them access to the
security appliance. When a tunnel user authenticates, the PIX retrieves tunnel
information for the defined user or group. This tunnel authorization
information can include VPN access hours, simultaneous logins, client block
rules, personal computer firewall type, idle timeout, and so on. The tunnel
group information is applied to the tunnel before the tunnel is fully
established.
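The configuration below is an added example, not part of the original
curriculum, putting the two user-authorization methods and the tunnel
attributes into PIX 7.x syntax. Server group names, addresses, shared keys,
the inside subnet, and the group-policy values are placeholders. The first
method uses TACACS+ because the PIX performs per-connection authorization only
against a TACACS+ server; the second relies on the downloadable ACL that Cisco
ACS returns over RADIUS during authentication, so no `aaa authorization` rule
is configured for it.

```cisco
! Added example (not from the original text). Names, addresses, keys and
! subnets are placeholders.
!
! Method 1: the PIX authenticates the user and then asks the TACACS+ AAA
! server to authorize each new connection that matches the rule. The server
! answers permit or deny for that connection.
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 10.0.0.10 <SharedKey>
access-list AUTH-PROXY extended permit tcp 10.0.1.0 255.255.255.0 any eq www
access-list AUTH-PROXY extended permit tcp 10.0.1.0 255.255.255.0 any eq ftp
access-list AUTH-PROXY extended permit tcp 10.0.1.0 255.255.255.0 any eq telnet
aaa authentication match AUTH-PROXY inside TACACS-GRP
aaa authorization match AUTH-PROXY inside TACACS-GRP
!
! Method 2: the PIX only authenticates; the ACL attached to the user or
! group profile on Cisco ACS is downloaded with the authentication result
! and applied to the user's traffic. No "aaa authorization" line is needed.
aaa-server ACS-GRP protocol radius
aaa-server ACS-GRP (inside) host 10.0.0.11 <SharedKey>
access-list AUTH-ALL extended permit tcp 10.0.1.0 255.255.255.0 any
aaa authentication match AUTH-ALL inside ACS-GRP
!
! Tunnel authorization: a remote-access tunnel group authenticates users
! against ACS and applies a group policy carrying access hours, simultaneous
! logins and idle timeout before the tunnel is fully established.
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 18:00
group-policy REMOTE-USERS internal
group-policy REMOTE-USERS attributes
 vpn-access-hours value BUSINESS-HOURS
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
tunnel-group REMOTE-VPN type ipsec-ra
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group ACS-GRP
 default-group-policy REMOTE-USERS
```

`show uauth` lists the users the PIX currently holds as authenticated and,
for method 2, the name of the ACL downloaded for each of them; an entry with
no ACL after a successful login usually means the ACL is not attached to that
user or group profile on the ACS server.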