Authorization configuration

If all authenticated users are allowed to perform all operations – HTTP, HTTPS, FTP, and Telnet – through the PIX Security Appliance, authentication is sufficient and authorization is not needed. If there is reason to allow only a subset of users, or to limit users to certain sites, authorization is needed. The PIX supports the following two basic methods of user authorization when per-user access rules are specified in the context of AAA:

  • Classic user authorization – The access rules are configured on the TACACS+ AAA server and consulted on demand. With classic authorization, the PIX Security Appliance is configured with rules specifying which connections need to be authorized; for each such connection, the AAA server is consulted for the user's access rights.
  • Download of per-user ACLs – PIX Security Appliance Software Version 6.2 introduced the ability to store full ACLs on an AAA server and download them to the PIX. An ACL is attached to the user or group profile on the AAA server. During the authentication process, after the user’s credentials are authenticated, the AAA server returns the ACL to the PIX. The returned ACL is modified based on the source IP address of the authenticated user. This functionality is supported only with RADIUS.

User authorization is a two-step process. The administrator identifies the traffic flow to authorize, such as all FTP traffic flows, and then configures the command authorization on the AAA server. The administrator can refine, by group, which set of users can access which corporate resources. The configuration steps are as follows:

Step 1 Configure the PIX Security Appliance for authorization. The administrator can use the older form of the aaa authorization {include | exclude} command or the newer version, the aaa authorization match command.
Step 2 Define the TACACS+ AAA server group parameters. The per-group command authorization parameters include commands and arguments.
NOTE:

It is assumed that aaa authentication configuration was already completed.
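The older include/exclude form of Step 1, shown here as an added example that is not from the course page. PIX 6.3-style syntax is assumed; the server address, key, interface names and the 192.168.1.0/24 range are constructed placeholders, and AUTHIN is the TACACS+ server tag.

```cisco
! Added example (not from the course page): classic aaa authorization include/exclude
! on a PIX Security Appliance, 6.3-style syntax assumed. Addresses, key and the
! 192.168.1.0/24 range are constructed placeholders; AUTHIN is the TACACS+ server tag.

! TACACS+ server group consulted for both authentication and authorization
aaa-server AUTHIN protocol tacacs+
aaa-server AUTHIN (inside) host 10.0.0.2 tacacskey timeout 10

! Prerequisite (the NOTE above assumes it is already in place): every inbound
! FTP, Telnet, HTTP and HTTPS session arriving on the outside interface must
! authenticate against AUTHIN before any authorization rule can apply to it.
aaa authentication include any outside 0 0 0 0 AUTHIN

! Step 1, older form: authorize every inbound session of an authenticated user
! with the TACACS+ server ("0 0 0 0" = any local host, any foreign host) ...
aaa authorization include any outside 0 0 0 0 AUTHIN

! ... except FTP arriving from the 192.168.1.0/24 partner range, which is still
! authenticated but is not sent to the server for per-user authorization.
aaa authorization exclude ftp outside 0 0 192.168.1.0 255.255.255.0 AUTHIN
```

The exclude line carves an exception out of the broader include rule; without it, every authenticated inbound session would be checked against the per-user rules on the server. Authorization never applies to a session that has not first been authenticated, which is why the aaa authentication line is shown even though the NOTE treats it as already configured.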

Enable authorization match
The administrator can define ACLs on the PIX Security Appliance, and then apply them with the aaa authorization match command. Any session matching the ACL must be authorized by the defined TACACS+ server. In the example in the figure, the three ACL statements are for any-to-any FTP, Telnet, and HTTP traffic. The ACL is applied to the outside interface. Any traffic matching these characteristics inbound on the outside interface must be authorized by the authin TACACS+ server.

Authorization of Non-Telnet, FTP, HTTP, or HTTPS Traffic
The authorization of non-Telnet, FTP, HTTP, or HTTPS traffic is a two-step process. First, identify the traffic flows to be authorized. Next, define the group attributes on the TACACS+ AAA server. The syntax of the aaa authorization command for non-Telnet, non-FTP, or non-HTTP services is shown in the figure.
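The aaa authorization match form from the previous section, extended to a service that is not Telnet, FTP or HTTP, as an added example that is not the course page's own figure. PIX 6.3-style syntax is assumed; the server address, key, ACL names and the mail-server address are constructed placeholders, and AUTHIN is the TACACS+ server tag.

```cisco
! Added example (not the course page's figure): aaa authorization match on a
! PIX Security Appliance, 6.3-style syntax assumed. Addresses, key, ACL names
! and the mail-server host are constructed; AUTHIN is the TACACS+ server tag.

aaa-server AUTHIN protocol tacacs+
aaa-server AUTHIN (inside) host 10.0.0.2 tacacskey timeout 10

! Traffic the PIX can prompt for credentials on: the any-to-any FTP, Telnet and
! HTTP flows from the figure. Only these protocols can carry the login dialog.
access-list AUTHEN permit tcp any any eq ftp
access-list AUTHEN permit tcp any any eq telnet
access-list AUTHEN permit tcp any any eq www

! Traffic that must be authorized per user: the same three services plus
! inbound SMTP to the mail server. SMTP cannot authenticate by itself, so it is
! deliberately kept out of AUTHEN; an SMTP session is authorized only for a
! source that already holds an authenticated session via one of the three above.
access-list AUTHZ permit tcp any any eq ftp
access-list AUTHZ permit tcp any any eq telnet
access-list AUTHZ permit tcp any any eq www
access-list AUTHZ permit tcp any host 192.168.10.25 eq smtp

! Sessions matching AUTHEN inbound on the outside interface are authenticated,
! and sessions matching AUTHZ are then authorized, by the AUTHIN server group.
aaa authentication match AUTHEN outside AUTHIN
aaa authorization match AUTHZ outside AUTHIN
```

The PIX side only selects which flows are sent to the server; the decision itself comes from Step 2, the per-group command and argument definitions on the TACACS+ server. For the SMTP line the service is presented to the server in protocol/port form (tcp/25, assumed here), so a group that is not explicitly permitted that command has its SMTP sessions denied even though its users authenticate successfully.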

Lab Activity

e-Lab Activity: PIX Security Appliance Authorization Configuration

In this activity, the student will enable authorization and accounting.

e-Lab Activity: PIX Security Appliance AAA Configuration Lab

In this activity, the student will configure the PIX Security Appliance to work with an AAA server running CSACS software.

Resources

Resource: How to Authorize Non-Telnet, FTP, or HTTP Traffic on the CSACS

Resource: How to Create Authorization Rules Allowing Services Only to Specific Hosts on the CSACS

Resource: How to Create Authorization Rules Allowing Specific Services on the CSACS