Introduction to PIX Security Appliance AAA Features
PIX Security Appliance authorization

PIX Security Appliance access authorization is a way of facilitating and controlling administration: it determines who can access the security appliance and which commands they can execute. The administrator assigns commands to a privilege level, creates user accounts, and links a privilege level to each user. When a console user attempts to access the security appliance console, they are prompted for a username and password. Once authenticated, the console user is granted the access-level privileges assigned to their user account.

If the administrator wants to allow all authenticated users to perform HTTP, HTTPS, FTP, and Telnet through the PIX Security Appliance, authentication alone is sufficient and authorization is not needed. But if only a subset of users should be allowed through, or if users should be limited to certain sites and protocols, authorization is needed. The PIX supports two basic methods of user authorization. These two methods are as follows:

  • The PIX Security Appliance is configured with rules specifying which connections need to be authorized by the AAA server. When the first packet of a traffic flow matches a pre-defined rule, the AAA server is consulted by the PIX for access rights. The AAA server returns a permit or deny authorization message.
  • The PIX Security Appliance is configured with rules specifying which connections need to be authenticated by the AAA server. The AAA server is configured with authorization rules assigned to the authenticating user. The authorization rules come in the form of ACLs. An ACL is attached to the user or group profile on the AAA server. When the first packet of a traffic flow matches a pre-defined rule, the AAA server is consulted by the PIX to determine whether to permit or deny the traffic. During the authentication process, if the end user is authenticated, the Cisco ACS server downloads an ACL to the PIX, and the ACL is applied to the traffic flow. The Cisco ACS server has the ability to store ACLs and download them to the PIX.

When a remote user attempts to establish a tunnel to the PIX, the administrator can force the tunnel user to authenticate before granting them access to the security appliance. When a tunnel user authenticates, the PIX retrieves tunnel information for the defined user or group. The tunnel authorization information can include VPN access hours, simultaneous logins, client block rules, personal computer firewall type, idle timeout, and so on. The tunnel group information is applied to the tunnel before the tunnel is fully established.
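The following configuration fragment is an added example, not text from the original page or Cisco documentation; it shows the first authorization method above (per-connection authorization against the AAA server) in PIX 7.x command syntax. The interface name, addresses, ACL and server-group names, and the shared key are constructed placeholders.

```text
! Added example: per-connection authorization on a PIX 7.x (not from the page).
! All names, addresses and the key below are constructed; replace CHANGE-ME.
!
! AAA server group. Per-connection authorization ("aaa authorization match")
! is handled by TACACS+; with RADIUS the equivalent control is delivered as a
! downloadable ACL (the second method above), not as a per-flow query.
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 10.1.1.10
 key CHANGE-ME
!
! Traffic that must be authenticated and then authorized before it passes:
! outbound HTTP, HTTPS, FTP and Telnet from the inside network 10.1.2.0/24.
access-list AAA-USER-TRAFFIC extended permit tcp 10.1.2.0 255.255.255.0 any eq 80
access-list AAA-USER-TRAFFIC extended permit tcp 10.1.2.0 255.255.255.0 any eq 443
access-list AAA-USER-TRAFFIC extended permit tcp 10.1.2.0 255.255.255.0 any eq 21
access-list AAA-USER-TRAFFIC extended permit tcp 10.1.2.0 255.255.255.0 any eq 23
!
! Authentication alone would let every valid user through all four protocols.
! The authorization rule makes the PIX consult the TACACS+ server on the first
! packet of each matching flow and apply the permit/deny answer to that flow.
aaa authentication match AAA-USER-TRAFFIC inside TACACS-GRP
aaa authorization match AAA-USER-TRAFFIC inside TACACS-GRP
!
! Note: this governs user traffic through the appliance. Console command
! authorization (privilege levels for administrators) is a separate feature
! and is not enabled by these lines.
```

Verify the policy on the AAA server side as well: a connection that matches AAA-USER-TRAFFIC is only as restricted as the permit/deny rules the TACACS+ server holds for that user or group.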