If all authenticated users are allowed to perform all operations – HTTP, HTTPS, FTP, and Telnet – through the PIX Security Appliance, authentication is sufficient and authorization is not needed. If there is reason to allow only some subset of users or to limit users to certain sites, authorization is needed. The PIX supports the following two basic methods of user authorization when per-user access rules are specified in the context of AAA:
- Classic user authorization – The access rules are configured on the TACACS+ AAA server and consulted on demand. With classic authorization, the PIX Security Appliance is configured with rules specifying which connections need to be authorized by the AAA server. The AAA server is consulted for access rights on demand.
- Download of per-user ACLs – PIX Security Appliance Software Version 6.2 introduced the ability to store full ACLs on an AAA server and download them to the PIX. An ACL is attached to the user or group profile on the AAA server. During the authentication process, after the user's credentials are authenticated, the AAA server returns the ACL to the PIX. The returned ACL is modified based on the source IP address of the authenticated user. This functionality is supported only with RADIUS.
User authorization is a two-step process. The administrator identifies the traffic flow to authorize, such as all FTP traffic flows, and then configures the command authorization in the AAA server. The administrator can refine, by group, which set of users can access which corporate resources. The configuration steps are as follows:
Step 1 Configure the PIX Security Appliance for authorization. The administrator can use the older form, the aaa authorization {include | exclude} command, or the newer form, the aaa authorization match command.
Step 2 Define the TACACS+ AAA server group parameters. The per-group command authorization parameters include commands and arguments.
NOTE: It is assumed that aaa authentication configuration was already completed.
Enable Authorization Match
The administrator can define ACLs on the PIX Security Appliance and then apply them to the aaa authorization match command. Any session matching the ACL must be authorized by the defined TACACS+ server. In the example in Figure, the three ACL statements are for any-to-any FTP, Telnet, and HTTP traffic. The ACLs are applied to the outside interface. Any traffic matching these characteristics inbound on the outside interface must be authorized by the authin TACACS+ server.
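The configuration the figure describes, written out as an added example (not taken from the original page). The ACL name AUTHZ, the server address 10.0.0.3 and the shared key are assumed placeholders; only the server tag authin and the outside interface come from the text above.

```cisco
! Match list: any-to-any FTP, Telnet and HTTP. This ACL only selects which
! sessions are sent to the AAA server; it does not itself permit traffic
! (interface access-group rules still decide what is allowed through).
access-list AUTHZ permit tcp any any eq ftp
access-list AUTHZ permit tcp any any eq telnet
access-list AUTHZ permit tcp any any eq www

! TACACS+ server group "authin" (host address and key are placeholders)
aaa-server authin protocol tacacs+
aaa-server authin (inside) host 10.0.0.3 PLACEHOLDER_KEY timeout 10

! Authentication for the same flows is assumed to be in place already (see NOTE)
aaa authentication match AUTHZ outside authin

! Any inbound session on the outside interface that matches AUTHZ must be
! authorized by the authin TACACS+ server before the PIX permits it
aaa authorization match AUTHZ outside authin
```

Verify with show aaa and show access-list AUTHZ that the match list and server tag are bound as intended; a session that matches AUTHZ but has no authorization rule on the TACACS+ server is denied.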
Authorization of Non-Telnet, FTP, HTTP, or HTTPS Traffic
The authorization of non-Telnet, non-FTP, non-HTTP, or non-HTTPS traffic is a two-step process. First, identify the traffic flows to be authorized. Next, define the group attributes in the TACACS+ AAA server. The syntaxes for the aaa authorization of non-Telnet, non-FTP, or non-HTTP commands are shown in Figure.