Configuring Authorization

Cisco ASA supports authorization services over TACACS+ for firewall cut-through proxy sessions. It also supports authorization services over TACACS+ and its internal user database for administrative sessions. RADIUS-downloadable ACLs are also supported by Cisco ASA.


Command access is authorized by privilege level only when authorization is done against the local database.

Additionally, authorization over RADIUS, LDAP, and internal user databases is available for VPN user connections. This is used for mode-config attributes for remote-access VPN clients. Information about mode-config and its attributes is provided in Chapter 16.

The aaa authorization command enables authorization for firewall cut-through proxy and administrative sessions. The following is the syntax for this command to enable authorization for firewall cut-through proxy sessions:

 aaa authorization include | exclude svc if_name l_ip l_mask [f_ip f_mask]server_tag

Table 7-7 lists its options.

Table 7-7. aaa authorization Command Options for Firewall Cut-Through Proxy Sessions




Use this option to include authorization services for a specific host or network.


Use this option to exclude authorization services for a specific host or network.


Specifies the protocol and/or service used:

telnet, ftp, http, https, tcp/port, and tcp/0.


Name of the interface on which authorized connections are originated.


The address of the local host or network that requires authorization.


The network mask of the local host or network that requires authorization.


The address of the foreign host or network whose connections require authorization.


The network mask of the foreign host or network whose connections require authorization.


The name of the AAA server tag. For cut-through and command authorization, the server tag LOCAL can also be used. Only TACACS+ is supported for cut-through authorization.

You can also use the aaa authorization match command to define a firewall cut-through proxy session:

 aaa authorization match access_list_name if_name server_tag

The access_list_name option specifies the ACL name used to categorize which traffic requires authorization. Example 7-16 demonstrates how to use this command.

Example 7-16. Enabling Authorization Using an ACL to Define Interesting Traffic

access-list 100 extended permit ip

aaa-server mygroup protocol tacacs+

aaa-server mygroup host

 key cisco123

aaa authorization match 100 inside mygroup

In Example 7-16, access list 100 defines that all IP traffic sourced from the network destined to requires authorization. This ACL is associated to the aaa authorization match command.

Command Authorization

To configure command authorization on the Cisco ASA, the following command is used:

 aaa authorization command {LOCAL | tacacs_server_tag [LOCAL]}

The server tag LOCAL defines local command authorization. It can also be used as a fallback method in case the TACACS+ server is unreachable.


Establishing two separate sessions to the Cisco ASA is always recommended when configuring AAA authorization. The purpose of this procedure is to avoid getting locked out of the CLI. Open one session using a Telnet or SSH connection and connect to the serial console of the Cisco ASA. One of the sessions can be disconnected once the configuration is verified and tested.

When using authorization, the following attributes are passed to the TACACS+ server in the attribute payload of the authorization request message:

  • cmd The command string to be authorized (used for authorization for administrative sessions only)
  • cmd-arg The command arguments to be sent (used for authorization for administrative sessions only)
  • service The type of service for which authorization is requested

The following attributes may be received from a TACACS+ server in an authorization response message:

  • idletime Idle timeout value for firewall cut-through proxy sessions
  • timeout Absolute timeout value for firewall cut-through proxy sessions
  • acl The identifier of an ACL to be applied to a specific user

Configuring Downloadable ACLs

Cisco ASA provides support for a per-user ACL authorization by downloading an ACL from a RADIUS or TACACS+ server. This feature allows you to push an ACL to the Cisco ASA from a CiscoSecure ACS server. The downloadable ACL will work in combination with the ACLs configured in the ASA. The user traffic needs to be permitted by both ACLs in order for it to flow through the ASA. However, the per-user-override option can be configured at the end of the access-group command to bypass this requirement. The following is an example of applying the per-user-override option on an access-group command applied to the inside interface:

 access-group 100 in interface inside per-user-override

All downloadable ACLs are applied to the interface from which the user is authenticated.

Figure 7-7 illustrates an example of how downloadable ACLs work.

Figure 7-7. Downloadable ACL Example

The following are the steps listed in Figure 7-7:

  1. A user initiates a web connection to
  2. The Cisco ASA is configured to perform authentication (cut-through proxy) and prompts the user for authentication credentials.
  3. The user replies with his credentials.
  4. The Cisco ASA sends the RADIUS authentication request (Access-Accept) to the CiscoSecure ACS server.
  5. The CiscoSecure ACS server authenticates the user and sends a RADIUS response (Access-Accept) including an ACL name associated with the user.
  6. The Cisco ASA verifies whether it has an ACL named the same as the one downloaded from the CiscoSecure ACS server. There is no need to download a new ACL if there is an ACL identified with the same name.

You can configure downloadable ACLs in CiscoSecure ACS in a few different ways:

  • Configure a Shared Profile Component (SPC), including both the ACL name and the actual ACL. This allows you to apply the ACL to any number of users within CiscoSecure ACS.
  • Configure each ACL entry within a specific user profile.
  • Configure the ACLs to be applied to a specific group.

These options are supported with Cisco ASA to better fit your security policies.

Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies

Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231 © 2008-2020.
If you may any questions please contact us: