Specifications
10-5
Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 10 Configuring AAA Servers and the Local Database
 AAA Server and Local Database Support
Table 10-2 RADIUS Functions (continued)

Function | Description
User authentication for network access | When a user attempts to access networks through the security appliance and the traffic matches an authentication statement, the security appliance sends to the RADIUS server the user credentials (typically a username and password) and grants or denies user network access based on the response from the server.
User authorization for network access using dynamic ACLs per user | To implement dynamic ACLs, you must configure the RADIUS server to support it. When the user authenticates, the RADIUS server sends a downloadable ACL to the security appliance. Access to a given service is either permitted or denied by the ACL. The security appliance deletes the ACL when the authentication session expires.
User authorization for network access using a downloaded ACL name per user | To implement downloaded ACL names, you must configure the RADIUS server to support it. When the user authenticates, the RADIUS server sends a name of an ACL. If an ACL with the name specified exists on the security appliance, access to a given service is either permitted or denied by the ACL. You can specify the same ACL for multiple users.
VPN authentication | When a user attempts to establish VPN access and the applicable tunnel-group record specifies a RADIUS authentication server group, the security appliance sends to the RADIUS server the username and password, and then grants or denies user access based on the response from the server.
VPN authorization | When user authentication for VPN access has succeeded and the applicable tunnel-group record specifies a RADIUS authorization server group, the security appliance sends a request to the RADIUS authorization server and applies to the VPN session the authorizations received.
VPN accounting | When user authentication for VPN access has succeeded and the applicable tunnel-group record specifies a RADIUS accounting server group, the security appliance sends the RADIUS server group accounting data about the VPN session.
Accounting for network access per user or IP address | You can configure the security appliance to send accounting information to a RADIUS server about any traffic that passes through the security appliance.

TACACS+ Server Support

The security appliance can use TACACS+ servers for the functionality described in Table 10-3. The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.

Table 10-3 TACACS+ Functions

Function | Description
User authentication for CLI access | When a user attempts to access the security appliance with Telnet, SSH, HTTP, or a serial console connection and the traffic matches an authentication statement, the security appliance challenges the user for a username and password, sends these credentials to the TACACS+ server, and grants or denies user CLI access based on the response from the server.
User authentication for the enable command | When a user attempts to access the enable command, the security appliance challenges the user for a password, sends to the TACACS+ server the username and enable password, and grants or denies user access to enable mode based on the response from the server.
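The functions listed in Tables 10-2 and 10-3 map onto a small set of configuration statements on the security appliance. The configuration below is an added example, not a sample from the guide or from Cisco, showing one way to wire a RADIUS server group to network-access and VPN AAA and a TACACS+ server group to CLI and enable authentication. The server-group names (RADSRV, TACSRV), the server and client addresses (192.0.2.x, 10.1.1.0/24), the ACL names, the tunnel-group name and the shared-secret placeholders are all assumed for illustration; the RADIUS server-side attribute setup that returns a downloadable ACL or an ACL name is outside the appliance configuration and is not shown.

```cisco
! Added example, not from the Cisco guide. Names and addresses are hypothetical;
! replace <shared-secret-placeholder> with the secret configured on each server.

! RADIUS server group: used for network-access authentication/accounting and VPN AAA
aaa-server RADSRV protocol radius
aaa-server RADSRV (inside) host 192.0.2.10
 key <shared-secret-placeholder>

! TACACS+ server group: used for CLI access and enable authentication
aaa-server TACSRV protocol tacacs+
aaa-server TACSRV (inside) host 192.0.2.20
 key <shared-secret-placeholder>

! Network access: traffic matching this ACL triggers the authentication statement
! (Table 10-2, "User authentication for network access") and per-user accounting.
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
aaa authentication match AUTH_TRAFFIC inside RADSRV
aaa accounting match AUTH_TRAFFIC inside RADSRV

! A named ACL that the RADIUS server can reference per user
! (Table 10-2, "using a downloaded ACL name per user"); it must exist on the
! appliance with exactly this name or the authorization is not applied.
access-list WEB_ONLY extended permit tcp any any eq www

! Management access (Table 10-3): TACACS+ first, local database as fallback
! so administrators are not locked out if every TACACS+ server is unreachable.
aaa authentication ssh console TACSRV LOCAL
aaa authentication telnet console TACSRV LOCAL
aaa authentication http console TACSRV LOCAL
aaa authentication serial console TACSRV LOCAL
aaa authentication enable console TACSRV LOCAL

! VPN (Table 10-2): the tunnel-group record names the RADIUS groups used for
! authentication, authorization and accounting of the VPN session.
tunnel-group REMOTE_VPN type ipsec-ra
tunnel-group REMOTE_VPN general-attributes
 authentication-server-group RADSRV
 authorization-server-group RADSRV
 accounting-server-group RADSRV
```

Two points are worth checking after applying a configuration like this. First, the trailing LOCAL keyword on the management authentication lines is what keeps CLI and enable access available when the TACACS+ group fails over to the local database, so the local user accounts must actually exist and hold strong passwords. Second, `show aaa-server` reports the state of each configured server, which is the quickest way to confirm the appliance can reach the servers before relying on them for network-access or VPN authentication.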