[Slide: Cisco Secure ACS Group Setup window, with callouts: Select IOS Commands; Select Deny; Select Command; Enter allowable service; Enter allowable destination hosts; Select Deny; Click Submit to add more rules; Click Submit + Restart when finished]

©2000, Cisco Systems,

Complete the following steps to add authorization rules for services to specific hosts in Cisco Secure ACS:

Step 1 In the navigation bar, click Group Setup. The Group Setup window opens.

Step 2 Scroll down in Group Setup until you find IOS Commands.

Step 3 Select IOS Commands.

Step 4 Under Unmatched Cisco IOS commands, select Deny.

Step 5 Select Command.

Step 6 Enter the allowable service: ftp, telnet, or http.

Step 7 In the Arguments field, enter the IP addresses of the hosts that users are authorized to reach. Use the following format:

permit ipaddr (where ipaddr is the IP address of the host)

Step 8 Under Unlisted arguments, select Deny.

Step 9 Click Submit to add more rules, or click Submit + Restart when finished.

Authorization of Non-Telnet, FTP, or HTTP Traffic

pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask server_tag

• author_service = protocol/port

- protocol: tcp (6), udp (17), icmp (1), or others (protocol #)

- port: single port (e.g., 53), port range (e.g., 2000-2050), or port 0 (all ports)

- for ICMP, the port field carries the ICMP message type (8 = echo request, 0 = echo reply)

- port is not used for protocols other than TCP, UDP, or ICMP

pixfirewall(config)# aaa authorization include udp/0 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

pixfirewall(config)# aaa authorization include tcp/30-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

pixfirewall(config)# aaa authorization include icmp/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS


The syntax of the aaa authorization command for non-Telnet, FTP, or HTTP traffic is as follows:

aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask server_tag

no aaa authorization [include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask]

clear aaa [authorization [include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask]]

Argument

Description

include author_service

The services which require authorization. Use protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services that require authorization.

exclude author_service

Create an exception to a previously stated rule by excluding the specified service from authorization to the specified host or networks.

inbound

Authenticate or authorize inbound connections. Inbound means the connection originates on the outside interface and is being directed to the inside or any other perimeter interface.

outbound

Authenticate or authorize outbound connections. Outbound means the connection originates on the inside and is being directed to the outside or any other perimeter interface.

if_name

Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom.

local_ip

The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.

local_mask

Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

foreign_ip

The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.

foreign_mask

Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.
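To make the include/exclude, direction, port and mask semantics in the table concrete, here is an added example in Python; it is not PIX code or Cisco's. It parses the slide's three statements plus one constructed exclude statement and decides whether a given connection is sent to the TACACS+ server. The exclude statement, the 10.0.1.0/24 network, all hosts, and the reading of icmp/0 as "echo reply" rather than "all types" are assumptions of the example.

```python
# Added example (not PIX code): which connections a PIX sends to the TACACS+
# server under 'aaa authorization include|exclude'. The first three CONFIG
# lines are the slide's own; the exclude line and all hosts are constructed.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
PORTED = {6, 17, 1}  # a port (or ICMP type) is only meaningful for these

def _addr(text):
    # The PIX accepts both '0' and '0.0.0.0' for "all hosts".
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))

def parse_author_service(text):
    """'tcp/30-100' -> (6, 30, 100); 'udp/0' -> (17, 0, 65535) since port 0 means
    all ports; 'icmp/8' -> (1, 8, 8), the number being the ICMP type (icmp/0 is
    therefore echo reply, an assumption of this example); '47' -> (47, None,
    None) because GRE has no port."""
    proto, _, port = text.lower().partition("/")
    proto_num = PROTO_NUM.get(proto) or int(proto)
    if proto_num not in PORTED:
        return proto_num, None, None
    if port == "" or (port == "0" and proto_num != 1):
        return proto_num, 0, (255 if proto_num == 1 else 65535)
    lo, _, hi = port.partition("-")
    return proto_num, int(lo), (int(hi) if hi else int(lo))

@dataclass(frozen=True)
class Rule:
    action: str          # 'include' or 'exclude'
    proto: int
    lo: int | None       # None when the protocol has no port
    hi: int | None
    where: str           # 'inbound', 'outbound' or an interface name
    local_ip: int        # inside-side host/network, whichever way the flow goes
    local_mask: int
    foreign_ip: int      # outside-side host/network
    foreign_mask: int
    server_tag: str      # e.g. MYTACACS

def parse_rule(line):
    """Parse one 'aaa authorization include|exclude ...' configuration line."""
    tok = line.split()
    if tok[:2] != ["aaa", "authorization"] or tok[2] not in ("include", "exclude"):
        raise ValueError(f"not an aaa authorization statement: {line!r}")
    proto, lo, hi = parse_author_service(tok[3])
    return Rule(tok[2], proto, lo, hi, tok[4], _addr(tok[5]), _addr(tok[6]),
                _addr(tok[7]), _addr(tok[8]), tok[9])

@dataclass(frozen=True)
class Flow:
    proto: int
    port: int | None     # destination port, or ICMP type; None for e.g. GRE
    direction: str       # 'inbound' or 'outbound'
    if_name: str         # interface the connection arrives on
    local_ip: int
    foreign_ip: int

def _matches(rule, flow):
    if rule.where not in (flow.direction, flow.if_name) or rule.proto != flow.proto:
        return False
    if rule.lo is not None and (flow.port is None or not rule.lo <= flow.port <= rule.hi):
        return False
    if (flow.local_ip & rule.local_mask) != (rule.local_ip & rule.local_mask):
        return False
    return (flow.foreign_ip & rule.foreign_mask) == (rule.foreign_ip & rule.foreign_mask)

def requires_authorization(rules, flow):
    """Services no include statement names are authorized implicitly; an exclude
    statement carves an exception out of the include statements."""
    included = any(_matches(r, flow) for r in rules if r.action == "include")
    excluded = any(_matches(r, flow) for r in rules if r.action == "exclude")
    return included and not excluded

CONFIG = """
aaa authorization include udp/0 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa authorization include tcp/30-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa authorization include icmp/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa authorization exclude tcp/80 outbound 10.0.1.0 255.255.255.0 0 0 MYTACACS
"""
RULES = [parse_rule(line) for line in CONFIG.strip().splitlines()]

def decide(proto, port, direction, local, foreign, if_name="inside"):
    """Evaluate one connection against RULES; proto is a name or a number."""
    proto_num = PROTO_NUM.get(proto) or int(proto)
    flow = Flow(proto_num, port, direction, if_name, _addr(local), _addr(foreign))
    return requires_authorization(RULES, flow)
```

With this configuration an outbound HTTP connection from 10.0.1.7 is not sent to the server (the constructed exclude statement carves it out of tcp/30-100), the same connection from 10.0.2.7 is, inbound DNS is, and an outbound echo reply is not because only type 8 was included.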

Authorization of Non-Telnet, FTP, or HTTP Traffic on CSACS-NT

[Slide: Cisco Secure ACS Group Setup window, with callouts: Click Submit to add more rules; Click Submit + Restart when finished]


Complete the following steps to add authorization rules for specific non-telnet, FTP, or HTTP services in Cisco Secure ACS:

Step 1 In the navigation bar, click Group Setup. The Group Setup window opens.

Step 2 Scroll down in Group Setup until you find IOS Commands.

Step 3 Select IOS Commands.

Step 4 Under Unmatched Cisco IOS commands, select Deny.

Step 5 Select Command.

Step 6 Enter an allowable service using the following format: protocol/port (where protocol is the protocol number and port is the port number).

Step 7 Leave the Arguments field blank.

Step 8 Under Unlisted arguments, select Permit.

Step 9 Click Submit to add more rules, or click Submit + Restart when finished.
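The two procedures above configure one ACS authorization set in two different ways: listed hosts with Unlisted arguments Deny for telnet, FTP and HTTP, and a blank argument list with Unlisted arguments Permit for other services. The following added Python example (not Cisco Secure ACS code) models the permit/deny decision that set produces for a request from the PIX. It assumes, for illustration, that the PIX presents the service as the command ("telnet", or "17/53" for protocol 17 port 53) and the destination host as its argument; the hosts and services are constructed, and argument matching is exact, a simplification of the pattern matching the real product performs.

```python
# Added example (not Cisco Secure ACS code): the permit/deny decision of an
# 'IOS Commands' authorization set configured as in the two procedures above.
# Assumes the PIX sends the service as the command and the destination host as
# its argument; hosts and services below are constructed for the example.
from __future__ import annotations

from dataclasses import dataclass, field

PERMIT, DENY = "Permit", "Deny"


@dataclass
class Command:
    name: str                          # the 'Command' field, e.g. 'telnet' or '17/53'
    arguments: list[str] = field(default_factory=list)   # 'permit <ipaddr>' lines
    unlisted_arguments: str = DENY     # the 'Unlisted arguments' setting


@dataclass
class CommandAuthorizationSet:
    unmatched_commands: str = DENY     # the 'Unmatched Cisco IOS commands' setting
    commands: dict[str, Command] = field(default_factory=dict)

    def add(self, command: Command) -> None:
        self.commands[command.name] = command

    def decide(self, command: str, argument: str) -> str:
        """Return PERMIT or DENY for one (service, destination host) request."""
        cmd = self.commands.get(command)
        if cmd is None:
            return self.unmatched_commands
        for line in cmd.arguments:
            action, _, value = line.partition(" ")
            if value == argument:
                return PERMIT if action.lower() == "permit" else DENY
        return cmd.unlisted_arguments


def build_group():
    """The group as Steps 1-9 of both procedures describe it (constructed hosts)."""
    group = CommandAuthorizationSet(unmatched_commands=DENY)          # Step 4
    # First procedure: telnet and ftp only to the listed hosts, all others denied
    group.add(Command("telnet", ["permit 10.0.0.5", "permit 10.0.0.6"], DENY))
    group.add(Command("ftp", ["permit 10.0.0.5"], DENY))
    # Second procedure: DNS (protocol 17, port 53) to any host; Arguments left
    # blank, Unlisted arguments set to Permit
    group.add(Command("17/53", [], PERMIT))
    return group


def misconfigured_group():
    """build_group() with Step 8 done wrong for telnet: Permit instead of Deny."""
    group = build_group()
    group.commands["telnet"].unlisted_arguments = PERMIT
    return group


def audit(group):
    """Commands whose host list is pointless because unlisted hosts are permitted anyway."""
    return sorted(c.name for c in group.commands.values()
                  if c.arguments and c.unlisted_arguments == PERMIT)


if __name__ == "__main__":
    group = build_group()
    for request in [("telnet", "10.0.0.5"), ("telnet", "10.0.0.9"),
                    ("ftp", "10.0.0.6"), ("17/53", "192.0.2.53"), ("http", "10.0.0.5")]:
        print(request, "->", group.decide(*request))
    print("overly permissive commands:", audit(misconfigured_group()))
```

The audit function is the check worth running after Step 8 of the first procedure: a command that lists permitted hosts but leaves Unlisted arguments at Permit authorizes that service to every host, which is the opposite of what the host list was meant to do.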
