Configuring Authorization

When discussing authorization, you should first understand the difference between
authentication and authorization:
■ Authentication identifies who the user is.
■ Authorization determines what the user can do.
■ Authentication can be implemented without authorization.
■ Authorization cannot be used unless the user has successfully authenticated.
Authorization is not a requirement but rather a method of allowing you to become more
granular in what access you give specific users. After users have successfully authenticated,
they can be given the access they have requested. This access is configured using the aaa
authorization command, the syntax for which is very similar to the aaa authentication
command, except for the service. The Security Appliance does not permit or deny any traffic
based solely on the aaa authorization commands. This configuration merely tells the firewall
which services it needs to reference the AAA server for authorization before allowing or
denying the connection. A TACACS+ server performs AAA authorization. The server is
configured using the following syntax:
aaa authorization include | exclude svc if-name local-ip local-mask foreign-ip foreign-mask
tacacs-server-tag specifies the TACACS+ server to be used for authorization.
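The following configuration is an added example, not taken from the original text. It pairs an authentication rule with authorization rules for the same service, with the tacacs-server-tag as the final argument of each command. The group tag TACSRV, the interface name, all addresses, and the key placeholder are constructed for illustration.

```cisco
! Define the TACACS+ server group (tag TACSRV) and the server it points to.
! <shared-key> is a placeholder, not a real value.
aaa-server TACSRV protocol tacacs+
aaa-server TACSRV (inside) host 10.10.10.7 <shared-key> timeout 20

! Users must authenticate first; authorization cannot be used without it.
aaa authentication include ftp inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACSRV

! Reference the TACACS+ server for authorization of FTP from any inside host...
aaa authorization include ftp inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACSRV

! ...except for connections from this (constructed) management subnet.
aaa authorization exclude ftp inside 10.10.20.0 255.255.255.0 0.0.0.0 0.0.0.0 TACSRV
```

These rules only select which connections are referred to the TACACS+ server; what each user is permitted to do is defined on the server itself.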