AAA and the Cisco Security Appliance
So how does the Security Appliance factor into the AAA equation? Any user whose connection
through the Security Appliance matches a service that is configured for authentication is
prompted by the firewall for a username and password. If the Security Appliance has a local
user database configured for authentication, it checks the supplied credentials against that
database and permits or denies the connection accordingly.
On a Security Appliance, the local database is used for console (management) authentication
and command authorization, and as a fallback when no AAA server can be reached. If the
Security Appliance is configured to use a separate AAA server, it forwards the user's
credentials to that server for authentication and authorization. In this case the Security
Appliance and the AAA server operate in client/server mode, with the Security Appliance as
the client: toward the user it is the network access server (NAS), but toward the AAA server
it is a client. It is common practice to configure redundant AAA servers, and to keep a local
database on the Security Appliance for use when none of those servers can be contacted.
Remember that the AAA server not only authenticates the user but also tells the firewall what
the user is authorized to do. If a user is authorized to reach websites over HTTP and then
attempts to connect to the same servers over FTP, the firewall drops that connection even
though the user has already been authenticated. The AAA server should also record, through
accounting, that the user attempted a connection outside the user's authority; a denied
attempt is often more interesting to an analyst than a permitted one. Authorization and
accounting are not prerequisites for authentication: it is possible to configure
authentication alone, in which case an authenticated user is simply allowed the access that
triggered the authentication prompt.
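The configuration below is an added example, not taken from the original text or from a
Cisco reference; it shows the arrangement described above in Cisco ASA syntax (7.x and
later). It assumes two TACACS+ servers on the inside interface at 10.0.0.10 and 10.0.0.11
(constructed addresses), a shared secret placeholder, and an inside subnet 10.1.1.0/24 whose
HTTP and FTP connections must be authenticated. TACACS+ is assumed because per-connection
network authorization on the appliance requires it.

```cisco
! Redundant AAA servers in one group; the appliance is the AAA client (NAS).
! A server that fails three times in a row is marked dead for 10 minutes,
! after which the appliance tries it again.
aaa-server TACACS-GRP protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server TACACS-GRP (inside) host 10.0.0.10
 key S3cret-placeholder
 timeout 5
aaa-server TACACS-GRP (inside) host 10.0.0.11
 key S3cret-placeholder
 timeout 5
!
! Local account used only when no server in TACACS-GRP can be contacted.
username admin password L0cal-placeholder privilege 15
!
! Management access: authenticate and authorize commands against the server
! group, falling back to the LOCAL database if every server is unreachable.
aaa authentication ssh console TACACS-GRP LOCAL
aaa authentication enable console TACACS-GRP LOCAL
aaa authorization command TACACS-GRP LOCAL
!
! Cut-through proxy: the matching traffic triggers the username/password prompt.
access-list AAA-TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AAA-TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
aaa authentication match AAA-TRAFFIC inside TACACS-GRP
!
! Authorization: after a successful login, each matching connection is checked
! against the per-user policy on the TACACS+ server. A user permitted only
! HTTP is authenticated, but the FTP connection is still dropped.
aaa authorization match AAA-TRAFFIC inside TACACS-GRP
!
! Accounting: start/stop records for the matching connections go to the server,
! so the denied FTP attempt above shows up in the server's logs.
aaa accounting match AAA-TRAFFIC inside TACACS-GRP
```

Note that the LOCAL fallback is attached to the console and command-authorization lines,
which is where a lost AAA server would otherwise lock administrators out; the cut-through
proxy lines rely on the redundant servers in the group. Verify the server state with
show aaa-server TACACS-GRP before relying on the fallback in production.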