pix firewall provides integration with aaa (authentication, accounting, and authorization) services.

    aaa services are provided by tacacs+ or radius servers.

    pix firewall lets you define separate groups of tacacs+ or radius servers for specifying different types of traffic; such as, a tacacs+ server for inbound traffic and another for outbound traffic.

    aaa server groups are defined by a tag name that directs different types of traffic to each authentication server. if accounting is in effect, the accounting information goes to the active server.

    the pix firewall allows a radius server to send user group attributes to the pix firewall in the radius authentication response message. the pix firewall then matches an access list to the attribute and determines radius authorization from the access list. after the pix firewall authenticates a user, it uses the ciscosecure acl attribute returned by the authentication server to identify an access list for a given user group.