Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
33-2
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 33 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
Information About Authentication
The adaptive security appliance lets you configure network access authentication using AAA servers.
This section includes the following topics:
• One-Time Authentication, page 33-2
• Applications Required to Receive an Authentication Challenge, page 33-2
• Adaptive Security Appliance Authentication Prompts, page 33-2
• Static PAT and HTTP, page 33-3
• Authenticating Telnet Connections with a Virtual Server, page 33-7
• Authenticating HTTP(S) Connections with a Virtual Server, page 33-7
One-Time Authentication
A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. (See the Configuration > Firewall > Advanced > Global Timeouts pane
for timeout values.) For example, if you configure the adaptive security appliance to authenticate Telnet
and FTP, and a user first successfully authenticates for Telnet, then as long as the authentication session
exists, the user does not also have to authenticate for FTP.
Applications Required to Receive an Authentication Challenge
Although you can configure the adaptive security appliance to require authentication for network access
to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A
user must first authenticate with one of these services before the adaptive security appliance allows other
traffic requiring authentication.
The authentication ports that the adaptive security appliance supports for AAA are fixed:
• Port 21 for FTP
• Port 23 for Telnet
• Port 80 for HTTP
• Port 443 for HTTPS
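The one-time authentication and challenge-port rules described above can be traced with a small Python model. This is an added example, not Cisco code or part of the original guide; the class and method names, the single 300-second absolute timeout, and the sample address are assumptions.

```python
# Added illustration of the behaviour described above; not Cisco code.
from dataclasses import dataclass, field

# Fixed ports on which the appliance can issue a challenge (from the text).
CHALLENGE_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}


@dataclass
class AuthModel:
    auth_ports: set      # destination TCP ports covered by an authentication rule
    timeout: int = 300   # assumed session lifetime in seconds (one absolute timer)
    sessions: dict = field(default_factory=dict)  # source IP -> expiry time

    def decide(self, src_ip, dst_port, now, credentials_ok=False):
        """Outcome for a new connection arriving at time `now` (seconds)."""
        if dst_port not in self.auth_ports:
            return "permit: no authentication rule"
        # One-time authentication: the session is keyed by source IP only,
        # so it covers every rule and service until it expires.
        if self.sessions.get(src_ip, 0) > now:
            return "permit: existing session"
        # Only the four services above can carry the challenge itself.
        if dst_port not in CHALLENGE_PORTS:
            return "deny: cannot challenge on this port"
        if not credentials_ok:
            return "deny: challenge failed"
        self.sessions[src_ip] = now + self.timeout
        return f"permit: authenticated via {CHALLENGE_PORTS[dst_port]}"

    def unchallengeable_ports(self):
        """Ports that need authentication but depend on a prior login elsewhere."""
        return sorted(self.auth_ports - set(CHALLENGE_PORTS))


if __name__ == "__main__":
    # Constructed scenario: rules require authentication for FTP, SSH and Telnet.
    fw = AuthModel(auth_ports={21, 22, 23})
    client = "192.0.2.10"  # documentation address, constructed
    for port, t, ok in [(22, 0, False), (23, 10, True), (21, 20, False),
                        (22, 30, False), (21, 400, False)]:
        print(t, port, fw.decide(client, port, t, credentials_ok=ok))
    print("needs prior login:", fw.unchallengeable_ports())
```

Because the session in this model is keyed by source address, every user behind a shared or translated address inherits the first user's authentication until the timer expires, which is worth weighing when choosing timeout values.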
Adaptive Security Appliance Authentication Prompts
For Telnet and FTP, the adaptive security appliance generates an authentication prompt.
For HTTP, the adaptive security appliance uses basic HTTP authentication by default, and provides an
authentication prompt. You can optionally configure the adaptive security appliance to redirect users to
an internal web page where they can enter their username and password (configured on the Configuration
> Firewall > AAA Rules > Advanced > AAA Rules Advanced Options dialog box; see the “Enabling the
Redirection Method of Authentication for HTTP and HTTPS” section on page 33-5).
For HTTPS, the adaptive security appliance generates a custom login screen. You can optionally
configure the adaptive security appliance to redirect users to an internal web page where they can enter
their username and password (configured on the Configuration > Firewall > AAA Rules > Advanced >
AAA Rules Advanced Options dialog box; see the “Enabling the Redirection Method of Authentication
for HTTP and HTTPS” section on page 33-5).
