Cisco Systems and the ASA Services Module Network Router User Manual
7-5
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
For Telnet and FTP traffic, users must log in through the cut-through proxy server and again to the
Telnet and FTP servers.
A user can specify an Active Directory domain while providing login credentials, in the format
domain\username. The ASA parses the domain portion and uses it to select the AAA server group that
has been configured for that domain in the identity firewall; only the username (without the domain)
is passed to the AAA server.
If the backslash (\) delimiter is not found in the login credentials, the ASA does not parse a domain,
and authentication is conducted with the AAA server group that corresponds to the default domain
configured for the identity firewall.
If no default domain is configured, or no server group is configured for the default domain, the ASA
rejects the authentication.
AAA Rules as a Backup Authentication Method
An authentication rule (also known as “cut-through proxy”) controls network access based on the user.
Because this function is very similar to an access rule plus an identity firewall, AAA rules can be used
as a backup method of authentication if a user's AD login expires or a valid user has not yet logged
into AD. For example, for any user without a valid login, you can trigger a AAA rule. To ensure that the
AAA rule is triggered only for users that do not have valid logins, you can use two special usernames in
the extended ACLs for the access rule and for the AAA rule: None (users without a valid login) and Any
(users with a valid login). In the access rule, configure your policy as usual for users and groups, but
then include a rule that permits all None users before the final deny any any; you must permit these
users so that their traffic can later trigger the AAA rule. Then configure a AAA rule that does not match
Any users (these users are not subject to the AAA rule and were already handled by the access rule) but
matches all None users, so that AAA authentication is triggered only for them. After the user has
successfully logged in via the cut-through proxy, the traffic flows normally again.
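The following configuration is an added example, not taken from the guide, that ties the two preceding passages together: the per-domain AAA server groups and default domain that drive the domain\username parsing described above, and the access rule plus backup AAA rule built from the None and Any special usernames. All names (AD_CORP, AD_LAB, CORP, LAB, INSIDE_IN, AAA_BACKUP), addresses, LDAP base DNs and the bind account are placeholders assumed for illustration; the AD agent configuration that the identity firewall also requires is omitted.

```cisco
! --- Identity firewall: one AAA server group per AD domain (placeholder values) ---
aaa-server AD_CORP protocol ldap
aaa-server AD_CORP (inside) host 10.1.1.5
 ldap-base-dn dc=corp,dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=corp,dc=example,dc=com
 ldap-login-password REPLACE_WITH_BIND_PASSWORD
 server-type microsoft
aaa-server AD_LAB protocol ldap
aaa-server AD_LAB (inside) host 10.2.2.5
 ldap-base-dn dc=lab,dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=lab,dc=example,dc=com
 ldap-login-password REPLACE_WITH_BIND_PASSWORD
 server-type microsoft
!
! Domain-to-server-group mapping used when a user logs in as domain\username:
!   CORP\jsmith -> AD_CORP, username "jsmith" sent to the server
!   LAB\jsmith  -> AD_LAB,  username "jsmith" sent to the server
!   jsmith      -> no backslash, so the default domain CORP -> AD_CORP
! Without the default-domain line, the bare "jsmith" login is rejected.
user-identity domain CORP aaa-server AD_CORP
user-identity domain LAB aaa-server AD_LAB
user-identity default-domain CORP
user-identity enable
!
! --- Access rule: normal user/group policy first, then let NONE users through ---
! NONE = sessions with no valid AD login; ANY = sessions with a valid login.
access-list INSIDE_IN extended permit tcp user-group CORP\\Engineering any 10.10.0.0 255.255.0.0 eq 22
access-list INSIDE_IN extended permit tcp user ANY any any eq 80
access-list INSIDE_IN extended permit tcp user ANY any any eq 443
access-list INSIDE_IN extended permit ip user NONE any any
access-list INSIDE_IN extended deny ip any any
access-group INSIDE_IN in interface inside
!
! --- Backup AAA rule (cut-through proxy) for NONE users only ---
! In a match ACL, deny = do not require authentication, permit = require it.
! ANY users are excluded explicitly; only NONE users are prompted to log in.
access-list AAA_BACKUP extended deny ip user ANY any any
access-list AAA_BACKUP extended permit ip user NONE any any
aaa authentication match AAA_BACKUP inside AD_CORP
```

Two points a practitioner should check on a live box. First, the permit for NONE users in INSIDE_IN is deliberately broad because the AAA rule, not the access rule, is what holds their traffic until they authenticate; a user with no login can only satisfy the cut-through proxy over HTTP, HTTPS, FTP or Telnet, so any other NONE traffic stays blocked until one of those logins succeeds. Second, the server group named in the aaa authentication match command is the starting point only: as the section above describes, a login entered as LAB\jsmith is routed to the server group mapped to LAB, and a bare username goes to the default domain's group.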
Static PAT and HTTP
For HTTP authentication, the ASA checks real ports when static PAT is configured. If it detects traffic
destined for real port 80, regardless of the mapped port, the ASA intercepts the HTTP connection and
enforces authentication.
For example, assume that outside TCP port 889 is translated to port 80 and that any relevant ACLs permit
the traffic:
object network obj-192.168.123.10-01
 host 192.168.123.10
 nat (inside,outside) static 10.48.66.155 service tcp 80 889
Then, when users try to access 10.48.66.155 on port 889, the ASA intercepts the traffic and enforces
HTTP authentication. Users see the HTTP authentication page in their web browsers before the ASA
allows the HTTP connection to complete.
If the local port is different from port 80, as in the following example:
object network obj-192.168.123.10-02
 host 192.168.123.10