8-3
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 8 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
One-Time Authentication
A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. (See the Configuration > Firewall > Advanced > Global Timeouts pane
for the authentication absolute and inactivity timeout values.) For example, if you configure the ASA to
authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the
authentication session exists, the user does not also have to authenticate for FTP.
Note that the session is keyed on the source IP address, not on the user: any host that shares that
address (for example, several clients behind a NAT device or proxy) reuses the same authenticated
session until it expires, so choose the timeouts with that in mind.
Applications Required to Receive an Authentication Challenge
Although you can configure the ASA to require authentication for network access to any protocol or
service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first
authenticate with one of these services before the ASA allows other traffic requiring authentication.
The authentication ports that the ASA supports for AAA are fixed as follows:
• Port 21 for FTP
• Port 23 for Telnet
• Port 80 for HTTP
• Port 443 for HTTPS
ASA Authentication Prompts
For Telnet and FTP, the ASA generates an authentication prompt within the protocol itself.
For HTTP, the ASA uses basic HTTP authentication by default, and the browser displays the resulting
authentication prompt. For HTTPS, the ASA generates a custom login screen.
For both HTTP and HTTPS, you can optionally configure the ASA to redirect users to an internal web
page where they enter their username and password (configured in the Configuration > Firewall > AAA
Rules > Advanced > AAA Rules Advanced Options dialog box; see the “Enabling the Redirection Method
of Authentication for HTTP and HTTPS” section on page 8-7).
Redirection is an improvement over the basic method because it gives users a better experience during
authentication, and the same experience for HTTP and HTTPS in both Easy VPN and firewall modes. It
also supports authentication directly with the ASA.
You might want to continue to use basic HTTP authentication for the following reasons:
• You do not want the ASA to open listening ports.
• You use NAT on a router and you do not want to create a translation rule for the web page served by
the ASA.
• Basic HTTP authentication might work better with your network. For example, non-browser
applications, as when a URL is embedded in e-mail, might be more compatible with basic authentication.
Keep in mind that basic HTTP authentication carries the username and password base64-encoded, not
encrypted, in the Authorization header, so credentials entered over plain HTTP on port 80 are visible to
anyone who can capture the traffic between the client and the ASA.
After the user authenticates correctly, the ASA redirects the browser to the original destination. If the
destination server also has its own authentication, the user enters another username and password there.
If you use basic HTTP authentication and the user must enter a different username and password for the
destination server, you need to configure virtual HTTP (see the Configuration > Firewall > Advanced
Options > Virtual Access pane); otherwise the credentials supplied to the ASA are carried through to the
destination server, which rejects them.
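The CLI equivalent of the settings this section describes (the AAA rule, the one-time authentication
timeouts, the HTTP/HTTPS prompt method, and virtual HTTP), given here as an added example rather
than text from the guide. The server group name, interface name, addresses, ACL name and RADIUS
key are placeholders chosen for illustration.

```cisco
! Added example, not from the guide. CORP-RADIUS, 10.1.1.0/24, 10.1.1.10 and
! the shared secret are placeholders.
aaa-server CORP-RADIUS protocol radius
aaa-server CORP-RADIUS (inside) host 10.1.1.10
 key ExampleSharedSecret
!
! Traffic that must be authenticated (cut-through proxy). Users can only answer
! the challenge over FTP, Telnet, HTTP or HTTPS on their fixed ports, so the
! rule must include at least one of them; other protocols in the rule (SMTP here)
! pass only once the source IP already holds an authenticated session.
access-list AUTH_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list AUTH_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-list AUTH_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list AUTH_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq smtp
aaa authentication match AUTH_IN inside CORP-RADIUS
!
! One-time authentication window (Global Timeouts pane): the session for a
! source IP ends after 10 minutes idle or 1 hour absolute, whichever is first.
! Hosts sharing that IP (behind NAT) share the session, so keep these short.
timeout uauth 1:00:00 absolute uauth 0:10:00 inactivity
!
! Default behaviour with no listener: basic HTTP authentication, credentials
! base64-encoded in the Authorization header and sent in the clear on port 80.
! The redirection method instead has the ASA listen on the interface and send
! the browser to its own login page (this opens listening ports on the ASA).
aaa authentication listener http inside port 80 redirect
aaa authentication listener https inside port 443 redirect
!
! Alternative: keep basic HTTP authentication (omit the two listener lines above).
! If the destination web server then has its own login, enable virtual HTTP so
! the ASA collects its credentials separately and they are not carried through
! to the destination server:
! virtual http
```

The two listener lines correspond to the AAA Rules Advanced Options dialog box; `virtual http`
corresponds to the Virtual Access pane. Use one approach or the other for a given deployment.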