Support User Manuals

Cisco Systems ASA 5555-X Network Router User Manual

Open as PDF

of 712

7-8

Cisco ASA Series Firewall CLI Configuration Guide

Chapter 7 Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

Examples

The following example authenticates all inside HTTP traffic and SMTP traffic:

ciscoasa(config)# aaa-server AuthOutbound protocol tacacs+

ciscoasa(config-aaa-server-group)# exit

ciscoasa(config)# aaa-server AuthOutbound (inside) host 10.1.1.1

ciscoasa(config-aaa-server-host)# key TACPlusUauthKey

ciscoasa(config-aaa-server-host)# exit

ciscoasa(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp

ciscoasa(config)# access-list MAIL_AUTH extended permit tcp any any eq www

ciscoasa(config)# aaa authentication match MAIL_AUTH inside AuthOutbound

ciscoasa(config)# aaa authentication listener http inside redirect

The following example authenticates Telnet traffic from the outside interface to a particular server

(209.165.201.5):

ciscoasa(config)# aaa-server AuthInbound protocol tacacs+

ciscoasa(config-aaa-server-group)# exit

ciscoasa(config)# aaa-server AuthInbound (inside) host 10.1.1.1

ciscoasa(config-aaa-server-host)# key TACPlusUauthKey

ciscoasa(config-aaa-server-host)# exit

ciscoasa(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5

eq

telnet

ciscoasa(config)# aaa authentication match TELNET_AUTH outside AuthInbound

Step 4

aaa authentication listener http[s] interface_name

[port portnum] redirect

Example:

ciscoasa(config)# aaa authentication listener http

inside redirect

(Optional) Enables the redirection method of

authentication for HTTP or HTTPS connections.

The interface_name argument is the interface on

which you want to enable listening ports. The port

portnum argument specifies the port number on

which the ASA listens; the defaults are 80 (HTTP)

and 443 (HTTPS).

You can use any port number and retain the same

functionality, but be sure your direct authentication

users know the port number; redirected traffic is sent

to the correct port number automatically, but direct

authenticators must specify the port number

manually.

Enter this command separately for HTTP and for

HTTPS.

Step 5

aaa local authentication attempts max-fail number

Example:

ciscoasa(config)# aaa local authentication attempts

max-fail 7

(Optional) Uses the local database for network

access authentication and limits the number of

consecutive failed login attempts that the ASA

allows any given user account (with the exception of

users with a privilege level of 15. This feature does

not affect level 15 users). The number argument

value is between 1 and 16.

Tip To clear the lockout status of a specific user

or all users, use the clear aaa local user

lockout command.

Command Purpose

previous next