Filter
Top Products
7-15
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Configuring AAA Rules for Network Access
Configuring Authorization for Network Access
To configure TACACS+ authorization, perform the following steps:
Command Purpose
Step 1
aaa-server
Example:
ciscoasa(config)# aaa-server AuthOutbound protocol
tacacs+
Identifies your AAA servers. If you have already
identified them, continue to the next step.
Step 2
access-list
Example:
ciscoasa(config)# access-list MAIL_AUTH extended
permit tcp any any eq smtp
Creates an ACL that identifies the source addresses
and destination addresses of traffic you want to
authenticate. For details, see the general operations
configuration guide.
The permit ACEs mark matching traffic for
authentication, while deny entries exclude matching
traffic from authentication. Be sure to include the
destination ports for either HTTP, HTTPS, Telnet, or
FTP in the ACL, because the user must authenticate
with one of these services before other services are
allowed through the ASA.
Step 3
aaa authentication match acl_name interface_name
server_group
Example:
ciscoasa(config)# aaa authentication match MAIL_AUTH
inside AuthOutbound
Configures authentication. The acl_name argument
is the name of the ACL that you created in Step 2.,
The interface_name argument is the name of the
interface specified with the nameif command, and
the server_group argument is the AAA server group
that you created in Step 1.
Note You can alternatively use the aaa
authentication include command (which
identifies traffic within the command).
However, you cannot use both methods in
the same configuration. See the command
reference for more information.
Step 4
aaa authentication listener http[s] interface_name
[port portnum] redirect
Example:
ciscoasa(config)# aaa authentication listener http
inside redirect
(Optional) Enables the redirection method of
authentication for HTTP or HTTPS connections.
The interface_name argument is the interface on
which you want to enable listening ports. The port
portnum argument specifies the port number on
which the ASA listens; the defaults are 80 (HTTP)
and 443 (HTTPS).
You can use any port number and retain the same
functionality, but be sure your direct authentication
users know the port number; redirected traffic is sent
to the correct port number automatically, but direct
authenticators must specify the port number
manually.
Enter this command separately for HTTP and for
HTTPS.