23-2
Cisco ASDM User Guide
OL-16647-01
Chapter 23 Applying AAA for Network Access
Configuring Authentication for Network Access
Information About Authentication
The security appliance lets you configure network access authentication using AAA servers. This section
includes the following topics:
• One-Time Authentication, page 23-2
• Applications Required to Receive an Authentication Challenge, page 23-2
• Security Appliance Authentication Prompts, page 23-2
• Static PAT and HTTP, page 23-3
• Configuring Network Access Authentication, page 23-4
One-Time Authentication
A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. (See the Configuration > Firewall > Advanced > Global Timeouts pane
for timeout values.) For example, if you configure the security appliance to authenticate Telnet and FTP,
and a user first successfully authenticates for Telnet, then as long as the authentication session exists,
the user does not also have to authenticate for FTP.
Applications Required to Receive an Authentication Challenge
Although you can configure the security appliance to require authentication for network access to any
protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must
first authenticate with one of these services before the security appliance allows other traffic requiring
authentication.
The authentication ports that the security appliance supports for AAA are fixed:
• Port 21 for FTP
• Port 23 for Telnet
• Port 80 for HTTP
• Port 443 for HTTPS
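The following is an added example, not Cisco code: a small Python model of the decision logic in the two sections above (one authentication per source IP until the session expires, and challenges possible only on the four fixed ports). The class and function names, the 300-second timeout, the sample address, and the treatment of expiry as a fixed lifetime from the time of authentication are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Fixed AAA authentication ports listed in this section.
CHALLENGE_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}

@dataclass
class AuthProxyModel:
    """Illustrative model of the documented behaviour; not appliance code."""
    session_timeout: int                          # seconds (assumed value)
    sessions: dict = field(default_factory=dict)  # source IP -> auth time

    def _session_active(self, src_ip, now):
        started = self.sessions.get(src_ip)
        if started is None:
            return False
        if now - started >= self.session_timeout:
            del self.sessions[src_ip]             # authentication session expired
            return False
        return True

    def decide(self, src_ip, dst_port, now, requires_auth=True):
        """Return 'permit', 'challenge' or 'deny' for a new connection."""
        if not requires_auth or self._session_active(src_ip, now):
            return "permit"                       # one-time authentication applies
        if dst_port in CHALLENGE_PORTS:
            return "challenge"                    # user can authenticate directly
        return "deny"                             # must authenticate elsewhere first

    def authenticated(self, src_ip, now):
        """Record a successful AAA server response for this source IP."""
        self.sessions[src_ip] = now

def walkthrough():
    fw = AuthProxyModel(session_timeout=300)      # constructed timeout
    ip = "192.0.2.10"                             # constructed address
    out = [fw.decide(ip, 22, now=0)]              # SSH first: no prompt possible
    out.append(fw.decide(ip, 23, now=1))          # Telnet: prompted
    fw.authenticated(ip, now=2)
    out.append(fw.decide(ip, 21, now=10))         # FTP: no second prompt
    out.append(fw.decide(ip, 22, now=20))         # SSH now allowed
    out.append(fw.decide(ip, 22, now=400))        # session has expired
    return out

if __name__ == "__main__":
    print(walkthrough())
```

Because the model keys the session on the source IP address alone, as the One-Time Authentication text describes, every connection from that address is permitted while the session exists.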
Security Appliance Authentication Prompts
For Telnet and FTP, the security appliance generates an authentication prompt.
For HTTP, the security appliance uses basic HTTP authentication by default, and provides an
authentication prompt. You can optionally configure the security appliance to redirect users to an
internal web page where they can enter their username and password (configured on the Configuration
> Firewall > AAA Rules > Advanced > AAA Rules Advanced Options dialog box; see the “Enabling the
Redirection Method of Authentication for HTTP and HTTPS” section on page 23-5).
For HTTPS, the security appliance generates a custom login screen. You can optionally configure the
security appliance to redirect users to an internal web page where they can enter their username and
password (configured on the Configuration > Firewall > AAA Rules > Advanced > AAA Rules
Advanced Options dialog box; see the “Enabling the Redirection Method of Authentication for HTTP
and HTTPS” section on page 23-5).