23-5
Cisco ASDM User Guide
OL-16647-01
Chapter 23 Applying AAA for Network Access
Configuring Authentication for Network Access
Enabling the Redirection Method of Authentication for HTTP and HTTPS
This method of authentication enables HTTP(S) listening ports to authenticate network users. When you
enable a listening port, the security appliance serves an authentication page for direct connections and,
by enabling redirection, for through traffic. This method also prevents the authentication credentials
from continuing to the destination server. See the “Security Appliance Authentication Prompts” section
on page 23-2 for more information about the redirection method versus the basic method.
To enable a AAA listener, perform the following steps:
Step 1 From the Configuration > Firewall > AAA Rules pane, click Advanced.
The AAA Rules Advanced Options dialog box appears.
Step 2 Under Interactive Authentication, click Add.
The Add Interactive Authentication Entry dialog box appears.
Step 3 For the Protocol, choose either HTTP or HTTPS. You can enable both by repeating this procedure and
creating two separate rules.
Step 4 From the Interface drop-down list, choose the interface on which you want to enable the listener.
Step 5 From the Port drop-down list, choose the port or enter a number.
This is the port that the security appliance listens on for direct or redirected traffic; the defaults are 80
(HTTP) and 443 (HTTPS). You can use any port number and retain the same functionality, but be sure
your direct authentication users know the port number; redirected traffic is sent to the correct port
number automatically, but direct authenticators must specify the port number manually.
Step 6 (Optional) Check Redirect network users for authentication request.
This option redirects through traffic to an authentication web page served by the security appliance.
Without this option, only traffic directed to the security appliance interface can access the authentication
web pages.
Note If you enable the redirect option, you cannot also configure static PAT for the same interface
where you translate the interface IP address and the same port that is used for the listener; NAT
succeeds, but authentication fails.
Step 7 Click OK, and then click OK to exit the AAA Rules Advanced Options dialog box.
Step 8 Click Apply.
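The same configuration expressed as ASA CLI, added here as an illustration; it is not taken from this page. The listener commands are what ASDM writes to the running configuration when you complete Steps 1 through 8; the interface name inside, the ACL name AUTH_TRAFFIC, the 10.1.1.0/24 client network, the RADIUS server 10.1.1.5, the server group RADIUS_SRV and the DMZ host 192.168.2.10 are assumed values for the example. The fragment shows the basic method (no listener), the redirection method for both protocols, a non-default port, and the static PAT combination that the Note at Step 6 warns against. One caveat the procedure does not spell out: the HTTP listener still receives the username and password from the browser in clear text; redirection only stops them from being relayed to the destination server, so prefer the HTTPS listener where clients can reach it.

```text
! Assumed example: AAA server group and the rule that selects which
! through traffic must authenticate (Configuration > Firewall > AAA Rules).
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 10.1.1.5
 key <shared-secret>
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH_TRAFFIC extended permit tcp 10.1.1.0 255.255.255.0 any eq https
aaa authentication match AUTH_TRAFFIC inside RADIUS_SRV

! Basic method: with no "aaa authentication listener" line, the appliance
! prompts through the browser's own authentication dialog and the
! credentials continue to the destination server (in clear text over HTTP).

! Redirection method (Steps 3 to 6): one listener per protocol, each with
! "redirect" so that through traffic is sent to the appliance's login page
! and the credentials terminate at the appliance.
aaa authentication listener http inside port 80 redirect
aaa authentication listener https inside port 443 redirect

! Non-default port (Step 5), as an alternative to the port-443 line above.
! Redirected users are sent to 8443 automatically; users who authenticate
! directly must browse to https://<inside-interface-ip>:8443 themselves.
aaa authentication listener https inside port 8443 redirect

! Conflict described in the Note at Step 6. This static PAT translates the
! inside interface address on port 80, the same port the HTTP listener uses.
! The translation takes effect and the listener never sees the request, so
! NAT succeeds and authentication fails. Do not combine it with the port-80
! listener above; move the listener to another port or the PAT to another.
static (dmz,inside) tcp interface 80 192.168.2.10 80 netmask 255.255.255.255

! Verification after Step 8: confirm the listeners are present and, after a
! test login, that the user appears in the authentication cache.
show running-config aaa
show uauth
```

The listener is per interface, so repeat the two `aaa authentication listener` lines for each interface on which Step 4 is performed; the `aaa authentication match` rule determines which flows are challenged, while the listener only determines how the challenge is presented.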
Enabling Secure Authentication of Web Clients
If you use HTTP authentication, by default the username and password are sent from the client to the
security appliance in clear text, and the security appliance then passes the same username and password
on to the destination web server. The security appliance provides several methods of securing HTTP
authentication, including the following:
• Enable the redirection method of authentication for HTTP—See the “Enabling the Redirection
Method of Authentication for HTTP and HTTPS” section on page 23-5. This method prevents the
authentication credentials from continuing to the destination server.