Cisco Systems OL-16647-01 Network Router User Manual


23-6
Cisco ASDM User Guide
OL-16647-01
Chapter 23 Applying AAA for Network Access
Configuring Authentication for Network Access
Enabling Virtual HTTP—Virtual HTTP lets you authenticate separately with the security appliance
and with the HTTP server. Even if the HTTP server does not need a second authentication, this
feature achieves the effect of stripping the basic authentication credentials from the HTTP GET
request. See the “Authenticating HTTP(S) Connections with a Virtual Server” section on page 23-7
for more information.
Enabling the Exchange of Usernames and Passwords Using HTTPS—To enable the exchange of
usernames and passwords between a web client and the security appliance with HTTPS, perform the
following steps:
a. From the Configuration > Firewall > AAA Rules pane, click Advanced. The AAA Rules
Advanced Options dialog box appears.
b. Under Secure HTTP, click Enable Secure HTTP.
c. Click OK, and then click OK to exit the AAA Rules Advanced Options dialog box. Click
Apply.
This is the only method that protects credentials between the client and the security appliance, as
well as between the security appliance and the destination server. You can use this method alone, or
in conjunction with either of the other methods so you can maximize your security.
After you enable this feature, when an HTTP user requires authentication, the security
appliance redirects the user to an HTTPS prompt. After the user authenticates correctly, the
security appliance redirects the user to the original HTTP URL.
Secured web-client authentication has the following limitations:
A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS
authentication processes are running, a new connection requiring authentication will not
succeed.
When the uauth timeout is set to unlimited, HTTPS authentication might not work. If a browser
initiates multiple TCP connections to load a web page after HTTPS authentication, the first
connection is let through, but the subsequent connections trigger authentication. As a result,
users are continuously presented with an authentication page, even if the correct username and
password are entered each time. To work around this, set the uauth timeout to 1 second (see the
Configuration > Firewall > Advanced > Global Timeouts pane). However, this workaround
opens a 1-second window of opportunity that might allow non-authenticated users to go through
the firewall if they are coming from the same source IP address.
Because HTTPS authentication occurs on the SSL port 443, users must not configure an Access
Rule to block traffic from the HTTP client to HTTP server on port 443. Furthermore, if static
PAT is configured for web traffic on port 80, it must also be configured for the SSL port.
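The last two limitations above (no access rule blocking port 443 toward the HTTP server, and static PAT for port 80 needing a matching entry for port 443) can be checked mechanically before the change is applied. The following Python script is an added example and is not part of the Cisco guide or of ASDM. It scans ASA-style configuration text and reports an access rule that denies TCP port 443 and a static PAT entry that maps port 80 without a counterpart for port 443, but only once secure HTTP client authentication is enabled. The command forms it parses are assumed to be the pre-8.3 ASA syntax for "access-list ... extended", "static (real_ifc,mapped_ifc) tcp ..." and "aaa authentication secure-http-client"; the two sample configurations are constructed for the example and describe no real device.

```python
"""Added example (not from the Cisco guide): lint ASA-style configuration text
for two of the conditions the guide says break secure (HTTPS) web-client
authentication once 'aaa authentication secure-http-client' is enabled:

  1. an access rule that denies TCP port 443 (the HTTPS prompt runs there), and
  2. static PAT for web traffic on port 80 with no matching entry for port 443.

Assumptions: pre-8.3 ASA command forms for 'access-list ... extended ...' and
'static (real_ifc,mapped_ifc) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT';
the sample configurations are constructed and do not describe any real device.
"""
from typing import Optional

# Service keywords the ASA accepts in place of port numbers for the ports we check.
PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def port_number(token: str) -> Optional[int]:
    """Map a numeric port or an ASA service keyword to a port number (None if unknown)."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token.lower())


def lint_secure_http(config_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    secure_http = False
    deny_443_rules: list[str] = []
    static_ports: dict[tuple[str, str], set[int]] = {}

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        tokens = line.split()

        if line == "aaa authentication secure-http-client":
            secure_http = True

        elif tokens[0] == "access-list" and "deny" in tokens and "tcp" in tokens and "eq" in tokens:
            # The destination port is the operand of the last 'eq' on the line.
            last_eq = len(tokens) - 1 - tokens[::-1].index("eq")
            if last_eq + 1 < len(tokens) and port_number(tokens[last_eq + 1]) == 443:
                deny_443_rules.append(line)

        elif tokens[0] == "static" and len(tokens) >= 7 and tokens[2] == "tcp":
            # static (real,mapped) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT [netmask ...]
            mapped_ip, mapped_port, real_ip = tokens[3], tokens[4], tokens[5]
            port = port_number(mapped_port)
            if port is not None:
                static_ports.setdefault((mapped_ip, real_ip), set()).add(port)

    findings: list[str] = []
    if not secure_http:
        findings.append("info: 'aaa authentication secure-http-client' is not configured; "
                        "web-client credentials are not exchanged over the HTTPS prompt")
        return findings

    for rule in deny_443_rules:
        findings.append(f"error: access rule denies port 443, which HTTPS authentication needs: {rule}")

    for (mapped_ip, real_ip), ports in sorted(static_ports.items()):
        if 80 in ports and 443 not in ports:
            findings.append(f"error: static PAT {mapped_ip} -> {real_ip} covers port 80 but not port 443")

    return findings


# Constructed sample: enables secure HTTP, then breaks it in both ways the guide warns about.
BROKEN_CONFIG = """\
! constructed sample, not a real device
hostname asa-lab
aaa authentication match AUTH_WEB inside LOCAL
aaa authentication secure-http-client
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www
access-list OUTSIDE_IN extended deny tcp any host 192.0.2.10 eq https
access-group OUTSIDE_IN in interface outside
static (inside,outside) tcp 203.0.113.5 www 192.0.2.10 www netmask 255.255.255.255
"""

# Same device with port 443 permitted and the matching static PAT for the SSL port added.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "deny tcp any host 192.0.2.10 eq https", "permit tcp any host 192.0.2.10 eq https"
) + "static (inside,outside) tcp 203.0.113.5 https 192.0.2.10 https netmask 255.255.255.255\n"


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {lint_secure_http(cfg) or ['no findings']}")
```

Run it as-is to see the broken configuration produce two findings and the corrected one produce none; on a real device, paste the output of "show running-config" into the script in place of the constructed sample. The checker flags any deny of port 443 rather than only the client-to-server path, so treat its output as a review list rather than a verdict.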
Authenticating Directly with the Security Appliance
If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the security appliance but want to
authenticate other types of traffic, you can authenticate with the security appliance directly using HTTP,
HTTPS, or Telnet.
Authenticating Telnet Connections with a Virtual Server, page 23-7
Authenticating HTTP(S) Connections with a Virtual Server, page 23-7