23-7
Cisco ASDM User Guide
OL-16647-01
Chapter 23 Applying AAA for Network Access
Configuring Authentication for Network Access
Authenticating Telnet Connections with a Virtual Server
Although you can configure network access authentication for any protocol or service (see the
“Configuring Authentication for Network Access” section on page 23-1), you can authenticate directly
with HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other
traffic that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP
through the security appliance, but want to authenticate other types of traffic, you can configure virtual
Telnet; the user Telnets to a given IP address configured on the security appliance, and the security
appliance provides a Telnet prompt.
You must configure authentication for Telnet access to the virtual Telnet address as well as the other
services you want to authenticate according to the “Configuring Authentication for Network Access”
section on page 23-1.
When an unauthenticated user connects to the virtual Telnet IP address, the user is challenged for a
username and password, and then authenticated by the AAA server. Once authenticated, the user sees
the message “Authentication Successful.” Then, the user can successfully access other services that
require authentication.
For inbound users (from lower security to higher security), you must also include the virtual Telnet
address as a destination interface in the Access Rule applied to the source interface. Moreover, you must
add a static NAT rule for the virtual Telnet IP address, even if NAT is not required. An identity NAT rule
is typically used (where you translate the address to itself).
For outbound users, there is an explicit permit for traffic, but if you apply an Access Rule to an inside
interface, be sure to allow access to the virtual Telnet address. A static NAT rule is not required.
To log out from the security appliance, reconnect to the virtual Telnet IP address; you are prompted to
log out.
To enable direct authentication using Telnet, perform the following steps:
Step 1 From the Configuration > Firewall > Advanced > Virtual Access > Virtual Telnet Server area, check the
Enable check box.
Step 2 In the Virtual Telnet Server field, add the IP address of the virtual Telnet server.
Make sure this address is an unused address that is routed to the security appliance. For example, if you
perform NAT for inside addresses accessing an outside server, and you want to provide outside access
to the virtual Telnet server, you can use one of the global NAT addresses for the virtual Telnet server
address.
Step 3 Click Apply.
The virtual server is added and the changes are saved to the running configuration.
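The following is an added example, not part of the original guide, showing the security appliance CLI configuration that corresponds to the ASDM procedure above together with the supporting rules the text requires for inbound users (authentication for the virtual Telnet address, an identity static NAT rule, and an access rule that permits Telnet to that address). The addresses, the server at 10.1.1.10 on TCP port 1521, the AAA server group name AuthInbound and the TACACS+ host are assumed values chosen for illustration; the static NAT syntax is the pre-8.3 form used by the release this guide documents.

```cisco
! Added example (not from the guide): CLI equivalent of the virtual Telnet procedure.
! All addresses, names and ports below are assumed for illustration.

! AAA server group that authenticates the users (assumed name and host)
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (inside) host 10.1.1.5
 key <tacacs-shared-secret-placeholder>

! Step 1/2 equivalent: enable virtual Telnet on an unused address routed to the appliance
virtual telnet 209.165.200.230

! Inbound users: identity static NAT for the virtual Telnet address (required even without NAT),
! and for the inside server that the authenticated traffic actually reaches (assumed server)
static (inside,outside) 209.165.200.230 209.165.200.230 netmask 255.255.255.255
static (inside,outside) 10.1.1.10 10.1.1.10 netmask 255.255.255.255

! Inbound access rule on the outside interface: permit Telnet to the virtual address
! as well as the service that requires authentication
access-list outside_in extended permit tcp any host 209.165.200.230 eq telnet
access-list outside_in extended permit tcp any host 10.1.1.10 eq 1521
access-group outside_in in interface outside

! Traffic that must be authenticated: the virtual Telnet address itself plus the protected service
access-list auth_in extended permit tcp any host 209.165.200.230 eq telnet
access-list auth_in extended permit tcp any host 10.1.1.10 eq 1521
aaa authentication match auth_in outside AuthInbound
```

With this in place an outside user who opens TCP/1521 to 10.1.1.10 before authenticating is denied; the user first Telnets to 209.165.200.230, supplies credentials to the AAA server, sees "Authentication Successful", and only then is the port 1521 connection allowed through. Because the virtual Telnet exchange itself is cleartext Telnet, the credentials it carries are exposed on the path to the appliance, so the virtual HTTPS alternative described later in this chapter is the preferable choice where the client can use it.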
Authenticating HTTP(S) Connections with a Virtual Server
When you use HTTP authentication on the security appliance (see the “Configuring Authentication for
Network Access” section on page 23-1), the security appliance uses basic HTTP authentication by
default. You can change the authentication method so that the security appliance redirects HTTP
connections to web pages generated by the security appliance itself using the “Configuring HTTP
Redirect” section on page 6-4.
However, if you continue to use basic HTTP authentication, then you might need the virtual HTTP server
when you have cascading HTTP authentications.