
Cisco Asdm 7 User Guide


Page 241

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 8: Configuring AAA Rules for Network Access
This chapter describes how to enable AAA (pronounced “triple A”) for network access.
For information about AAA for management access, see the “Configuring AAA for System 
Administrators” section on page 96-18 in the general operations configuration guide.
This chapter includes the following sections:
AAA Performance, page 8-1
Licensing Requirements for AAA Rules, page 8-1
Guidelines and...

Page 242

 
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
IPv6 Guidelines
Supports IPv6.
Additional Guidelines
In clustering, this feature is only supported on the master unit....

Page 243

 
  Configuring Authentication for Network Access
One-Time Authentication
A user at a given IP address only needs to authenticate one time for all rules and types, until the 
authentication session expires. (See the Configuration > Firewall > Advanced > Global Timeouts pane 
for timeout values.) For example, if you configure the ASA to authenticate Telnet and FTP, and a user 
first...

Page 244

 
Note: If you use HTTP authentication, by default the username and password are sent from the client to the 
ASA in clear text; in addition, the username and password are sent on to the destination web server as 
well. See the “Enabling Secure Authentication of Web Clients” section on page 8-8 for information to 
secure your credentials.
For FTP,...

Page 245

 
For Telnet and FTP traffic, users must log in through the cut-through proxy server and again to the 
Telnet and FTP servers.
A user can specify an Active Directory domain while providing login credentials (in the format, 
domain\username). The ASA automatically selects the associated AAA server group for the 
specified domain.
If a user...

Page 246

 
nat (inside,outside) static 10.48.66.155 service tcp 111 889
Then users do not see the authentication page. Instead, the ASA sends an error message to the web 
browser, indicating that the user must be authenticated before using the requested service.
When a mapped address is used for static PAT, it is automatically placed into the dynamic PAT...

Page 247

 
Step 3: In the AAA Server Group drop-down list, choose a server group. To add a AAA server to the server 
group, click Add Server.
If you chose LOCAL for the AAA server group, you can optionally add a new user by clicking Add User. 
See the “Adding a User Account to the Local Database” section on page 33-4 in the general operations 
configuration...

Page 248

 
Step 3: For the Protocol, choose either HTTP or HTTPS. You can enable both by repeating this procedure and 
creating two separate rules.
Step 4: In the Interface drop-down list, choose the interface on which you want to enable the listener.
Step 5: In the Port drop-down list, choose the port or enter a number. 
This is the port that the ASA listens...

Page 249

 
This is the only method that protects credentials between the client and the ASA, as well as between 
the ASA and the destination server. You can use this method alone, or in conjunction with either of 
the other methods so you can maximize your security.
After enabling this feature, when a user requires authentication when using HTTP, the ASA...

Page 250

 
server; you are not prompted separately for the HTTP server username and password. Assuming the 
username and password are not the same for the AAA and HTTP servers, then the HTTP authentication 
fails.
This feature redirects all HTTP connections that require AAA authentication to the virtual HTTP server 
on the ASA. The ASA prompts for the...