15-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
Understanding How Users Authenticate
Users are prompted only for HTTP, HTTPS, FTP, and Telnet connections (if you configure those protocols to require authentication). For ASA, PIX, and FWSM devices, you can also require authentication for other protocols; however, users are not prompted for them, and so they must first attempt one of the four supported protocols and successfully authenticate before completing connections of any other protocol that requires authentication.

Tip: For ASA, PIX, and FWSM devices, if you do not want to allow HTTP, HTTPS, Telnet, or FTP through the security appliance but want to authenticate other types of traffic, you can require that the user authenticate with the security appliance directly using HTTP or HTTPS by configuring the interface to use interactive authentication (using the Firewall > Settings > AAA Firewall policy). The user would then authenticate with the appliance before trying other connections, using one of the following URLs, where interface_ip is the IP address of the interface and port is optionally the port number, if you specify a non-default port for the protocol in the interactive authentication table:
http://interface_ip[:port]/netaccess/connstatus.html or
https://interface_ip[:port]/netaccess/connstatus.html.

When attempting a connection through the device, the user is prompted based on the protocol:

HTTP—The device prompts the user with a web page to provide username and password. The user is prompted repeatedly until successfully authorized. After the user authenticates correctly, the device redirects the user to the original destination. If the destination server also has its own authentication, the user enters another username and password.

For ASA, PIX, and FWSM devices, the security appliance uses basic HTTP authentication by default, and provides an authentication prompt. You can improve the user experience by configuring the interface for interactive authentication and specifying redirect for HTTP traffic. This redirects the user to a web page hosted on the appliance for authentication. To configure an interface to use interactive authentication, add the interface to the Interactive Authentication table on the Firewall > Settings > AAA Firewall policy (see AAA Firewall Settings Page, Advanced Setting Tab, page 15-19). Ensure that you select the HTTP and Redirect options when adding the interface.
You might want to continue to use basic HTTP authentication if you do not want the security appliance to open listening ports; if you use NAT on a router and do not want to create a translation rule for the web page served by the security appliance; or if basic HTTP authentication works better with your network. For example, non-browser applications, such as when a URL is embedded in email, might be more compatible with basic authentication.

However, when using basic HTTP authentication, if the user is going to an HTTP server that requires authentication, the same username and password used to authenticate with the appliance are sent to the HTTP server. Thus, login to the HTTP server fails unless the same username and password are used by the ASA and the HTTP server. To avoid this problem, you must configure a virtual HTTP server on the ASA using the virtual http command. You can create a FlexConfig policy to do this; the ASA_virtual pre-defined FlexConfig object provides an example that you can copy.
Tip: In HTTP authentication, the username and password are transmitted in clear text. You can prevent this by selecting the Use Secure HTTP Authentication option on the Firewall > Settings > AAA Firewall policy. This option ensures that credentials are encrypted.

HTTPS—The user experience for HTTPS is the same as for HTTP; the user is prompted until successfully authorized, and then redirected to the original destination.
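As an added illustration that is not part of this guide, the following Python script audits a constructed ASA running-config excerpt for the choices discussed above: interactive authentication with redirect versus basic HTTP authentication, the virtual http command, and secure HTTP authentication. The ASA CLI forms it matches (aaa authentication match, aaa authentication listener ... redirect, aaa authentication secure-http-client) are my understanding of the commands behind the Security Manager options and are assumptions, not text from this page.

```python
import re
from collections import defaultdict

# Constructed ASA running-config excerpt (not taken from the guide). It places a
# weakly configured interface (dmz: basic HTTP auth, no virtual http, clear-text
# credentials) beside one using interactive authentication with redirect (inside).
SAMPLE_CONFIG = """\
access-list AUTH extended permit tcp any any eq www
aaa authentication match AUTH inside ACS
aaa authentication match AUTH dmz ACS
aaa authentication listener http inside port 80 redirect
aaa authentication listener https inside port 443 redirect
"""

# ASA CLI forms assumed here (my understanding of the commands behind the
# Security Manager options the guide describes, not quoted from the page).
MATCH_RE = re.compile(r"^aaa authentication match (\S+) (\S+) (\S+)$")
LISTENER_RE = re.compile(
    r"^aaa authentication listener (http|https) (\S+)(?: port (\d+))?( redirect)?$")

def audit_aaa_auth(config: str) -> dict:
    """Map each interface that enforces cut-through authentication to its posture and findings."""
    lines = [ln.strip() for ln in config.splitlines()]
    secure_client = "aaa authentication secure-http-client" in lines  # Use Secure HTTP Authentication
    virtual_http = any(ln.startswith("virtual http") for ln in lines)  # avoids credential forwarding
    listeners = defaultdict(dict)
    for ln in lines:
        m = LISTENER_RE.match(ln)
        if m:
            proto, ifc, port, redirect = m.groups()
            listeners[ifc][proto] = {"port": int(port) if port else None, "redirect": bool(redirect)}
    report = {}
    for ln in lines:
        m = MATCH_RE.match(ln)
        if not m:
            continue
        acl, ifc, group = m.groups()
        http = listeners.get(ifc, {}).get("http")
        mode = "redirect" if http and http["redirect"] else "basic"  # basic HTTP auth is the default
        findings = []
        if mode == "basic":
            if not secure_client:
                findings.append("basic HTTP auth sends the username and password in clear text")
            if not virtual_http:
                findings.append("credentials are forwarded to destination HTTP servers (no virtual http)")
            if http and not http["redirect"]:
                findings.append("listener enabled without redirect; HTTP traffic still uses basic auth")
        report[ifc] = {"acl": acl, "server_group": group, "mode": mode, "findings": findings}
    return report

if __name__ == "__main__":
    for ifc, info in audit_aaa_auth(SAMPLE_CONFIG).items():
        print(ifc, info["mode"], *info["findings"], sep=" | ")
```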