Cisco Systems CL-28826-01 Security Camera User Manual


15-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
Configuring AAA Rules for ASA, PIX, and FWSM Devices
For ASA, PIX, and FWSM devices, the security appliance uses a custom login screen. As with
HTTP, you can configure the interface to use interactive authentication, in which case HTTPS
connections use the same authentication page as HTTP connections. You must configure the
interface separately for HTTPS redirection; use the Firewall > Settings > AAA Firewall policy.
For IOS devices, HTTPS connections are authenticated only if you enable SSL on the device and
your AAA rules require HTTP authentication proxy. This configuration is explained in Configuring
AAA Rules for IOS Devices, page 15-7.
FTP—The device prompts once for authentication. If authentication fails, the user must retry the
connection.
When prompted, the user can enter the username required for device authentication followed by an
at sign (@) and then the FTP username (name1@name2). For the password, the user would then
enter the device authentication password followed by an at sign (@) and then the FTP password
(password1@password2). For example, enter the following text.
name> asa1@partreq
password> letmein@he110
For IOS devices, this method of entering both the device and FTP credentials is required. For ASA,
PIX, and FWSM devices, this feature is useful when you have cascaded firewalls that require
multiple logins. You can separate several names and passwords by multiple at signs (@).
Telnet—The device prompts several times for authentication. After a number of failed attempts, the
user must retry the connection. After authentication, the Telnet server prompts for its
username/password.
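The chained FTP credential format described above (name1@name2 and password1@password2, extended with further at signs for cascaded firewalls) can be modeled as follows. This is an added example, not code from the Cisco guide; the function names are hypothetical, and the rules that name and password counts must match and that a component may not itself contain an at sign are assumptions of this model, since the guide describes no escape mechanism.

```python
# Added example: models the name1@name2 / password1@password2 convention
# described for FTP above. Function names are hypothetical.

DELIM = "@"


def compose_chain(hops):
    """Build the chained name and password strings from (user, password)
    pairs, ordered from the first authenticating device to the FTP server."""
    if not hops:
        raise ValueError("at least one (user, password) pair is required")
    for user, password in hops:
        if not user or not password:
            raise ValueError("empty username or password component")
        # Assumption: no escape for '@' is described in the guide, so a
        # component containing the delimiter could not be split back reliably.
        if DELIM in user or DELIM in password:
            raise ValueError("component contains '@' and would be ambiguous")
    names = DELIM.join(user for user, _ in hops)
    passwords = DELIM.join(password for _, password in hops)
    return names, passwords


def split_chain(names, passwords):
    """Split chained strings back into per-hop (user, password) pairs."""
    users = names.split(DELIM)
    secrets = passwords.split(DELIM)
    # Assumption of this model: one password per name, in the same order.
    if len(users) != len(secrets):
        raise ValueError(
            f"{len(users)} names but {len(secrets)} passwords: counts must match"
        )
    if not all(users) or not all(secrets):
        raise ValueError("empty component (leading, trailing or doubled '@')")
    return list(zip(users, secrets))


if __name__ == "__main__":
    # Values from the guide's example: device login first, FTP login second.
    print(split_chain("asa1@partreq", "letmein@he110"))
    # Constructed values: two cascaded firewalls in front of an FTP server.
    print(compose_chain([("fw1user", "pw1"), ("fw2user", "pw2"), ("ftpuser", "pw3")]))
```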
Configuring AAA Rules for ASA, PIX, and FWSM Devices
When you configure AAA rules for an ASA, PIX, or FWSM device, you are configuring policies that
define who is allowed to make HTTP, HTTPS, FTP, and Telnet connections through (not to) the device.
To fully configure network access authentication, you need to configure several policies, not just the
AAA rules policy.
The following procedure covers all policies you would need to configure to supply full authentication,
authorization, and accounting support for network access authentication. You do not need to configure
options for features you do not need.
Related Topics
Understanding AAA Rules, page 15-1
Understanding How Users Authenticate, page 15-2
Creating a New Shared Policy, page 5-51
Modifying Policy Assignments in Policy View, page 5-51
Understanding Networks/Hosts Objects, page 6-74
Understanding Interface Role Objects, page 6-67
Understanding and Specifying Services and Service and Port List Objects, page 6-86
Understanding AAA Server and Server Group Objects, page 6-24
Step 1 Do one of the following to open the AAA Rules Page, page 15-10: