15-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
Configuring AAA Rules for ASA, PIX, and FWSM Devices
and successfully authenticate (and be authorized, if you include that action) before any other types
of connections are allowed. For accounting rules, you can specify any TCP or UDP service (or
simply TCP and UDP themselves), if you want to account for all types of traffic.
• AAA Server Group—The AAA server group policy object to be used for authentication,
authorization, or accounting. If the rule applies more than one of these actions, the server group must
support all selected actions. For example, only TACACS+ servers can provide services for
authorization rules (although using RADIUS for authentication rules automatically includes
RADIUS authorization), and only TACACS+ and RADIUS servers can provide accounting services.
If you want to use different server groups for particular actions, define separate rules for each type
of action that requires different groups.
• Interfaces—The interface or interface role for which you are configuring the rule.
Click OK when you are finished defining your rule.
Step 4 If you did not select the right row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. For more information, see Moving Rules and the
Importance of Rule Order, page 12-19.
Step 5 Select Firewall > Settings > AAA Firewall (in Device or Policy view) to open the AAA Firewall
Settings Page, Advanced Setting Tab, page 15-19. Configure the AAA firewall settings:
• If you configured rules for HTTP authentication, you should select Use Secure HTTP
Authentication. This ensures that the username and password entered for HTTP authentication are
encrypted. If you do not select this option, the credentials are sent in clear text, which is insecure.
Tip If you select this option, ensure that you do not configure 0 for the user authentication timeout
(timeout uauth 0, configured in the Platform > Security > Timeouts policy), or users might
be repeatedly prompted for authentication, making the feature disruptive to your network.
• If you configured authentication for HTTP or HTTPS traffic on an interface, you should consider
adding the interface to the Interactive Authentication table. When you enable an interface for
interactive authentication, users get an improved authorization web page, one that is the same for
both HTTP and HTTPS.
Click Add Row to add the interface to the table. Select whether the interface should listen for HTTP
or HTTPS traffic (add the interface twice to listen for both protocols), and the port to listen on if not
the default port for the protocol (80 and 443, respectively). Select Redirect network users for
authentication request so that network access traffic gets the improved authentication prompt; if
you do not select the option, only users trying to log into the device get the prompt.
Note You might want to continue to use basic HTTP authentication if you do not want the
security appliance to open listening ports, if you use NAT on a router and do not want to
create a translation rule for the web page served by the security appliance, or if basic
HTTP authentication simply works better with your network. For example, non-browser
applications, such as a URL embedded in an email message, might be more compatible with
basic authentication.
• For FWSM devices, you can also disable the authentication challenge for protocols you have
otherwise configured to require authentication. You can also add interfaces to the Clear Connections
table to ensure that active connections for users whose authentication has timed out are cleared and
do not hang.
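The following script is an added example, not part of this guide and not code from Cisco Security Manager. It audits an ASA running-config for the two sets of points above: the server-group restrictions in the AAA Server Group description (only TACACS+ groups can serve authorization rules, only TACACS+ and RADIUS groups can serve accounting rules) and the Step 5 firewall settings (secure HTTP authentication, a zero uauth timeout combined with it, and interactive listeners without redirect). It assumes that these Security Manager settings deploy as the ASA CLI keywords `aaa-server ... protocol`, `aaa authentication|authorization|accounting match`, `aaa authentication listener ... redirect`, `aaa authentication secure-http-client`, and `timeout uauth`; the two sample configurations are constructed for the example.

```python
import re

# Constructed sample ASA configuration (invented for this example, not taken
# from the guide). It contains each weak setting the procedure warns about.
WEAK_CONFIG = """\
aaa-server TACGRP protocol tacacs+
aaa-server RADGRP protocol radius
aaa-server LDAPGRP protocol ldap
access-list AUTH_WEB extended permit tcp any any eq www
aaa authentication match AUTH_WEB inside TACGRP
aaa authorization match AUTH_WEB inside RADGRP
aaa accounting match AUTH_WEB inside LDAPGRP
aaa authentication listener http inside port 80
timeout uauth 0:00:00 absolute
aaa authentication secure-http-client
"""

# The same deployment with the settings corrected (also constructed).
FIXED_CONFIG = """\
aaa-server TACGRP protocol tacacs+
access-list AUTH_WEB extended permit tcp any any eq www
aaa authentication match AUTH_WEB inside TACGRP
aaa authorization match AUTH_WEB inside TACGRP
aaa accounting match AUTH_WEB inside TACGRP
aaa authentication listener http inside port 80 redirect
timeout uauth 0:05:00 absolute
aaa authentication secure-http-client
"""

# Server protocols the guide says each rule action supports. Authentication is
# not constrained because the guide lists no restriction for it.
SUPPORTED_PROTOCOLS = {
    "authorization": {"tacacs+"},
    "accounting": {"tacacs+", "radius"},
}

# Port keywords that identify an ACL as matching HTTP/HTTPS traffic.
HTTP_PORTS = {"www", "80", "https", "443"}


def parse_config(text):
    """Extract server groups, ACL ports, AAA rules, listeners and the two flags."""
    groups, acls, rules, listeners = {}, {}, [], []
    secure_http = uauth_zero = False
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"aaa-server (\S+) protocol (\S+)", line)
        if m:
            groups[m.group(1)] = m.group(2)
            continue
        m = re.match(r"access-list (\S+) .*\beq (\S+)", line)
        if m:
            acls.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = re.match(r"aaa (authentication|authorization|accounting) match (\S+) (\S+) (\S+)", line)
        if m:
            rules.append(m.groups())  # (action, acl, interface, server group)
            continue
        m = re.match(r"aaa authentication listener (https?) (\S+)(.*)", line)
        if m:
            listeners.append((m.group(1), m.group(2), "redirect" in m.group(3).split()))
            continue
        if line == "aaa authentication secure-http-client":
            secure_http = True
        elif re.match(r"timeout uauth 0(:00:00)?(\s|$)", line):
            uauth_zero = True
    return groups, acls, rules, listeners, secure_http, uauth_zero


def check_aaa(text):
    """Return a list of findings; an empty list means all checks passed."""
    groups, acls, rules, listeners, secure_http, uauth_zero = parse_config(text)
    findings = []
    http_auth = False
    for action, acl, iface, group in rules:
        proto = groups.get(group)
        if proto is None:
            findings.append(f"{action} rule on {iface} uses undefined server group {group}")
            continue
        allowed = SUPPORTED_PROTOCOLS.get(action)
        if allowed and proto not in allowed:
            findings.append(f"{action} rule on {iface}: {proto} group {group} cannot provide {action}")
        if action == "authentication" and acls.get(acl, set()) & HTTP_PORTS:
            http_auth = True
    if http_auth and not secure_http:
        findings.append("HTTP authentication without secure-http-client: credentials are sent in clear text")
    if secure_http and uauth_zero:
        findings.append("secure-http-client with timeout uauth 0: users are prompted repeatedly")
    for proto, iface, redirect in listeners:
        if not redirect:
            findings.append(f"{proto} listener on {iface} without redirect: only device logins get the prompt")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {check_aaa(cfg) or 'no findings'}")
```

Run against a saved `show running-config`, the script reports the RADIUS authorization group and the LDAP accounting group as unsupported, the zero uauth timeout, and the listener without redirect; the corrected configuration produces no findings.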