12-20
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 12 Configuring AAA
Configuring Authentication for Network Access
Configuring Authentication for Network Access
This section includes the following topics:
• Authentication Overview, page 12-20
• Enabling Network Access Authentication, page 12-21
• Enabling Secure Authentication of Web Clients, page 12-22
Authentication Overview
The FWSM lets you configure network access authentication using RADIUS or TACACS+ servers.
Although you can configure network access authentication for any protocol or service, you can
authenticate directly with HTTP, Telnet, or FTP only. A user must first authenticate with one of these
services before other traffic that requires authentication is allowed through. If you do not want to allow
HTTP, Telnet, or FTP through the FWSM, but want to authenticate other types of traffic, you can
configure virtual Telnet; the user Telnets to a given IP address configured on the FWSM, and the FWSM
provides a Telnet prompt. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall
Services Module Command Reference for more information about the virtual telnet command.
A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. (See the timeout uauth command in the Catalyst 6500 Series Switch and
Cisco 7600 Series Router Firewall Services Module Command Reference for timeout values.) For
TACACS+
command
authorization
You are logged in
as a user without
enough privileges
or as a user that
does not exist
You enable command
authorization, but then
find that the user
cannot enter any more
commands.
Fix the TACACS+ server
user account.
If you do not have access to
the TACACS+ server and
you need to configure the
FWSM immediately, then
log into the maintenance
partition and reset the
passwords and aaa
commands. See the
“Clearing the Application
Partition Passwords and
AAA Settings” section on
page 17-9.
Session into the FWSM
from the switch. From the
system execution space, you
can change to the context
and complete the
configuration changes. You
can also disable command
authorization until you fix
the TACACS+
configuration.
Local command
authorization
You are logged in
as a user without
enough privileges
You enable command
authorization, but then
find that the user
cannot enter any more
commands.
Log into the maintenance
partition and reset the
passwords and aaa
commands. See the
“Clearing the Application
Partition Passwords and
AAA Settings” section on
page 17-9.
Session into the FWSM
from the switch. From the
system execution space, you
can change to the context
and change the user level.
Table 12-3 CLI Authentication and Command Authorization Lockout Scenarios (continued)
Feature Lockout Condition Description Workaround: Single Mode Workaround: Multiple Mode
To Next Page
Loading...
Need help?
General