19-2
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 19 Applying AAA for Network Access
Configuring Authentication for Network Access
Authentication Overview
The security appliance lets you configure network access authentication using AAA servers. This section
includes the following topics:
• One-Time Authentication, page 19-2
• Applications Required to Receive an Authentication Challenge, page 19-2
• Static PAT and HTTP, page 19-3
• Authenticating Directly with the Security Appliance, page 19-3
One-Time Authentication
A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. (See the timeout uauth command in the Cisco Security Appliance
Command Reference for timeout values.) For example, if you configure the security appliance to
authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the
authentication session exists, the user does not also have to authenticate for FTP.
Applications Required to Receive an Authentication Challenge
Although you can configure the security appliance to require authentication for network access to any
protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must
first authenticate with one of these services before the security appliance allows other traffic requiring
authentication.
The authentication ports that the security appliance supports for AAA are fixed:
• Port 21 for FTP
• Port 23 for Telnet
• Port 80 for HTTP
• Port 443 for HTTPS
For Telnet, HTTP, HTTPS, and FTP, the security appliance generates an authentication prompt (Telnet
and FTP) or redirects you to an internal web page where you can enter your username and password
(HTTP and HTTPS). After you authenticate correctly, the security appliance redirects you to your
original destination. If the destination server also has its own authentication, the user enters another
username and password.
Note: If you use HTTP authentication without using the aaa authentication secure-http-client command, the
username and password are sent from the client to the security appliance in clear text. We recommend
that you use the aaa authentication secure-http-client command whenever you enable HTTP
authentication. For more information about the aaa authentication secure-http-client command, see
the “Enabling Secure Authentication of Web Clients” section on page 19-5.
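The check described in the note above can be automated against a saved running configuration. The following is an added example, not code from the Cisco guide. It is a heuristic that flags aaa authentication rules covering port 80 when aaa authentication secure-http-client is absent. The ACL name WEB_AUTH, the server group AuthOutbound and both sample configurations are constructed, and only explicit "eq www" / "eq 80" ACL entries and the http or tcp/80 include services are recognised.

```python
import re

# Constructed sample running-config excerpts (assumed names, not from the guide).
WEAK_CONFIG = """\
access-list WEB_AUTH extended permit tcp any any eq www
aaa-server AuthOutbound protocol tacacs+
aaa authentication match WEB_AUTH inside AuthOutbound
"""
HARDENED_CONFIG = WEAK_CONFIG + "aaa authentication secure-http-client\n"

SECURE_CMD = "aaa authentication secure-http-client"
HTTP_PORT = re.compile(r"\beq (www|80)\b")


def http_auth_rules(config):
    """Return the aaa authentication commands that challenge HTTP (port 80)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # Collect ACL names that have a TCP permit entry naming port 80 explicitly.
    http_acls = set()
    for line in lines:
        m = re.match(r"access-list (\S+) extended permit tcp ", line)
        if m and HTTP_PORT.search(line):
            http_acls.add(m.group(1))
    rules = []
    for line in lines:
        m = re.match(r"aaa authentication match (\S+) ", line)
        if m and m.group(1) in http_acls:
            rules.append(line)
        elif re.match(r"aaa authentication include (http|tcp/80) ", line):
            rules.append(line)
    return rules


def audit(config):
    """Return one finding per HTTP auth rule if secure-http-client is missing."""
    secured = any(l.strip() == SECURE_CMD for l in config.splitlines())
    if secured:
        return []
    return [f"HTTP credentials sent in clear text: {r}"
            for r in http_auth_rules(config)]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

An ACL that reaches port 80 through a range, an object group or an unrestricted TCP permit is not detected by this heuristic and needs manual review.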
For FTP, a user has the option of entering the security appliance username followed by an at sign (@)
and then the FTP username (name1@name2). For the password, the user enters the security appliance
password followed by an at sign (@) and then the FTP password (password1@password2). For example,
enter the following text:
name> jamiec@jchrichton
password> letmein@he110