Enabling secure authentication of web clients – Cisco ASA 5505 User Manual

Page 780

38-6

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 38 Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

hostname(config)# aaa authentication listener http inside redirect

The following example authenticates Telnet traffic from the outside interface to a particular server
(209.165.201.5):

hostname(config)# aaa-server AuthInbound protocol tacacs+

hostname(config-aaa-server-group)# exit

hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1

hostname(config-aaa-server-host)# key TACPlusUauthKey

hostname(config-aaa-server-host)# exit

hostname(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq telnet

hostname(config)# aaa authentication match TELNET_AUTH outside AuthInbound

For more information about authentication, see the “Information About Authentication” section on
page 38-2.

Enabling Secure Authentication of Web Clients

If you use HTTP authentication, by default the username and password are sent from the client to the
ASA in clear text; in addition, the username and password are sent to the destination web server as well.

The ASA provides the following methods for securing HTTP authentication:

Enable the redirection method of authentication for HTTP—Use the aaa authentication listener
command with the redirect keyword. This method prevents the authentication credentials from
continuing to the destination server. See the “ASA Authentication Prompts” section on page 38-3
for more information about the redirection method compared to the basic method.

Enable virtual HTTP—Use the virtual http command to authenticate separately with the ASA and
with the HTTP server. Even if the HTTP server does not need a second authentication, this command
achieves the effect of stripping the basic authentication credentials from the HTTP GET request. See
the “Authenticating HTTP(S) Connections with a Virtual Server” section on page 38-8 for more
information.

Enable the exchange of usernames and passwords between a web client and the ASA with
HTTPS—Use the aaa authentication secure-http-client command to enable the exchange of
usernames and passwords between a web client and the ASA with HTTPS. This is the only method
that protects credentials between the client and the ASA, as well as between the ASA and the
destination server. You can use this method alone, or in conjunction with either of the other methods
so you can maximize your security.

After enabling this feature, when a user requires authentication when using HTTP, the ASA redirects
the HTTP user to an HTTPS prompt. After you authenticate correctly, the ASA redirects you to the
original HTTP URL.
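
The three methods above can be checked against a saved configuration. The following is an added example, not part of the Cisco guide: a small Python audit that reports which credential exposures remain and flags the uauth timeout 0 case listed in the limitations. The function name audit_http_auth, the sample configuration, and the exact running-config line formats (for example "port www" and the h:mm:ss timeout form) are assumptions, and the check does not parse the access list to confirm that the rule matches HTTP.

```python
import re

# Constructed sample configuration fragment (not taken from a real device).
SAMPLE_CONFIG = """\
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (inside) host 10.1.1.1
access-list WEB_AUTH extended permit tcp any any eq www
aaa authentication match WEB_AUTH inside AuthInbound
aaa authentication listener http inside port www redirect
timeout uauth 0:00:00 absolute
"""

def audit_http_auth(config: str) -> list[str]:
    """Return findings on how HTTP authentication credentials are protected."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    # Without an authentication rule there is nothing to audit.
    if not any(re.match(r"aaa authentication (match|include)\b", ln) for ln in lines):
        return []

    # HTTPS between client and ASA: the only method covering both legs.
    secure = "aaa authentication secure-http-client" in lines
    # Redirection and virtual HTTP keep credentials away from the destination server.
    redirect = any(re.match(r"aaa authentication listener http \S+.*\bredirect$", ln)
                   for ln in lines)
    virtual = any(re.match(r"virtual http \S+", ln) for ln in lines)
    # uauth timeout of zero (assumed to appear as 0:00:00 in the configuration).
    uauth_zero = any(re.match(r"timeout uauth 0+:0+:0+\b", ln) for ln in lines)

    findings = []
    if not secure:
        findings.append("no-https: credentials travel from client to ASA in clear text")
    if not (secure or redirect or virtual):
        findings.append("no-strip: credentials continue to the destination web server")
    if secure and uauth_zero:
        findings.append("uauth-zero: HTTPS authentication might not work with uauth timeout 0")
    return findings

if __name__ == "__main__":
    for finding in audit_http_auth(SAMPLE_CONFIG):
        print(finding)
```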

Secured, web-client authentication has the following limitations:

A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS
authentication processes are running, a new connection requiring authentication will not
succeed.

When uauth timeout 0 is configured (the uauth timeout is set to 0), HTTPS authentication
might not work. If a browser initiates multiple TCP connections to load a web page after HTTPS
authentication, the first connection is let through, but the subsequent connections trigger
authentication. As a result, users are continuously presented with an authentication page, even
if the correct username and password are entered each time. To work around this, set the uauth
