Cisco ASA 5505 User Manual

Page 779


38-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 38 Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

Examples

The following example authenticates all inside HTTP traffic and SMTP traffic:

hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound

Step 3

Command:
aaa authentication match acl_name interface_name server_group

Example:
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound

Purpose:
Configures authentication.

The acl_name argument is the name of the access list that you created in Step 2. The interface_name argument is the name of the interface specified with the nameif command. The server_group argument is the AAA server group that you created in Step 1.

Note: You can alternatively use the aaa authentication include command (which identifies traffic within the command). However, you cannot use both methods in the same configuration. See the command reference for more information.

Step 4

Command:
aaa authentication listener http[s] interface_name [port portnum] redirect

Example:
hostname(config)# aaa authentication listener http inside redirect

Purpose:
(Optional) Enables the redirection method of authentication for HTTP or HTTPS connections.

The interface_name argument is the interface on which you want to enable listening ports. The port portnum argument specifies the port number on which the ASA listens; the defaults are 80 (HTTP) and 443 (HTTPS).

You can use any port number and retain the same functionality, but be sure your direct authentication users know the port number; redirected traffic is sent to the correct port number automatically, but direct authenticators must specify the port number manually.

Enter this command separately for HTTP and for HTTPS.

Step 5

Command:
aaa local authentication attempts max-fail number

Example:
hostname(config)# aaa local authentication attempts max-fail 7

Purpose:
(Optional) Uses the local database for network access authentication and limits the number of consecutive failed login attempts that the ASA allows for any given user account (with the exception of users with a privilege level of 15; this feature does not affect level 15 users). The number argument value is between 1 and 16.

Tip: To clear the lockout status of a specific user or all users, use the clear aaa local user lockout command.
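The steps above tie together objects that are defined separately (the AAA server group from Step 1, the access list from Step 2, the listener and lockout settings), so a mismatch is easy to miss in a large running-config. The following is an added example, not Cisco's code or the guide's: a small offline checker that reads an ASA configuration excerpt (a constructed sample mirroring this page's example) and reports the consistency problems this section describes, namely a match rule naming an undefined access list or server group, match and include used together, an HTTP listener with no HTTPS counterpart, and a max-fail value outside 1 to 16.

```python
import re

# Constructed sample running-config excerpt mirroring the page's example;
# the TACACS+ key is the manual's placeholder, not a real secret.
SAMPLE_CONFIG = """
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.1
 key TACPlusUauthKey
access-list MAIL_AUTH extended permit tcp any any eq smtp
access-list MAIL_AUTH extended permit tcp any any eq www
aaa authentication match MAIL_AUTH inside AuthOutbound
aaa authentication listener http inside redirect
aaa local authentication attempts max-fail 7
"""

def audit_aaa_config(config: str) -> list:
    """Return findings for the AAA network-access rules in an ASA config:
    undefined ACL/server-group references, match mixed with include,
    HTTP listener without HTTPS, and max-fail outside 1..16."""
    findings = []
    acls, groups, listeners = set(), set(), set()
    has_match = has_include = False
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # First pass: collect the objects that AAA rules may reference.
    for line in lines:
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"aaa-server (\S+) protocol ", line):
            groups.add(m.group(1))
        elif m := re.match(r"aaa authentication listener (https?) ", line):
            listeners.add(m.group(1))
    # Second pass: validate the AAA rules against what was collected.
    for line in lines:
        if m := re.match(r"aaa authentication match (\S+) (\S+) (\S+)$", line):
            has_match = True
            acl, _iface, group = m.groups()
            if acl not in acls:
                findings.append(f"match rule references undefined access-list {acl}")
            if group not in groups:
                findings.append(f"match rule references undefined server group {group}")
        elif re.match(r"aaa authentication include ", line):
            has_include = True
        elif m := re.match(r"aaa local authentication attempts max-fail (\d+)$", line):
            if not 1 <= int(m.group(1)) <= 16:
                findings.append(f"max-fail {m.group(1)} is outside the valid range 1-16")
    if has_match and has_include:
        findings.append("'aaa authentication match' and 'include' cannot be combined")
    if "http" in listeners and "https" not in listeners:
        findings.append("HTTP listener enabled without a separate HTTPS listener")
    return findings
```

Run against the sample, the only finding is the missing HTTPS listener, which is exactly the "enter this command separately for HTTP and for HTTPS" point from Step 4.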
