Cisco ASA 5505 User Manual

Page 786

Advertising
background image

38-12

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 38 Configuring AAA Rules for Network Access

Configuring Authorization for Network Access

Command

Purpose

Step 1

aaa-server

Example:

hostname(config)# aaa-server AuthOutbound protocol

tacacs+

Identifies your AAA servers. If you have already
identified them, continue to the next step. For more
information about identifying AAA servers, see the

“Configuring AAA Server Groups” section on
page 35-11

.

Step 2

access-list

Example:

hostname(config)# access-list MAIL_AUTH extended

permit tcp any any eq smtp

Creates an access list that identifies the source
addresses and destination addresses of traffic you
want to authenticate. For details, see

Chapter 15,

“Adding an Extended Access List.”

The permit ACEs mark matching traffic for
authentication, while deny entries exclude matching
traffic from authentication. Be sure to include the
destination ports for either HTTP, HTTPS, Telnet, or
FTP in the access list, because the user must
authenticate with one of these services before other
services are allowed through the ASA.

Step 3

aaa authentication match

acl_name interface_name

server_group

Example:

hostname(config)# aaa authentication match MAIL_AUTH

inside AuthOutbound

Configures authentication. The acl_name argument
is the name of the access list that you created in Step
2., The interface_name argument is the name of the
interface specified with the nameif command, and
the server_group argument is the AAA server group
that you created in Step 1.

Note

You can alternatively use the aaa
authentication include command (which
identifies traffic within the command).
However, you cannot use both methods in
the same configuration. See the command
reference for more information.

Step 4

aaa authentication listener http

[s] interface_name

[

port

portnum

]

redirect

Example:

hostname(config)# aaa authentication listener http

inside redirect

(Optional) Enables the redirection method of
authentication for HTTP or HTTPS connections.

The interface_name argument is the interface on
which you want to enable listening ports. The port
portnum argument specifies the port number on
which the ASA listens; the defaults are 80 (HTTP)
and 443 (HTTPS).

You can use any port number and retain the same
functionality, but be sure your direct authentication
users know the port number; redirected traffic is sent
to the correct port number automatically, but direct
authenticators must specify the port number
manually.

Enter this command separately for HTTP and for
HTTPS.

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals