Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 38 Configuring AAA Rules for Network Access
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
IPv6 Guidelines
Supports IPv6.
Configuring Authentication for Network Access
This section includes the following topics:
Information About Authentication, page 38-2
Configuring Network Access Authentication, page 38-4
Enabling Secure Authentication of Web Clients, page 38-6
Authenticating Directly with the ASA, page 38-7

Information About Authentication

The ASA lets you configure network access authentication using AAA servers. This section includes the
following topics:
One-Time Authentication, page 38-2
Applications Required to Receive an Authentication Challenge, page 38-2
ASA Authentication Prompts, page 38-3
Static PAT and HTTP, page 38-4

One-Time Authentication

A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. (See the timeout uauth command in the command reference for timeout
values.) For example, if you configure the ASA to authenticate Telnet and FTP, and a user first
successfully authenticates for Telnet, then as long as the authentication session exists, the user does not
also have to authenticate for FTP.
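
The Telnet-and-FTP case above as an ASA configuration sketch. This is an added example, not taken from this guide; the server group name AuthOutbound, the ACL name TELNET_FTP_AUTH, the interface name inside, the server address, the key placeholder and the timer values are all assumptions.

```cisco
! Constructed example. Names, addresses and timer values are placeholders.
!
! AAA server group that answers the authentication challenges.
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.1
 key <shared-secret>
!
! Traffic that requires authentication: Telnet and FTP from any inside host.
access-list TELNET_FTP_AUTH extended permit tcp any any eq telnet
access-list TELNET_FTP_AUTH extended permit tcp any any eq ftp
!
! One rule covers both services. A source IP address that authenticates
! for Telnet is not challenged again for FTP while its session exists.
aaa authentication match TELNET_FTP_AUTH inside AuthOutbound
!
! Lifetime of the cached authentication session. The session belongs to the
! source IP address, so any host sharing that address inherits it; short
! timers limit how long that holds.
timeout uauth 0:30:00 absolute
timeout uauth 0:05:00 inactivity
!
! Verification and cleanup from privileged EXEC mode:
!   show uauth     lists the currently authenticated users and addresses
!   clear uauth    removes cached sessions and forces reauthentication
```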

Applications Required to Receive an Authentication Challenge

Although you can configure the ASA to require authentication for network access to any protocol or
service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first
authenticate with one of these services before the ASA allows other traffic requiring authentication.
The authentication ports that the ASA supports for AAA are fixed as follows: