38-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter38 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
Port 21 for FTP
Port 23 for Telnet
Port 80 for HTTP
Port 443 for HTTPS
ASA Authentication Prompts
For Telnet and FTP, the ASA generates an authentication prompt.
For HTTP, the ASA uses basic HTTP authentication by default, and provides an authentication prompt.
You can optionally configure the ASA to redirect users to an internal web page where they can enter their
username and password (configured with the aaa authentication listener command).
For HTTPS, the ASA generates a custom login screen. You can optionally configure the ASA to redirect
users to an internal web page where they can enter their username and password (configured with the
aaa authentication listener command).
Redirection is an improvement over the basic method because it provides an improved user experience
when authenticating, and an identical user experience for HTTP and HTTPS in both Easy VPN and
firewall modes. It also supports authenticating directly with the ASA.
You might want to continue to use basic HTTP authentication for the following reasons:
You do not want the ASA to open listening ports.
You use NAT on a router and you do not want to create a translation rule for the web page served by
the ASA.
Basic HTTP authentication might work better with your network.
For example non-browser applications, as when a URL is embedded in e-mail, might be more compatible
with basic authentication.
After you authenticate correctly, the ASA redirects you to your original destination. If the destination
server also has its own authentication, the user enters another username and password. If you use basic
HTTP authentication and need to enter another username and password for the destination server, then
you need to configure the virtual http command.
Note If you use HTTP authentication, by default the username and password are sent from the client to the
ASA in clear text; in addition, the username and password are sent on to the destination web server as
well. See the “Enabling Secure Authentication of Web Clients” section on page38-6 for information to
secure your credentials.
For FTP, a user has the option of entering the ASA username followed by an at sign (@) and then the
FTP username (name1@name2). For the password, the user enters the ASA password followed by an at
sign (@) and then the FTP password (password1@password2). For example, enter the following text:
name> name1@name2
password> password1@password2
This feature is useful when you have cascaded firewalls that require multiple logins. You can separate
several names and passwords by multiple at signs (@).