38-5
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter38 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
Examples
The following example authenticates all inside HTTP traffic and SMTP traffic:
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
Step3 aaa authentication match acl_name interface_name
server_group
Example:
hostname(config)# aaa authentication match MAIL_AUTH
inside AuthOutbound
Configures authentication.
The acl_name argument is the name of the access
list that you created in Step 2. The interface_name
argument is the name of the interface specified with
the nameif command. The server_group argument is
the AAA server group that you created in Step1.
Note You can alternatively use the aaa
authentication include command (which
identifies traffic within the command).
However, you cannot use both methods in
the same configuration. See the command
reference for more information.
Step4 aaa authentication listener http[s] interface_name
[port portnum] redirect
Example:
hostname(config)# aaa authentication listener http
inside redirect
(Optional) Enables the redirection method of
authentication for HTTP or HTTPS connections.
The interface_name argument is the interface on
which you want to enable listening ports. The port
portnum argument specifies the port number on
which the ASA listens; the defaults are 80 (HTTP)
and 443 (HTTPS).
You can use any port number and retain the same
functionality, but be sure your direct authentication
users know the port number; redirected traffic is sent
to the correct port number automatically, but direct
authenticators must specify the port number
manually.
Enter this command separately for HTTP and for
HTTPS.
Step5 aaa local authentication attempts max-fail number
Example:
hostname(config)# aaa local authentication attempts
max-fail 7
(Optional) Uses the local database for network
access authentication and limits the number of
consecutive failed login attempts that the ASA
allows any given user account (with the exception of
users with a privilege level of 15. This feature does
not affect level 15 users). The number argument
value is between 1 and 16.
Tip To clear the lockout status of a specific user
or all users, use the clear aaa local user
lockout command.
Command Purpose