38-9
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter38 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
Authenticating Telnet Connections with a Virtual Server
Although you can configure network access authentication for any protocol or service (see the aaa
authentication match or aaa authentication include command), you can authenticate directly with
HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic
that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP traffic
through the ASA, but want to authenticate other types of traffic, you can configure virtual Telnet; the
user Telnets to a given IP address configured on the ASA, and the ASA issues a Telnet prompt.
To configure a virtual Telnet server, enter the following command:
Command Purpose
virtual http
Example:
hostname(config)# virtual http
Redirects all HTTP connections that require AAA
authentication to the virtual HTTP server on the ASA. The
ASA prompts for the AAA server username and password.
After the AAA server authenticates the user, the ASA redirects
the HTTP connection back to the original server, but it does
not include the AAA server username and password. Because
the username and password are not included in the HTTP
packet, the HTTP server prompts the user separately for the
HTTP server username and password.
For inbound users (from lower security to higher security),
you must also include the virtual HTTP address as a
destination interface in the access list applied to the source
interface. In addition, you must add a static NAT command for
the virtual HTTP IP address, even if NAT is not required. An
identity NAT command is typically used (where you translate
the address to itself).
For outbound users, there is an explicit permit for traffic, but
if you apply an access list to an inside interface, be sure to
allow access to the virtual HTTP address. A static statement is
not required.
Note Do not set the timeout uauth command duration to 0
seconds when using the virtual http command,
because this setting prevents HTTP connections to the
actual web server.
You can authenticate directly with the ASA at the following
URLs when you enable AAA for the interface:
http://interface_ip[:port]/netaccess/connstatus.html
https://interface_ip[:port]/netaccess/connstatus.html
Without virtual HTTP, the same username and password that
you used to authenticate with the ASA are sent to the HTTP
server; you are not prompted separately for the HTTP server
username and password. Assuming the username and
password are not the same for the AAA and HTTP servers,
then the HTTP authentication fails.