38-12
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter38 Configuring AAA Rules for Network Access
Configuring Authorization for Network Access
Command Purpose
Step1 aaa-server
Example:
hostname(config)# aaa-server AuthOutbound protocol
tacacs+
Identifies your AAA servers. If you have already
identified them, continue to the next step. For more
information about identifying AAA servers, see the
“Configuring AAA Server Groups” section on
page 35-11.
Step2 access-list
Example:
hostname(config)# access-list MAIL_AUTH extended
permit tcp any any eq smtp
Creates an access list that identifies the source
addresses and destination addresses of traffic you
want to authenticate. For details, see Chapter 15,
“Adding an Extended Access List.”
The permit ACEs mark matching traffic for
authentication, while deny entries exclude matching
traffic from authentication. Be sure to include the
destination ports for either HTTP, HTTPS, Telnet, or
FTP in the access list, because the user must
authenticate with one of these services before other
services are allowed through the ASA.
Step3 aaa authentication match acl_name interface_name
server_group
Example:
hostname(config)# aaa authentication match MAIL_AUTH
inside AuthOutbound
Configures authentication. The acl_name argument
is the name of the access list that you created in Step
2., The interface_name argument is the name of the
interface specified with the nameif command, and
the server_group argument is the AAA server group
that you created in Step 1.
Note You can alternatively use the aaa
authentication include command (which
identifies traffic within the command).
However, you cannot use both methods in
the same configuration. See the command
reference for more information.
Step4 aaa authentication listener http[s] interface_name
[port portnum] redirect
Example:
hostname(config)# aaa authentication listener http
inside redirect
(Optional) Enables the redirection method of
authentication for HTTP or HTTPS connections.
The interface_name argument is the interface on
which you want to enable listening ports. The port
portnum argument specifies the port number on
which the ASA listens; the defaults are 80 (HTTP)
and 443 (HTTPS).
You can use any port number and retain the same
functionality, but be sure your direct authentication
users know the port number; redirected traffic is sent
to the correct port number automatically, but direct
authenticators must specify the port number
manually.
Enter this command separately for HTTP and for
HTTPS.