Cisco Systems ASA 5555-X, ASA 5505, ASA 5545-X manual Enabling Secure Authentication of Web Clients

Models: ASA 5555-X, ASA 5545-X, ASA 5585-X, ASA 5580, ASA 5505, and the ASA Services Module


Chapter 7 Configuring AAA Rules for Network Access

Configuring Authentication for Network Access

For more information about authentication, see the “Information About Authentication” section on page 7-2.

Enabling Secure Authentication of Web Clients

If you use HTTP authentication, by default the username and password are sent from the client to the ASA in clear text; in addition, the username and password are sent to the destination web server as well.

The ASA provides the following methods for securing HTTP authentication:

Enable the redirection method of authentication for HTTP—Use the aaa authentication listener command with the redirect keyword. This method prevents the authentication credentials from continuing on to the destination server. See the “ASA Authentication Prompts” section on page 7-3 for more information about the redirection method compared to the basic method.

Enable virtual HTTP—Use the virtual http command to authenticate separately with the ASA and with the HTTP server. Even if the HTTP server does not need a second authentication, this command achieves the effect of stripping the basic authentication credentials from the HTTP GET request. See the “Authenticating HTTP(S) Connections with a Virtual Server” section on page 7-11 for more information.

Enable the exchange of usernames and passwords between a web client and the ASA with HTTPS—Use the aaa authentication secure-http-client command. This is the only method that protects credentials between the client and the ASA, as well as between the ASA and the destination server. You can use this method alone, or in conjunction with either of the other methods, to maximize your security.

After you enable this feature, when an HTTP user requires authentication, the ASA redirects the user to an HTTPS prompt. After the user authenticates correctly, the ASA redirects the user back to the original HTTP URL.

Secured, web-client authentication has the following limitations:

A maximum of 64 concurrent HTTPS authentication sessions are allowed. If all 64 HTTPS authentication processes are running, a new connection requiring authentication will not succeed.

When uauth timeout 0 is configured (the uauth timeout is set to 0), HTTPS authentication might not work. If a browser initiates multiple TCP connections to load a web page after HTTPS authentication, the first connection is let through, but the subsequent connections trigger authentication. As a result, users are continuously presented with an authentication page, even if the correct username and password are entered each time. To work around this, set the uauth timeout to 1 second with the timeout uauth 0:0:1 command. However, this workaround opens a 1-second window of opportunity that might allow unauthenticated users to go through the firewall if they are coming from the same source IP address.

Because HTTPS authentication occurs on the SSL port 443, users must not configure an access-list command statement that blocks traffic from the HTTP client to the HTTP server on port 443. Furthermore, if static PAT is configured for web traffic on port 80, it must also be configured for the SSL port.

In the following example, the first set of commands configures static PAT for web traffic, and the second set of commands must be added to support the HTTPS authentication configuration:

object network obj-10.130.16.10-01
 host 10.130.16.10
 nat (inside,outside) static 10.132.16.200 service tcp 80 80

object network obj-10.130.16.10-02
 host 10.130.16.10
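The three limitations above (uauth timeout 0, an access list that denies port 443 to the server, and static PAT for port 80 without a matching entry for the SSL port) are all visible in the running configuration, so they can be checked offline before a change window. The following script is an added example and not part of the Cisco guide or of any ASA software; it runs against a constructed configuration fragment that reproduces the manual's NAT example with the port 443 entry still missing. The object names, the ACL name outside_in, and the hostname are made up for the sample.

```python
import re
from typing import Dict, List

# Constructed sample of an ASA running-config fragment (not captured from a real
# device). It reproduces the situation the manual warns about: static PAT exists
# for web traffic on port 80, the matching entry for the SSL port has not been
# added yet, an ACL denies port 443 toward the server, and uauth is set to 0.
SAMPLE_CONFIG = """\
hostname asa-lab
timeout uauth 0:0:0 absolute
aaa authentication secure-http-client
aaa authentication listener http inside port 80 redirect
object network obj-10.130.16.10-01
 host 10.130.16.10
 nat (inside,outside) static 10.132.16.200 service tcp 80 80
object network obj-10.130.16.10-02
 host 10.130.16.10
access-list outside_in extended deny tcp any host 10.130.16.10 eq 443
access-list outside_in extended permit tcp any host 10.130.16.10 eq 80
"""

# The ASA accepts service names as well as numbers; normalise the ones we care about.
PORT_ALIASES = {"www": "80", "http": "80", "https": "443"}

OBJECT_RE = re.compile(r"^object network (\S+)")
NAT_RE = re.compile(
    r"^\s*nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) static (?P<mapped_ip>\S+)"
    r" service tcp (?P<real_port>\S+) (?P<mapped_port>\S+)"
)
UAUTH_RE = re.compile(r"^timeout uauth (\d+):(\d+):(\d+)")
ACL_DENY_RE = re.compile(r"^access-list \S+ extended deny tcp .*\beq (\S+)")


def _port(value: str) -> str:
    return PORT_ALIASES.get(value, value)


def parse_static_pat(config: str) -> List[Dict[str, str]]:
    """Return every static PAT rule found inside an 'object network' block."""
    rules: List[Dict[str, str]] = []
    current_object = None
    for line in config.splitlines():
        obj = OBJECT_RE.match(line)
        if obj:
            current_object = obj.group(1)
            continue
        nat = NAT_RE.match(line)
        if nat and current_object:
            rule = nat.groupdict()
            rule["object"] = current_object
            rule["real_port"] = _port(rule["real_port"])
            rule["mapped_port"] = _port(rule["mapped_port"])
            rules.append(rule)
    return rules


def missing_ssl_pat(rules: List[Dict[str, str]]) -> List[str]:
    """Mapped addresses that have static PAT for port 80 but no entry for 443."""
    web = {r["mapped_ip"] for r in rules if r["mapped_port"] == "80"}
    ssl = {r["mapped_ip"] for r in rules if r["mapped_port"] == "443"}
    return sorted(web - ssl)


def uauth_timeout_is_zero(config: str) -> bool:
    """True when 'timeout uauth 0:0:0' is configured, the case the manual flags."""
    for line in config.splitlines():
        m = UAUTH_RE.match(line)
        if m and all(int(part) == 0 for part in m.groups()):
            return True
    return False


def acl_entries_denying_ssl(config: str) -> List[str]:
    """ACL statements that explicitly deny TCP to port 443 (or the https alias)."""
    hits = []
    for line in config.splitlines():
        m = ACL_DENY_RE.match(line)
        if m and _port(m.group(1)) == "443":
            hits.append(line.strip())
    return hits


def audit(config: str) -> List[str]:
    """Collect one human-readable finding per limitation that the config triggers."""
    findings = []
    for ip in missing_ssl_pat(parse_static_pat(config)):
        findings.append(f"static PAT for port 80 on {ip} has no matching entry for port 443")
    if uauth_timeout_is_zero(config):
        findings.append("timeout uauth is 0; HTTPS authentication may re-prompt, see timeout uauth 0:0:1")
    for entry in acl_entries_denying_ssl(config):
        findings.append(f"ACL denies port 443, which HTTPS authentication needs: {entry}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

On the sample the audit reports all three findings. Adding the matching statement nat (inside,outside) static 10.132.16.200 service tcp 443 443 under the second object, which is what the guide requires for the SSL port, clears the PAT finding; the other two are cleared by the timeout uauth 0:0:1 workaround and by removing the deny entry. The parser only understands the object-NAT form shown in the guide, not twice NAT (nat ... source static ...) statements.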

Cisco ASA Series Firewall CLI Configuration Guide

7-10
