Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Using Auto Signon
Auto signon is a straightforward method for configuring SSO for particular internal servers. This
section describes the procedure for setting up SSO with auto signon. If you already have SSO deployed
using Computer Associates SiteMinder SSO server, or if you have Security Assertion Markup Language
(SAML) Browser Post Profile SSO, and if you want to configure the ASA to support this solution, see
the “SSO Servers” section on page 72-59.
The following fields are displayed:
• IP Address—In conjunction with the following Mask, displays the IP address range of the servers
  to be authenticated to as configured with the Add/Edit Auto Signon dialog box. You can specify a
  server using either the server URI or the server IP address and mask.
• Mask—In conjunction with the preceding IP Address, displays the IP address range of the servers
  configured to support auto signon with the Add/Edit Auto Signon dialog box.
• URI—Displays a URI mask that identifies the servers configured with the Add/Edit Auto Signon
  dialog box.
• Authentication Type—Displays the type of authentication—Basic (HTTP), NTLM, FTP and CIFS,
  or all of these methods—as configured with the Add/Edit Auto Signon dialog box.
Restrictions
• Do not enable auto signon for servers that do not require authentication or that use credentials
  different from the ASA. When auto signon is enabled, the ASA passes on the login credentials that
  the user entered to log into the ASA regardless of what credentials are in user storage.
• If you configure one method for a range of servers (for example, HTTP Basic) and one of those
  servers attempts to authenticate with a different method (for example, NTLM), the ASA does not
  pass the user login credentials to that server.
Detailed Steps
Step 1 Click to add or edit an auto signon instruction. An auto signon instruction defines a range of internal
servers using the auto signon feature and the particular authentication method.
Step 2 Click to delete an auto signon instruction selected in the Auto Signon table.
Step 3 Click IP Block to specify a range of internal servers using an IP address and mask.
  • IP Address—Enter the IP address of the first server in the range for which you are configuring
    auto signon.
  • Mask—From the subnet mask menu, choose the subnet mask that defines the server address
    range of the servers supporting auto signon.
Step 4 Click URI to specify a server supporting auto signon by URI, then enter the URI in the field next to this
button.
Step 5 Determine the authentication method assigned to the servers. For the specified range of servers, the ASA
can be configured to respond to Basic HTTP authentication requests, NTLM authentication requests,
FTP and CIFS authentication requests, or requests using any of these methods.
  • Basic—Click this button if the servers support basic (HTTP) authentication.
  • NTLM—Click this button if the servers support NTLMv1 authentication.
  • FTP/CIFS—Click this button if the servers support FTP and CIFS authentication.
  • Basic, NTLM, and FTP/CIFS—Click this button if the servers support all of the above.
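
The following Python model is an added example, not Cisco code or the ASA's implementation. It shows how a set of auto signon instructions can be reviewed against the Restrictions above: which servers in a rule's range would receive the user's ASA login credentials for a given authentication challenge, and which in-scope servers should not be covered at all. The rule and inventory field names, the sample hosts, and the use of glob-style matching for the URI mask are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

ALL = frozenset({"basic", "ntlm", "ftp-cifs"})  # the "Basic, NTLM, and FTP/CIFS" choice

@dataclass(frozen=True)
class Rule:
    auth: frozenset             # methods this auto signon instruction answers
    ip: Optional[str] = None    # IP Block: address ...
    mask: Optional[str] = None  # ... and subnet mask
    uri: Optional[str] = None   # URI mask (glob-style matching is an assumption)

    def covers(self, server: dict) -> bool:
        if self.uri is not None:
            return fnmatchcase(server["url"], self.uri)
        net = ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)
        return ipaddress.ip_address(server["ip"]) in net

def forwards_credentials(rules, server, challenge) -> bool:
    """Login credentials are passed only if a rule covers the server AND the
    server challenges with a method that rule is configured for."""
    return any(r.covers(server) and challenge in r.auth for r in rules)

def restricted_servers(rules, inventory) -> list:
    """In-scope servers that the Restrictions say must not have auto signon:
    no authentication required, or credentials different from the ASA login."""
    return [s["name"] for s in inventory
            if any(r.covers(s) for r in rules)
            and (not s["requires_auth"] or not s["same_credentials"])]

# Constructed sample data: hypothetical rules and server inventory.
SAMPLE_RULES = [
    Rule(auth=frozenset({"basic"}), ip="10.1.1.0", mask="255.255.255.0"),
    Rule(auth=ALL, uri="https://*.example.com/*"),
]
SAMPLE_INVENTORY = [
    {"name": "intranet", "ip": "10.1.1.20", "url": "http://10.1.1.20/",
     "requires_auth": True, "same_credentials": True},
    {"name": "kiosk", "ip": "10.1.1.30", "url": "http://10.1.1.30/",
     "requires_auth": False, "same_credentials": True},
    {"name": "legacy", "ip": "10.1.1.40", "url": "http://10.1.1.40/",
     "requires_auth": True, "same_credentials": False},
    {"name": "lab", "ip": "10.1.2.5", "url": "http://10.1.2.5/",
     "requires_auth": False, "same_credentials": False},
]
```

Servers returned by `restricted_servers` are candidates for narrowing the IP block or replacing it with a URI rule that excludes them.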