Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 41 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
This is the only method that protects credentials between the client and the ASA, as well as between
the ASA and the destination server. You can use this method alone, or in conjunction with either of
the other methods so you can maximize your security.
After you enable this feature, when a user must authenticate for an HTTP connection, the ASA redirects that user to an HTTPS prompt so that the credentials are not sent in the clear. After the user authenticates successfully, the ASA redirects the browser to the original HTTP URL.
Secure web-client authentication has the following limitations:
• A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS authentication processes are running, a new connection that requires authentication will not succeed until one of them finishes.
• When the uauth timeout is set to unlimited, HTTPS authentication might not work. If a browser initiates multiple TCP connections to load a web page after HTTPS authentication, the first connection is let through, but the subsequent connections trigger authentication again. As a result, users are continuously presented with an authentication page, even if the correct username and password are entered each time. To work around this, set the uauth timeout to one second (see the Configuration > Firewall > Advanced > Global Timeouts pane). Be aware that this workaround opens a 1-second window in which unauthenticated users coming from the same source IP address (for example, hosts behind a shared NAT or proxy) might pass through the firewall without authenticating.
• Because HTTPS authentication occurs on the SSL port 443, you must not configure an access rule that blocks traffic from the HTTP client to the HTTP server on port 443. Furthermore, if static PAT is configured for web traffic on port 80, it must also be configured for the SSL port, 443.
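The settings described above, collected into one CLI configuration fragment. This is an added example and not text from the Cisco guide: the interface names (inside, dmz, outside), the AAA server group RADIUS_GRP, the ACL names, the addresses and the web server are all assumed, and the NAT lines use the ASA 8.3 and later object NAT syntax (earlier releases use the static command instead). The ASDM panes named in the guide write the equivalent of these commands.

```cisco
! Added example, not from the Cisco guide. Assumed names: interfaces inside/dmz/outside,
! AAA server group RADIUS_GRP, ACLs AUTH_WEB and INSIDE_IN, web server 192.168.10.5.

! 1. Select the traffic that must authenticate: HTTP and HTTPS from the inside network.
access-list AUTH_WEB extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list AUTH_WEB extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
aaa authentication match AUTH_WEB inside RADIUS_GRP

! 2. Protect the credentials: redirect HTTP users to an HTTPS prompt on the ASA
!    (secure web-client authentication) instead of a cleartext basic-auth exchange.
!    The redirect listeners are optional and can be combined with it, as the guide says.
aaa authentication listener http inside port 80 redirect
aaa authentication listener https inside port 443 redirect
aaa authentication secure-http-client

! 3. Do not leave the uauth timeout at Unlimited (ASDM: Configuration > Firewall >
!    Advanced > Global Timeouts, Authentication absolute) with this feature; parallel
!    browser connections would each be re-prompted. The guide's workaround is a
!    1-second absolute timeout. Caveat: during that second any host that shares the
!    authenticated source IP (shared NAT, proxy) passes without authenticating.
timeout uauth 0:00:01 absolute

! 4. The HTTPS prompt rides on TCP 443, so an inbound ACL on the client interface
!    must permit 443 (and 80) from the clients to the servers.
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-group INSIDE_IN in interface inside

! 5. Static PAT for port 80 must be paired with the same mapping for port 443,
!    otherwise the redirect to the HTTPS prompt has no path. (8.3+ object NAT syntax.)
object network WEB_SRV_80
 host 192.168.10.5
 nat (dmz,outside) static interface service tcp 80 80
object network WEB_SRV_443
 host 192.168.10.5
 nat (dmz,outside) static interface service tcp 443 443
```

Verify with show uauth (cached authenticated users and their remaining time) and show aaa local user or the AAA server logs; a user who is re-prompted on every page element is the symptom of the uauth timeout problem in step 3, and a browser error on the HTTPS prompt usually means the 443 path in step 4 or 5 is missing.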
Authenticating Directly with the ASA
If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the ASA but want to authenticate
other types of traffic, you can authenticate with the ASA directly using HTTP, HTTPS, or Telnet.
This section includes the following topics:
Authenticating HTTP(S) Connections with a Virtual Server, page 41-7
Authenticating Telnet Connections with a Virtual Server, page 41-8

Authenticating HTTP(S) Connections with a Virtual Server

If you enabled the redirection method of HTTP and HTTPS authentication in the “Configuring Network Access Authentication” section on page 41-4, then you have also automatically enabled direct authentication.
When you use HTTP authentication on the ASA (see the “Configuring Network Access Authentication” section on page 41-4), the ASA uses basic HTTP authentication by default.
You can change the authentication method so that the ASA redirects HTTP connections to web pages
generated by the ASA itself using the “Enabling the Redirection Method of Authentication for HTTP
and HTTPS” section on page 41-5.
However, if you continue to use basic HTTP authentication, then you might need the virtual HTTP server
when you have cascading HTTP authentications.
If the destination HTTP server requires authentication in addition to the ASA, then virtual HTTP lets
you authenticate separately with the ASA (via a AAA server) and with the HTTP server. Without virtual
HTTP, the same username and password that you used to authenticate with the ASA is sent to the HTTP