15-21
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 15 Managing Firewall AAA Rules
AAA Firewall Settings Policies
Interactive Authentication Configuration Dialog Box
Use the Interactive Authentication Configuration dialog box to configure an interface to listen for HTTP
or HTTPS traffic to authenticate network users. The authentication web page used by a listening port
provides an improved user experience compared to the default authentication pages used for these
protocols. The authentication pages are used for connections directly to the device and, if you select the
redirection option, also for through traffic if your AAA rules policy requires HTTP/HTTPS network
access authentication. For more information, see Understanding How Users Authenticate, page 15-2.
Navigation Path
Go to the AAA Firewall Settings Page, Advanced Setting Tab, page 15-19 and click the Add Row button
beneath the Interactive Authentication table, or select an item in the table and click the Edit Row button.
Related Topics
Understanding AAA Rules, page 15-1
Configuring AAA Rules for ASA, PIX, and FWSM Devices, page 15-4
Table 15-3 Advanced Setting Tab, AAA Firewall Settings Page (Continued)

Element: Disable FTP Authentication Challenge, Disable HTTP Authentication Challenge,
Disable HTTPS Authentication Challenge, Disable Telnet Authentication Challenge
(All options FWSM 3.x+ only.)
Description: Whether to disable authentication challenges for the indicated
protocols. By default, the FWSM prompts the user for a username and
password when a AAA rule enforces authentication for traffic in a new
session and the protocol of the traffic is FTP, Telnet, HTTP, or HTTPS.
In some cases, you might want to disable the authentication challenge
for one or more of these protocols. If you disable challenge
authentication for a particular protocol, traffic using that protocol is
allowed only if the traffic belongs to a session previously authenticated.
This authentication can be accomplished by traffic using a protocol
whose authentication challenge remains enabled. For example, if you
disable challenge authentication for FTP, the FWSM denies a new
session using FTP if the traffic is included in an authentication AAA
rule. If the user establishes the session with a protocol whose
authentication challenge is enabled (such as HTTP), FTP traffic is
allowed.

Element: Clear Connections When Uauth Timer Expires table
(FWSM 3.2+ only.)
Description: Use this table to identify the interfaces and source addresses where you
want to force any active connections to close immediately after the user
authentication times out or when you clear the authentication session
with the clear uauth command. (User authentication timeouts are
defined in the Platform > Security > Timeouts policy.) For any
interface/source address pairs not listed in this table, active connections
are not terminated even though the user authentication session expired.
To add any interface and source address pair, click the Add Row
button and fill in the Clear Connection Configuration Dialog Box,
page 15-22.
To edit a setting, select it and click the Edit Row button.
To delete a setting, select it and click the Delete Row button.
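The challenge-disable and clear-connection behaviour described in the table above can be checked against a small Python model. This is an added example, not Cisco code: the class and method names are hypothetical, the addresses and interface names are constructed, and keying authentication by source IP and matching sources as networks are assumptions of the model.

```python
import ipaddress

class UauthModel:
    """Toy model of the FWSM behaviour in Table 15-3 (hypothetical names)."""
    def __init__(self, challenge_disabled=(), clear_conn_pairs=()):
        self.challenge_disabled = set(challenge_disabled)
        # (interface, source network) rows of the Clear Connections table
        self.clear_conn = [(i, ipaddress.ip_network(n)) for i, n in clear_conn_pairs]
        self.authenticated = set()   # assumption: uauth state keyed by source IP
        self.connections = []        # (interface, source IP, protocol)

    def new_session(self, interface, src, proto, creds_ok=False):
        """Decide a new FTP/Telnet/HTTP/HTTPS session matched by an authentication AAA rule."""
        if src not in self.authenticated:
            if proto in self.challenge_disabled:
                return "deny"        # no prompt is issued and nothing authenticated earlier
            if not creds_ok:
                return "deny"        # prompted, but the credentials were rejected
            self.authenticated.add(src)
        self.connections.append((interface, src, proto))
        return "allow"

    def uauth_expired(self, src):
        """Uauth timeout or clear uauth; returns this source's connections that stay open."""
        self.authenticated.discard(src)
        addr = ipaddress.ip_address(src)

        def listed(iface):
            return any(iface == i and addr in net for i, net in self.clear_conn)

        self.connections = [c for c in self.connections
                            if c[1] != src or not listed(c[0])]
        return [c for c in self.connections if c[1] == src]

def demo():
    # Constructed scenario: FTP challenge disabled, only inside/10.1.1.0/24 listed.
    fw = UauthModel(challenge_disabled={"ftp"},
                    clear_conn_pairs=[("inside", "10.1.1.0/24")])
    decisions = [
        fw.new_session("inside", "10.1.1.5", "ftp"),               # before any login
        fw.new_session("inside", "10.1.1.5", "http", creds_ok=True),
        fw.new_session("inside", "10.1.1.5", "ftp"),               # after HTTP login
    ]
    fw.new_session("dmz", "10.2.2.9", "http", creds_ok=True)
    listed_left = fw.uauth_expired("10.1.1.5")     # pair is in the table
    unlisted_left = fw.uauth_expired("10.2.2.9")   # pair is not in the table
    return decisions, listed_left, unlisted_left
```

The unlisted source keeps its open connection after its authentication session expires, which is the case to look for when reviewing this table on a device.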