Configuring Authorization For Network Access - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services
Chapter 12
Configuring AAA
The Cisco Systems text field shown in this example was customized using the auth-prompt command.
Note: If you do not enter a string using the auth-prompt command, this field will be blank. For the detailed
syntax of this command, refer to the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall
Services Module Command Reference.
After you enter a valid username and password, an "Authentication Successful" page appears and
closes automatically. If you fail to enter a valid username and password, an "Authentication Failed" page
appears.
A maximum of 64 concurrent HTTPS authentications are allowed. If all 64 HTTPS authentication
processes are running, a new connection requiring authentication will not succeed. An authentication
process starts when the FWSM receives the user name and password from the browser and ends when it
receives the authentication result from the AAA server. The length of time required to complete each
authentication process depends on the response time of the authentication source. If the LOCAL
database is used, authentication is very fast; if a RADIUS or TACACS+ server is used, the time depends
on the server response time.
Note: Pre-FWSM release 2.3 configurations that include aaa authentication include tcp/0.. will inherit
the HTTPS Authentication Proxy feature enabled with a code upgrade to FWSM release 2.3 or later.
When using the uauth timeout 0 command, HTTPS authentication will not take place if a browser
initiates multiple TCP connections to get a web page after HTTPS authentication. In this scenario, the
first connection is allowed, yet the subsequent connections will trigger authentication because the uauth
timeout is set to 0. As a result, users will be presented with authentication pages continuously, even
though the correct username and password are entered each time. Avoid this problem by setting the uauth
timeout to 1 second. However, this setting opens a 1-second window that could conceivably allow a
non-authenticated user to obtain access from the same source IP address.
If a web browser launches an HTTPS web page request while secure authentication is in process for a
previous HTTP request, the HTTPS request triggers a second secure authentication process, even if
secure authentication is not specifically enabled for HTTPS. Once the authentication process for either
web page is completed successfully, the remaining request can be completed by reloading the page.
Because HTTPS authentication occurs on SSL port 443, do not use the access-list command to block
traffic from the HTTP client to HTTP server on port 443. Also, if you configure static PAT for web traffic
on port 80, you must also configure a static entry for SSL port 443.

Configuring Authorization for Network Access

After a user authenticates for a given connection, the FWSM checks for an authorization rule or a
dynamic ACL for the traffic. The authorization server or dynamic ACL then determines whether the
traffic is allowed or denied.
The FWSM supports TACACS+ authorization servers. You identify the traffic that you want to authorize
in the FWSM configuration, and the TACACS+ server determines a user's authorization based on the
user profile.
Alternatively, you can use dynamic ACLs that are downloaded from a RADIUS server at the time of
authentication. The configuration on the FWSM consists only of the authentication configuration; you
enable downloadable ACLs on the server itself.
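The following FWSM configuration fragment is an added example, not taken from this guide, that ties together the uauth timeout and port 443 points from the HTTPS authentication notes above with the TACACS+ authorization setup described in this section. It assumes FWSM 2.3-era PIX-style syntax, a TACACS+ server on the inside interface, and an inside web server published through static PAT; every address, the server key and the ACL names are constructed placeholders, and each command should be checked against the Command Reference cited above before use.

```cisco
! Added example (constructed addresses and key); FWSM 2.3-style syntax
! --- AAA server group used for both authentication and authorization ---
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.10 s3cretkey timeout 10

! --- Traffic that must be authenticated, then authorized per user ---
access-list AUTH_WEB permit tcp any host 10.1.1.5 eq www
access-list AUTH_WEB permit tcp any host 10.1.1.5 eq https
aaa authentication match AUTH_WEB outside TACACS+
! Serve the username/password prompt over HTTPS (port 443)
aaa authentication secure-http-client
! The TACACS+ server decides, from the user profile, whether the
! same traffic is allowed or denied
aaa authorization match AUTH_WEB outside TACACS+

! --- uauth timeout ---
! Weak: a 0 timeout makes every extra TCP connection a browser opens
! for one page trigger a fresh authentication prompt (see note above)
! timeout uauth 0:00:00 absolute
! Corrected: 1-second timeout, accepting the 1-second window from the
! same source IP address that the note describes
timeout uauth 0:00:01 absolute

! --- Static PAT for web traffic: port 80 AND SSL port 443 ---
static (inside,outside) tcp 209.165.201.5 www 10.1.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 209.165.201.5 https 10.1.1.5 https netmask 255.255.255.255

! --- Outside ACL: must not block client-to-server traffic on 443 ---
access-list OUTSIDE_IN permit tcp any host 209.165.201.5 eq www
access-list OUTSIDE_IN permit tcp any host 209.165.201.5 eq https
access-group OUTSIDE_IN in interface outside
```

If the RADIUS downloadable-ACL alternative is used instead, the aaa authorization line is dropped and only the authentication lines remain on the FWSM, with the per-user ACL defined on the RADIUS server.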
OL-6392-01
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
12-23
