Cisco ASA 5505 Configuration Manual page 701

Chapter 33
Configuring AAA Rules for Network Access
Configuring Authentication for Network Access
Redirection is an improvement over the basic method because it provides an improved user experience
when authenticating, and an identical user experience for HTTP and HTTPS in both Easy VPN and
firewall modes. It also supports authenticating directly with the adaptive security appliance.
You might want to continue to use basic HTTP authentication if you do not want the adaptive security
appliance to open listening ports, if you use NAT on a router and do not want to create a translation
rule for the web page served by the adaptive security appliance, or if basic HTTP authentication simply
works better with your network. For example, non-browser applications, such as a URL embedded in an
email message, might be more compatible with basic authentication.
After you authenticate correctly, the adaptive security appliance redirects you to your original
destination. If the destination server also has its own authentication, the user enters another username
and password. If you use basic HTTP authentication and need to enter another username and password
for the destination server, then you need to configure virtual HTTP (see the Configuration > Firewall >
Advanced Options > Virtual Access pane).
Note: If you use HTTP authentication, by default the username and password are sent from the client to the
adaptive security appliance in clear text; in addition, the username and password are sent on to the
destination web server as well. See the "Enabling Secure Authentication of Web Clients" section on
page 33-5 for information to secure your credentials.
For FTP, a user has the option of entering the adaptive security appliance username followed by an at
sign (@) and then the FTP username (name1@name2). For the password, the user enters the adaptive
security appliance password followed by an at sign (@) and then the FTP password
(password1@password2). For example, enter the following text.
name> jamiec@patm
password> letmein@he110
This feature is useful when you have cascaded firewalls that require multiple logins. You can separate
several names and passwords by multiple at signs (@).
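The cascaded-login convention above, worked as an added Python example (this is not Cisco code and is not how the appliance's FTP handling is implemented): each firewall in the chain peels the leading username and password at the first at sign and forwards the remainder to the next hop. The sample credentials are the guide's own example values; the function names are assumptions.

```python
"""Model of the name1@name2 / password1@password2 convention for cascaded
firewall logins. Added illustration, not Cisco code; function names are
hypothetical."""


def peel(name_field, password_field):
    """One firewall's view of the credentials: consume the leading username
    and password (up to the first '@') and return what is forwarded onward.

    Returns ((own_user, own_password), (forward_user, forward_password)).
    The forward pair is (None, None) when nothing remains, i.e. this hop is
    the final server. A remainder present on only one side means the user
    supplied an unequal number of names and passwords, which is an error.
    """
    own_user, _, rest_user = name_field.partition("@")
    own_password, _, rest_password = password_field.partition("@")
    if bool(rest_user) != bool(rest_password):
        raise ValueError("unequal number of usernames and passwords in the chain")
    forward = (rest_user or None, rest_password or None)
    return (own_user, own_password), forward


def walk_chain(name_field, password_field):
    """Apply peel() hop by hop and return the (username, password) pair that
    each successive device in the cascade consumes, outermost first."""
    hops = []
    user, password = name_field, password_field
    while user is not None:
        own, (user, password) = peel(user, password)
        hops.append(own)
    return hops


if __name__ == "__main__":
    # The guide's example: the appliance consumes jamiec/letmein and forwards
    # patm/he110 to the FTP server.
    for hop, (user, password) in enumerate(walk_chain("jamiec@patm", "letmein@he110"), 1):
        print(f"hop {hop}: user={user!r} password={password!r}")
```

Because the at sign is the separator, a username or password that itself contains a literal @ is split as well; the convention gives no way to escape it, and the model above does not try to.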
Static PAT and HTTP
For HTTP authentication, the adaptive security appliance checks real ports when static PAT is
configured. If it detects traffic destined for real port 80, regardless of the mapped port, the adaptive
security appliance intercepts the HTTP connection and enforces authentication.
For example, assume that outside TCP port 889 is translated to port 80 (www) and that any relevant
access lists permit the traffic:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 www netmask 255.255.255.255
Then when users try to access 10.48.66.155 on port 889, the adaptive security appliance intercepts the
traffic and enforces HTTP authentication. Users see the HTTP authentication page in their web browsers
before the adaptive security appliance allows HTTP connection to complete.
If the local port is different from port 80, as in the following example:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 111 netmask 255.255.255.255
then users do not see the authentication page. Instead, the adaptive security appliance sends the web
browser an error message indicating that the user must be authenticated prior to using the requested service.
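To make the real-port check concrete, here is an added Python model (not Cisco code) that parses the two static PAT lines shown above and reports whether an HTTP request to the mapped address would be intercepted with the authentication page or answered with the authenticate-first error. The port-keyword table is a small subset of ASA port names, the "no-static" outcome is outside what this section describes, and the function names are assumptions.

```python
"""Model of HTTP authentication interception under static PAT, as described
in this section. Added illustration, not Cisco code; names are hypothetical."""
from dataclasses import dataclass

# Small subset of the port keywords the ASA accepts in place of a number.
PORT_KEYWORDS = {"www": 80, "https": 443, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25}


def parse_port(token):
    """Turn an ASA port token ('www' or '889') into an integer."""
    return PORT_KEYWORDS.get(token) or int(token)


@dataclass(frozen=True)
class StaticPat:
    real_if: str
    mapped_if: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int
    netmask: str


def parse_static(line):
    """Parse a line of the form
    static (real_if,mapped_if) tcp MAPPED_IP MAPPED_PORT REAL_IP REAL_PORT netmask MASK
    (the pre-8.3 syntax used in this chapter)."""
    tokens = line.split()
    if len(tokens) != 9 or tokens[0] != "static" or tokens[2] != "tcp" or tokens[7] != "netmask":
        raise ValueError(f"unsupported static line: {line!r}")
    real_if, mapped_if = tokens[1].strip("()").split(",")
    return StaticPat(real_if, mapped_if, tokens[3], parse_port(tokens[4]),
                     tokens[5], parse_port(tokens[6]), tokens[8])


def classify_http_request(statics, dst_ip, dst_port):
    """Decide what the appliance does with an HTTP request to dst_ip:dst_port
    when HTTP authentication is required.

    'auth-page'  : a static PAT maps to real port 80, so the appliance
                   intercepts the connection and serves the authentication page.
    'auth-error' : a static PAT matches but the real port is not 80, so the
                   browser receives the must-authenticate error instead.
    'no-static'  : no static PAT entry matched (not covered by this section).
    """
    for entry in statics:
        if entry.mapped_ip == dst_ip and entry.mapped_port == dst_port:
            return "auth-page" if entry.real_port == 80 else "auth-error"
    return "no-static"


if __name__ == "__main__":
    # The two example lines from the guide, evaluated as separate scenarios.
    www_case = parse_static(
        "static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 www netmask 255.255.255.255")
    port111_case = parse_static(
        "static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 111 netmask 255.255.255.255")
    print("real port www:", classify_http_request([www_case], "10.48.66.155", 889))
    print("real port 111:", classify_http_request([port111_case], "10.48.66.155", 889))
```

The check that matters for auditing is on the real (inside) port, not the mapped one: a rule that exposes port 80 on an unusual outside port still gets the authentication page, while a rule whose real port is not 80 yields the error and never shows the user a login prompt.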
Cisco ASA 5500 Series Configuration Guide using ASDM
33-3
OL-20339-01