Cisco FirePOWER ASA 5500 series Configuration Manual page 336
Configuring Authentication for Network Access
The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic from authentication. Be sure to include the destination ports for HTTP, Telnet, or FTP in the access list, because the user must authenticate with one of these services before other services are allowed through the security appliance.
Step 3
To configure authentication, enter the following command:
hostname(config)# aaa authentication match acl_name interface_name server_group
Where acl_name is the name of the access list you created in Step 2, interface_name is the name of the interface as specified with the nameif command, and server_group is the AAA server group you created in Step 1.
Note
You can alternatively use the aaa authentication include command (which identifies traffic within the command). However, you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.
Step 4
(Optional) If you are using the local database for network access authentication and you want to limit
the number of consecutive failed login attempts that the security appliance allows any given user
account, use the following command:
hostname(config)# aaa local authentication attempts max-fail number
Where number is between 1 and 16.
For example:
hostname(config)# aaa local authentication attempts max-fail 7
Tip
To clear the lockout status of a specific user or all users, use the clear aaa local user lockout command.
For example, the following commands authenticate all inside HTTP traffic and SMTP traffic. The www entry is what lets the user authenticate; SMTP is not one of the services the appliance can prompt on, so an access list with only the smtp entry would never let the user log in:
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
The following commands authenticate Telnet traffic from the outside interface to a particular server
(209.165.201.5):
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa authentication match TELNET_AUTH outside AuthInbound
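The following is an added example, not part of the guide, that combines Step 3 and Step 4 against the local user database instead of the TACACS+ groups used in the examples above. The usernames, the 10.1.1.0/24 network, the excluded 10.1.1.50 host and the 209.165.201.5 server are assumed for illustration.

```cisco
! Added example (not from the guide): network access authentication
! against the local user database, with the Step 4 lockout limit.
! Addresses, usernames and passwords are assumed for illustration.

! Local user accounts used for network access authentication
username alice password <alice-password>
username bob password <bob-password>

! The deny ACE excludes the monitoring host from authentication and
! must come before the permit ACEs, because ACEs are evaluated in order.
! The permit ACEs mark Telnet to one server and all HTTP for
! authentication; both are services the appliance can prompt on.
access-list INSIDE_AUTH extended deny tcp host 10.1.1.50 any
access-list INSIDE_AUTH extended permit tcp 10.1.1.0 255.255.255.0 host 209.165.201.5 eq telnet
access-list INSIDE_AUTH extended permit tcp 10.1.1.0 255.255.255.0 any eq www

! Step 3: bind the access list to the inside interface. LOCAL selects
! the local database in place of an aaa-server group.
aaa authentication match INSIDE_AUTH inside LOCAL

! Step 4: lock a local account after 5 consecutive failed logins
! (the allowed range is 1 to 16).
aaa local authentication attempts max-fail 5

! Verify the AAA configuration and the lockout state of local users.
show running-config aaa
show aaa local user

! Clear the lockout for one account, or for all accounts.
clear aaa local user lockout username alice
clear aaa local user lockout all
```

Because the lockout counter only applies to the local database, the max-fail setting has no effect on the TACACS+ examples above; with LOCAL as the server group it is the only brute-force limit the appliance enforces, so check show aaa local user after a burst of failed logins to confirm the account actually locks.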
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01
Chapter 19 Applying AAA for Network Access, page 19-4