Static Pat And Http; Authenticating Directly With The Fwsm; Enabling Network Access Authentication - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Chapter 17
Applying AAA for Network Access
Note   If you use HTTP authentication without using the aaa authentication secure-http-client command, the
username and password are sent from the client to the FWSM in clear text. We recommend that you use
the aaa authentication secure-http-client command whenever you enable HTTP authentication. For
more information about the aaa authentication secure-http-client command, see the "Enabling Secure
Authentication of Web Clients" section on page 17-6.
For FTP, a user has the option of entering the FWSM username followed by an at sign (@) and then the
FTP username (name1@name2). For the password, the user enters the FWSM password followed by an
at sign (@) and then the FTP password (password1@password2). For example, enter the following text.
name> user1@user2
password> letmein@he110
This feature is useful when you have cascaded firewalls that require multiple logins. You can separate
several names and passwords by multiple at signs (@).

Static PAT and HTTP

For HTTP authentication, the FWSM checks real ports when static PAT is configured. If it detects traffic
destined for real port 80, regardless of the mapped port, the FWSM intercepts the HTTP connection and
enforces authentication.
For example, assume that outside TCP port 889 is translated to port 80 (www) and that any relevant
access lists permit the traffic:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 www netmask 255.255.255.255
Then, when users try to access 10.48.66.155 on port 889, the FWSM intercepts the traffic and enforces
HTTP authentication. Users see the HTTP authentication page in their web browsers before the FWSM
allows the HTTP connection to complete.
If the local (real) port is different from port 80, as in the following example:
static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 111 netmask 255.255.255.255
Then users do not see the authentication page. Instead, the FWSM sends the web browser an error
message indicating that the user must be authenticated prior to using the requested service.

Authenticating Directly with the FWSM

If you do not want to allow HTTP(S), Telnet, or FTP through the FWSM but want to authenticate other
types of traffic, you can configure virtual Telnet, virtual SSH, or virtual HTTP. With virtual Telnet, SSH,
or HTTP, the user connects using Telnet, SSH, or HTTP to a given IP address configured on the FWSM,
and the FWSM provides a prompt. For more information about the virtual telnet, virtual ssh, or virtual
http commands, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services
Module Command Reference.

Enabling Network Access Authentication

To enable network access authentication, perform the following steps:
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Configuring Authentication for Network Access
