Authentication Overview; One-Time Authentication; Applications Required To Receive An Authentication Challenge; Security Appliance Authentication Prompts - Cisco PIX 500 Series Configuration Manual

Configuring Authentication for Network Access

Authentication Overview

The security appliance lets you configure network access authentication using AAA servers. This section
includes the following topics:

One-Time Authentication, page 19-2
Applications Required to Receive an Authentication Challenge, page 19-2
Security Appliance Authentication Prompts, page 19-2
Static PAT and HTTP, page 19-3
Enabling Network Access Authentication, page 19-3

One-Time Authentication

A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. The session is keyed to the source IP address, not to the user or to an
individual connection, so every host that reaches the security appliance from that address (for example,
several hosts behind a NAT device) shares the same authenticated session. The session lifetime is set with
the timeout uauth command, which accepts an absolute limit and an inactivity limit (see the Cisco Security
Appliance Command Reference for the defaults and ranges). For example, if you configure the security
appliance to authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as
long as the authentication session exists, the user does not also have to authenticate for FTP.

Applications Required to Receive an Authentication Challenge

Although you can configure the security appliance to require authentication for network access to any
protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only, because these
are the protocols into which the security appliance can insert a username and password challenge. A user
must first authenticate with one of these services before the security appliance allows other traffic
requiring authentication; until then, that other traffic is dropped.
The authentication ports that the security appliance supports for AAA are fixed:

Port 21 for FTP
Port 23 for Telnet
Port 80 for HTTP
Port 443 for HTTPS

Challenges are issued only on these ports. A Telnet, FTP, HTTP, or HTTPS server on any other port is
treated like any other protocol: it can be required to authenticate, but the user must first authenticate
on one of the ports listed above.

Security Appliance Authentication Prompts

For Telnet and FTP, the security appliance generates an authentication prompt inside the protocol itself,
before the Telnet session or FTP login to the real server proceeds. Both protocols carry the username and
password in cleartext.
For HTTP, the security appliance uses basic HTTP authentication by default, and provides an
authentication prompt. Basic authentication sends the username and password as a base64-encoded header
with no encryption, so the credentials are only as protected as the underlying connection. You can
optionally configure the security appliance to redirect users to an internal web page where they can enter
their username and password (configured with the aaa authentication listener command).
For HTTPS, the security appliance generates a custom login screen. You can optionally configure the
security appliance to redirect users to an internal web page where they can enter their username and
password (configured with the aaa authentication listener command).
Redirection improves on the basic method: it gives users the same login experience for HTTP and HTTPS in
both Easy VPN and firewall modes, and it also lets users authenticate directly with the security appliance
by browsing to the listener address and port, without first requesting a protected resource.
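The following configuration is an added example and is not taken from the manual. It ties together the two behaviours described above: the per-source-address one-time authentication session (and its timeout uauth lifetime) and the fixed set of protocols that can receive a challenge, with the listener redirect in place of HTTP basic authentication. The interface name "inside", the user subnet 10.1.1.0/24, the TACACS+ server 10.1.1.10, the server tag AUTH_SRV, the ACL name AUTH_MATCH and the key are assumptions chosen for illustration.

```cisco
! Added example (not from the manual). Names, addresses and the key are
! hypothetical: interface "inside", user subnet 10.1.1.0/24, TACACS+ server
! 10.1.1.10 under server tag AUTH_SRV, ACL AUTH_MATCH. Replace before use.
!
! 1. The AAA server group the cut-through proxy consults.
aaa-server AUTH_SRV protocol tacacs+
aaa-server AUTH_SRV (inside) host 10.1.1.10
 key TACACS_SHARED_SECRET_PLACEHOLDER
!
! 2. Traffic that must be authenticated. Telnet and FTP match the page's
!    one-time authentication example; HTTP and HTTPS are included so users
!    can satisfy the requirement from a browser. SMTP is included to show a
!    protocol that can be required to authenticate but can never be
!    challenged: it is dropped until the same source address has
!    authenticated over one of the four challengeable protocols.
access-list AUTH_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-list AUTH_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list AUTH_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list AUTH_MATCH extended permit tcp 10.1.1.0 255.255.255.0 any eq smtp
aaa authentication match AUTH_MATCH inside AUTH_SRV
!
! 3. Redirect browser users to the appliance's own login page instead of
!    relying on HTTP basic authentication. Only the HTTPS listener protects
!    the submitted credentials in transit; the HTTP listener gives HTTP users
!    the same form-based experience but still carries the form in cleartext.
aaa authentication listener http inside port 80 redirect
aaa authentication listener https inside port 443 redirect
!
! 4. Lifetime of the per-source-address uauth entry. The absolute timer
!    bounds how long an address stays authenticated regardless of activity;
!    the inactivity timer ends idle sessions sooner.
timeout uauth 0:30:00 absolute
timeout uauth 0:10:00 inactivity
!
! Inspect and clear sessions while testing:
!   show uauth
!   clear uauth jdoe      (jdoe is a placeholder username)
```

After the first successful login from a host in 10.1.1.0/24, show uauth lists that source address once, and Telnet, FTP, HTTP, HTTPS and SMTP from the same address all pass until the absolute or inactivity timer expires; a second host sharing that address through NAT passes as well, which is the reason to keep the timers short on shared segments. Choose listener ports that no other service is already using on the same interface.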

This manual is also suitable for: ASA 5500 series