Enabling Secure Authentication Of Web Clients - Cisco PIX 500 Series Configuration Manual

Chapter 19
Applying AAA for Network Access
For example, the following commands authenticate all inside HTTP traffic and SMTP traffic:
hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
hostname(config)# aaa authentication listener http inside redirect
The following commands authenticate Telnet traffic from the outside interface to a particular server
(209.165.201.5):
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa authentication match TELNET_AUTH outside AuthInbound

Enabling Secure Authentication of Web Clients

If you use HTTP authentication, by default the username and password are sent from the client to the
security appliance in clear text; in addition, the username and password are sent on to the destination
web server as well. The security appliance provides several methods of securing HTTP authentication:
• Enable the redirection method of authentication for HTTP—Use the aaa authentication listener
command with the redirect keyword. This method prevents the authentication credentials from
continuing to the destination server. See the "Security Appliance Authentication Prompts" section
on page 19-2 for more information about the redirection method versus the basic method.
• Enable virtual HTTP—Use the virtual http command to let you authenticate separately with the
security appliance and with the HTTP server. Even if the HTTP server does not need a second
authentication, this command achieves the effect of stripping the basic authentication credentials
from the HTTP GET request.
• Enable the exchange of usernames and passwords between a web client and the security appliance
with HTTPS—Use the aaa authentication secure-http-client command to enable the exchange of
usernames and passwords between a web client and the security appliance with HTTPS. This is the
only method that protects credentials between the client and the security appliance, as well as
between the security appliance and the destination server. You can use this method alone, or in
conjunction with either of the other methods, to maximize your security.
After you enable this feature, when a user who requires authentication starts an HTTP connection,
the security appliance redirects the user to an HTTPS prompt. After the user authenticates
correctly, the security appliance redirects the user to the original HTTP URL.
Secured web-client authentication has the following limitations:
• A maximum of 16 concurrent HTTPS authentication sessions are allowed. If all 16 HTTPS
authentication processes are running, a new connection requiring authentication will not
succeed.
Configuring Authentication for Network Access
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
19-5
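To make concrete what the section above is protecting against, here is an added Python example; it is not code from Cisco or from this guide. It takes a constructed HTTP GET that carries basic authentication, decodes the Authorization header exactly as anyone reading the clear-text HTTP stream could (base64 is an encoding, not encryption), then models the two protections the section describes: removing the basic credentials before the request continues to the destination server (the effect of virtual http or the redirection listener) and answering the HTTP request with a redirect to an HTTPS authentication prompt that remembers the original URL (the effect of aaa authentication secure-http-client). The appliance host name and the /auth?next= prompt URL are assumptions for illustration; the guide does not describe the appliance's actual redirect format.

```python
import base64
import binascii
from urllib.parse import quote

# Constructed sample request, as it would cross the wire with HTTP basic authentication.
# "alice:s3cret" base64-encodes to "YWxpY2U6czNjcmV0".
SAMPLE_REQUEST = (
    "GET /intranet/index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "User-Agent: constructed-sample\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, ordered header list, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def exposed_basic_credentials(raw):
    """Return (username, password) if the request carries HTTP basic credentials, else None.

    This is the risk the guide describes: with plain HTTP authentication every device on the
    path between client and security appliance, and between appliance and web server, can
    recover the password this easily.
    """
    _, headers, _ = parse_request(raw)
    for name, value in headers:
        if name.lower() == "authorization" and value.lower().startswith("basic "):
            token = value.split(None, 1)[1]
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                return None  # malformed header: nothing recoverable
            user, sep, password = decoded.partition(":")
            return (user, password) if sep else None
    return None


def strip_basic_auth(raw):
    """Model of the credential stripping that virtual http (or the redirect listener) achieves:
    forward the GET without the Authorization header so the destination web server never
    sees the credentials the appliance used for its own check."""
    request_line, headers, body = parse_request(raw)
    kept = [(n, v) for n, v in headers if n.lower() != "authorization"]
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in kept])
    return head + "\r\n\r\n" + body


def https_prompt_redirect(raw, appliance_host):
    """Model of aaa authentication secure-http-client: rather than accepting credentials
    over HTTP, answer with a redirect to an HTTPS prompt on the appliance that carries the
    original URL, so the user can be sent back to it after authenticating.

    The /auth?next= form of the prompt URL is an assumption made for this example.
    """
    request_line, headers, _ = parse_request(raw)
    _method, path, _version = request_line.split(" ", 2)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    original_url = f"http://{host}{path}"
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: https://{appliance_host}/auth?next={quote(original_url, safe='')}\r\n"
        "\r\n"
    )


if __name__ == "__main__":
    print("credentials visible on the wire:", exposed_basic_credentials(SAMPLE_REQUEST))
    print("forwarded to the web server:\n" + strip_basic_auth(SAMPLE_REQUEST))
    print("answer to the HTTP client:\n" + https_prompt_redirect(SAMPLE_REQUEST, "appliance.example.com"))
```

Running the block shows the decoded username and password first, which is the point of the section: only the HTTPS redirect keeps them off the clear-text HTTP leg, and only stripping keeps them from reaching the web server.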
This manual is also suitable for: ASA 5500 series