Cisco PIX 500 Series Configuration Manual page 362
Security appliance command line
Configuring Authentication for Network Access
Step 1    Using the aaa-server command, identify your AAA servers. If you have already identified your AAA servers, continue to the next step.
For more information about identifying AAA servers, see the "Identifying AAA Server Groups and Servers" section on page 13-9.

Step 2    Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want to authenticate. For steps, see the "Adding an Extended Access List" section on page 16-5.
The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic from authentication. Be sure to include the destination ports for HTTP, HTTPS, Telnet, or FTP in the access list, because the user must authenticate with one of these services before other services are allowed through the security appliance.

Step 3    To configure authentication, enter the following command:
hostname(config)# aaa authentication match acl_name interface_name server_group
Where acl_name is the name of the access list you created in Step 2, interface_name is the name of the interface as specified with the nameif command, and server_group is the AAA server group you created in Step 1.

Note    You can alternatively use the aaa authentication include command (which identifies traffic within the command). However, you cannot use both methods in the same configuration. See the Cisco Security Appliance Command Reference for more information.

Step 4    (Optional) To enable the redirection method of authentication for HTTP or HTTPS connections, enter the following command:
hostname(config)# aaa authentication listener http[s] interface_name [port portnum] redirect
where the interface_name argument is the interface on which you want to enable listening ports.
The port portnum argument specifies the port number that the security appliance listens on; the defaults are 80 (HTTP) and 443 (HTTPS). You can use any port number and retain the same functionality, but be sure your direct authentication users know the port number; redirected traffic is sent to the correct port number automatically, but direct authenticators must specify the port number manually.
Enter this command separately for HTTP and for HTTPS.

Step 5    (Optional) If you are using the local database for network access authentication and you want to limit the number of consecutive failed login attempts that the security appliance allows any given user account, use the following command:
hostname(config)# aaa local authentication attempts max-fail number
Where number is between 1 and 16.
For example:
hostname(config)# aaa local authentication attempts max-fail 7

Tip    To clear the lockout status of a specific user or all users, use the clear aaa local user lockout command.
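The five steps above, carried through as one complete configuration. This is an added example and is not taken from the guide: the server group AUTHSRV, the access list AUTH_IN, the interface name inside, the shared-secret placeholder and all addresses (10.1.1.0/24 as the user subnet, 10.1.1.5 as the RADIUS server, 192.168.2.10 as an intranet web server) are constructed for illustration.

```cisco
! Added example, not from the guide. Names, addresses and the shared
! secret placeholder are constructed; substitute your own values.

! Step 1: AAA server group and one RADIUS server reachable via the
! inside interface. The key is entered in aaa-server host mode.
aaa-server AUTHSRV protocol radius
aaa-server AUTHSRV (inside) host 10.1.1.5
 key REPLACE-WITH-STRONG-SHARED-SECRET

! Step 2: access list that selects the traffic to authenticate.
! Order matters. The deny ACE comes first, so users reaching the
! intranet web server at 192.168.2.10 are exempt from authentication.
! The permit ACEs cover the four services through which a user can
! authenticate (www = TCP 80, https = 443, telnet = 23, ftp = 21).
! Traffic from the subnet that matches no ACE is not authenticated.
access-list AUTH_IN extended deny tcp 10.1.1.0 255.255.255.0 host 192.168.2.10 eq www
access-list AUTH_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list AUTH_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-list AUTH_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp

! Step 3: bind the access list to the interface on which the traffic
! arrives (the name given by nameif) and to the server group.
aaa authentication match AUTH_IN inside AUTHSRV

! Step 4: redirect-based authentication, one listener per protocol.
! The defaults (80 and 443) are written out explicitly here.
aaa authentication listener http inside port 80 redirect
aaa authentication listener https inside port 443 redirect

! Step 5 applies only when the server group is LOCAL. This commented
! variant replaces the RADIUS binding with the local database and
! locks an account after 5 consecutive failed attempts (range 1-16).
! username alice password REPLACE-WITH-PASSWORD
! aaa authentication match AUTH_IN inside LOCAL
! aaa local authentication attempts max-fail 5
! To release a locked account later, from EXEC mode:
! clear aaa local user lockout username alice
```

Two points worth checking before deploying something like this. First, because the deny ACE exempts rather than blocks, a deny placed above a permit silently removes authentication for that destination; review the ACE order with that in mind. Second, a user who authenticates through the plain HTTP listener (port 80) sends the credentials in cleartext on the wire, so where clients can be steered to it, the HTTPS listener is the one to rely on.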
Chapter 19    Applying AAA for Network Access
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
19-4
