Enabling Direct Authentication Using Telnet - Cisco PIX 500 Series Configuration Manual

Chapter 19
Applying AAA for Network Access
Configuring Authentication for Network Access
This command redirects all HTTP connections that require AAA authentication to the virtual HTTP
server on the security appliance. The security appliance prompts for the AAA server username and
password. After the AAA server authenticates the user, the security appliance redirects the HTTP
connection back to the original server, but it does not include the AAA server username and password.
Because the username and password are not included in the HTTP packet, the HTTP server prompts the
user separately for the HTTP server username and password.
For inbound users (from lower security to higher security), you must also include the virtual HTTP
address as a destination interface in the access list applied to the source interface. Moreover, you must
add a static command for the virtual HTTP IP address, even if NAT is not required (using the no
nat-control command). An identity NAT command is typically used (where you translate the address to
itself).
For outbound users, there is an explicit permit for traffic, but if you apply an access list to an inside
interface, be sure to allow access to the virtual HTTP address. A static statement is not required.
Note: Do not set the timeout uauth command duration to 0 seconds when using the virtual http command,
because this setting prevents HTTP connections to the real web server.
You can authenticate directly with the security appliance at the following URLs when you enable AAA
for the interface:
http://interface_ip[:port]/netaccess/connstatus.html
https://interface_ip[:port]/netaccess/connstatus.html

Enabling Direct Authentication Using Telnet

Although you can configure network access authentication for any protocol or service (see the aaa
authentication match or aaa authentication include command), you can authenticate directly with
HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic
that requires authentication is allowed through. If you do not want to allow HTTP, Telnet, or FTP through
the security appliance, but want to authenticate other types of traffic, you can configure virtual Telnet;
the user Telnets to a given IP address configured on the security appliance, and the security appliance
provides a Telnet prompt.
To configure a virtual Telnet server, enter the following command:
hostname(config)# virtual telnet ip_address
where the ip_address argument sets the IP address for the virtual Telnet server. Make sure this address
is an unused address that is routed to the security appliance.
You must configure authentication for Telnet access to the virtual Telnet address as well as for the other
services you want to authenticate, using the aaa authentication match or aaa authentication include
command.
When an unauthenticated user connects to the virtual Telnet IP address, the user is challenged for a
username and password, and then authenticated by the AAA server. Once authenticated, the user sees
the message "Authentication Successful." Then, the user can successfully access other services that
require authentication.
For inbound users (from lower security to higher security), you must also include the virtual Telnet
address as a destination interface in the access list applied to the source interface. Moreover, you must
add a static command for the virtual Telnet IP address, even if NAT is not required (using the no
nat-control command). An identity NAT command is typically used (where you translate the address to
itself).
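The inbound virtual Telnet case described above, written out as a complete configuration. This is an added example, not a sample from the guide; the AAA server tag AUTHSRV, the access-list names, the key placeholder, and the addresses (taken from documentation ranges) are assumed.

```cisco
! Added example (not from the guide): inbound virtual Telnet with AAA.
! Assumed values: TACACS+ server AUTHSRV at 192.0.2.10 on inside,
! virtual Telnet address 203.0.113.50 (unused, routed to the appliance),
! protected inside host 192.0.2.20 offering a custom TCP/5000 service.
!
! 1. Define the AAA server that validates the username and password.
aaa-server AUTHSRV protocol tacacs+
aaa-server AUTHSRV (inside) host 192.0.2.10 KEY_PLACEHOLDER
!
! 2. NAT is not enforced on this appliance; inbound traffic to inside
!    hosts may pass untranslated.
no nat-control
!
! 3. The virtual Telnet address that presents the login challenge.
virtual telnet 203.0.113.50
!
! 4. Identity static for the virtual address, still required for inbound
!    (lower-to-higher security) users even with no nat-control.
static (inside,outside) 203.0.113.50 203.0.113.50 netmask 255.255.255.255
!
! 5. Traffic that must be authenticated: Telnet to the virtual address,
!    plus a service that is not HTTP, Telnet or FTP and so cannot prompt.
access-list AUTH_TRAFFIC extended permit tcp any host 203.0.113.50 eq telnet
access-list AUTH_TRAFFIC extended permit tcp any host 192.0.2.20 eq 5000
aaa authentication match AUTH_TRAFFIC outside AUTHSRV
!
! 6. The access list on the source (outside) interface must permit the
!    virtual Telnet destination as well as the protected service.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.50 eq telnet
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.20 eq 5000
access-group OUTSIDE_IN in interface outside
!
! 7. Keep the uauth cache non-zero so the credential obtained at the
!    virtual Telnet prompt still covers the follow-on connection.
timeout uauth 0:05:00 absolute
```

An outside user first Telnets to 203.0.113.50, sees "Authentication Successful" after the AAA server accepts the credentials, and can then open TCP/5000 to 192.0.2.20 for as long as the uauth entry lives.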
Cisco Security Appliance Command Line Configuration Guide
19-7
OL-12172-03