Enabling Network Access Authentication - Cisco Catalyst 6500 Series Configuration Manual

Chapter 12
Configuring AAA
Configuring Authentication for Network Access
example, if you configure the FWSM to authenticate Telnet and FTP, and a user first successfully
authenticates for Telnet, then as long as the authentication session exists, the user does not also have to
authenticate for FTP.
For Telnet, HTTP, and FTP, the FWSM generates an authentication prompt. If the destination server also
has its own authentication, the user enters another username and password.
For FTP, a user has the option of entering the FWSM username followed by an at sign (@) and then the
FTP username (name1@name2). For the password, the user enters the FWSM password followed by an
at sign (@) and then the FTP password (password1@password2). For example, enter the following text:
name> john_c@jchrichton
password> letmein@he110
This feature is useful when you have cascaded firewalls that require multiple logins. You can separate
several names and passwords by using multiple "at" signs (@).

Enabling Network Access Authentication

To configure authentication, enter the following command:
FWSM/contexta(config)# aaa authentication match acl_name interface_name server_group
Identify the source addresses and destination addresses using an extended ACL. Create the ACL using
the access-list command (see the "Adding an Extended Access Control List" section on page 10-13).
The permit access control entries (ACEs) mark matching traffic for authentication, while deny entries
exclude matching traffic from authentication. Be sure to include the destination ports for either HTTP,
Telnet, or FTP in the ACL because the user must authenticate with one of these services before other
services are allowed through the FWSM.
Note You can alternatively use the aaa authentication include command (which identifies traffic within the
command). However, you cannot use both methods in the same configuration. See the Catalyst 6500
Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more
information.
For example, the following commands authenticate all inside HTTP traffic and SMTP traffic:
FWSM/contexta(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
FWSM/contexta(config)# access-list MAIL_AUTH extended permit tcp any any eq www
FWSM/contexta(config)# aaa-server AuthOutbound protocol tacacs+
FWSM/contexta(config)# aaa-server AuthOutbound (inside) host 10.1.1.1 TheUauthKey
FWSM/contexta(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
The following commands authenticate Telnet traffic from the outside interface to a particular server
(209.165.201.5):
FWSM/contexta(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq telnet
FWSM/contexta(config)# aaa-server AuthInbound protocol tacacs+
FWSM/contexta(config)# aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey
FWSM/contexta(config)# aaa authentication match TELNET_AUTH outside AuthInbound
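As an added example (not from the Cisco guide), the following Python script models how the FWSM evaluates an authentication ACL from the aaa authentication match command: the first matching ACE decides, permit marks the flow for authentication, deny excludes it, and no match means no authentication. It also checks the caveat above, that the ACL must permit at least one of HTTP, Telnet or FTP, since otherwise users never reach a prompt. The first-match model and the small access-list syntax subset the parser accepts are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "http": 80, "telnet": 23, "ftp": 21, "smtp": 25}
AUTH_PROMPT_PORTS = {80, 23, 21}  # services the FWSM can prompt on: HTTP, Telnet, FTP

@dataclass
class Ace:
    action: str                  # "permit" = authenticate, "deny" = exclude
    proto: str                   # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_ace(line: str) -> Ace:
    """Parse the 'access-list NAME extended ...' subset used in this section."""
    tok = line.split()
    if tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"unsupported ACE syntax: {line}")
    src, rest = _addr(tok[5:])
    dst, rest = _addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(tok[3], tok[4], src, dst, dport)

def needs_auth(acl: List[Ace], src: str, dst: str, dport: int, proto="tcp") -> bool:
    """Assumed model: first matching ACE decides; no match means no authentication."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if (ace.proto in (proto, "ip") and s in ace.src and d in ace.dst
                and ace.dport in (None, dport)):
            return ace.action == "permit"
    return False

def lint_auth_acl(acl: List[Ace]) -> List[str]:
    """Flag the mistake the text warns about: no permit for a service the FWSM prompts on."""
    if any(a.action == "permit" and a.dport in AUTH_PROMPT_PORTS for a in acl):
        return []
    return ["no permit ACE for HTTP, Telnet or FTP: users have no way to authenticate"]
```

Feed it the MAIL_AUTH and TELNET_AUTH lines from this section to see which flows are marked for authentication; a deny ACE placed before a permit exempts the hosts it matches.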
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
12-21
OL-6392-01