Enabling Secure Authentication Of Web Clients - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 19
Applying AAA for Network Access

Enabling Secure Authentication of Web Clients

The security appliance provides a method of securing HTTP authentication. Without it, usernames and passwords sent from the client to the security appliance are passed in clear text. The aaa authentication secure-http-client command makes the security appliance exchange usernames and passwords with the web client over HTTPS.
After you enable this feature, when a user is required to authenticate while using HTTP, the security appliance redirects the user to its internal HTTPS login page instead of the HTTP page. After the user authenticates successfully, the security appliance redirects the user to the original HTTP URL.
To enable secure authentication of web clients, enter the following command:
hostname(config)# aaa authentication secure-http-client
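The following is an added example, not taken from the guide, that puts the command in a complete working context: outside users reaching an inside web server through static PAT are authenticated against a TACACS+ server group before the HTTPS login page is served. The ACL names, server group name, TACACS+ server address and key are assumed; the PAT addresses follow the static PAT example in the limitations below.

```cisco
! Interface ACL on outside: permit port 80 to the mapped server address AND
! port 443, because the HTTPS login redirect uses 443 (do not block it).
! Addresses are the mapped (global) addresses as seen on the outside interface.
access-list OUTSIDE_IN extended permit tcp any host 10.132.16.200 eq www
access-list OUTSIDE_IN extended permit tcp any host 10.132.16.200 eq https
access-group OUTSIDE_IN in interface outside

! Traffic that must be authenticated: HTTP from any outside client to the web server
access-list AUTH_HTTP extended permit tcp any host 10.132.16.200 eq www

! TACACS+ server group (group name, host address and key are assumed placeholders)
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (inside) host 10.130.16.5
 key TACACS-KEY-PLACEHOLDER

! Authenticate AUTH_HTTP traffic arriving on the outside interface
aaa authentication match AUTH_HTTP outside AuthInbound

! Serve the login page over HTTPS so credentials never cross the network in clear text
aaa authentication secure-http-client

! Keep a non-zero uauth timeout: with 0, each additional browser connection
! would trigger a fresh login prompt (see the limitations that follow)
timeout uauth 0:05:00 absolute

! Static PAT for port 80 must be paired with the same mapping for port 443,
! otherwise the HTTPS authentication redirect has no translation to use
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
static (inside,outside) tcp 10.132.16.200 443 10.130.16.10 443
```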
Secured web-client authentication has the following limitations:
• A maximum of 16 concurrent HTTPS authentication sessions is allowed. If all 16 HTTPS authentication processes are running, a new connection requiring authentication will not succeed.
• When the uauth timeout is set to 0 (timeout uauth 0), HTTPS authentication might not work. If a browser initiates multiple TCP connections to load a web page after HTTPS authentication, the first connection is let through, but the subsequent connections trigger authentication. As a result, users are continuously presented with an authentication page, even if the correct username and password are entered each time. To work around this, set the uauth timeout to 1 second with the timeout uauth 0:0:1 command. However, this workaround opens a 1-second window that might allow non-authenticated users coming from the same source IP address to pass through the firewall.
• Because HTTPS authentication occurs on SSL port 443, do not configure an access-list command statement that blocks traffic from the HTTP client to the HTTP server on port 443. Furthermore, if static PAT is configured for web traffic on port 80, it must also be configured for the SSL port. In the following example, the first line configures static PAT for web traffic and the second line must be added to support the HTTPS authentication configuration.
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
static (inside,outside) tcp 10.132.16.200 443 10.130.16.10 443

Configuring Authorization for Network Access
After a user authenticates for a given connection, the security appliance can use authorization to further control traffic from the user.
This section includes the following topics:
• Configuring TACACS+ Authorization, page 19-5
• Configuring RADIUS Authorization, page 19-7

Configuring TACACS+ Authorization
You can configure the security appliance to perform network access authorization with TACACS+. You identify the traffic to be authorized by specifying access lists that authorization rules must match. Alternatively, you can identify the traffic directly in the authorization rules themselves.

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 19-5