Cisco ASA Series Cli Configuration Manual page 1037

Software version 9.0 for the services module
Chapter 1
Configuring AAA Rules for Network Access
The following example shows a typical cut-through proxy configuration to allow a user to log in through
the ASA. In this example, the following conditions apply:
• The ASA IP address is 192.168.123.10.
• The Active Directory domain controller has the IP address 10.1.2.10.
• The end user client has the IP address 192.168.123.10 and uses HTTPS to log in through a web
portal.
• The user is authenticated by the Active Directory domain controller via LDAP.
• The ASA uses the inside interface to connect to the Active Directory domain controller on the
corporate network.

hostname(config)# access-list AUTH extended permit tcp any 192.168.123.10 255.255.255.0 eq http
hostname(config)# access-list AUTH extended permit tcp any 192.168.123.10 255.255.255.0 eq https
hostname(config)# aaa-server LDAP protocol ldap
hostname(config-aaa-server-group)# aaa-server LDAP (inside) host 10.1.2.10
hostname(config-aaa-server-host)# ldap-base-dn DC=cisco,DC=com
hostname(config-aaa-server-host)# ldap-group-base-dn DC=cisco,DC=com
hostname(config-aaa-server-host)# ldap-scope subtree
hostname(config-aaa-server-host)# ldap-login-dn cn=kao,OU=Employees,OU=Cisco Users,DC=cisco,DC=com
hostname(config-aaa-server-host)# ldap-login-password *****
hostname(config-aaa-server-host)# ldap-over-ssl enable
hostname(config-aaa-server-host)# server-type microsoft
hostname(config-aaa-server-host)# aaa authentication match AUTH inside LDAP
hostname(config)#
hostname(config)# http server enable
hostname(config)# http 0.0.0.0 0.0.0.0 inside
hostname(config)#
hostname(config)# auth-prompt prompt Enter Your Authentication
hostname(config)# auth-prompt accept You are Good
hostname(config)# auth-prompt reject Goodbye

In this example, the following guidelines apply:
• In access-list commands, you should configure permit user NONE rules before entering the
access-list 100 ex deny any any command to allow unauthenticated incoming users to trigger AAA
cut-through proxy.
• In access-list AUTH commands, permit user NONE rules specify that only unauthenticated users
can trigger AAA cut-through proxy.

hostname(config)# access-list listenerAuth extended permit tcp any any
hostname(config)# aaa authentication match listenerAuth inside ldap
hostname(config)# aaa authentication listener http inside port 8888
hostname(config)# access-list 100 ex permit ip user SAMPLE\user1 any any
hostname(config)# access-list 100 ex deny ip user SAMPLE\user2 any any
hostname(config)# access-list 100 ex permit ip user NONE any any
hostname(config)# access-list 100 ex deny any any
hostname(config)# access-group 100 in interface inside
hostname(config)# aaa authentication match 100 inside user-identity

The following example shows how you can use AAA rules plus identity firewall (cut-through proxy) to
authenticate successfully:
hostname(config)# access-list 100 ex permit ip user CISCO\xyz any any
hostname(config)# access-list 100 ex deny ip user CISCO\abc any any
hostname(config)# access-list 100 ex permit ip user NONE any any
hostname(config)# access-list 100 ex deny any any
hostname(config)# access-group 100 in interface inside
hostname(config)# access-list 200 ex permit ip user NONE any any
hostname(config)# aaa authentication match 200 inside user-identity

Configuring Authentication for Network Access
Cisco ASA Series CLI Configuration Guide
1-9
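The ordering guideline in this section (every permit user NONE rule must come before the catch-all deny any any, or unauthenticated users are dropped before they can be prompted) is easy to break when an ACL is edited later. The following is an added example, not from the Cisco guide, that lint-checks an exported ASA configuration for that rule; the sample configuration, the ACL name 100 and the function name are constructed for the demonstration.

```python
import re

# Constructed sample, modelled on the guide's identity-firewall example
# (not a capture from a real device).
SAMPLE_CONFIG = """\
access-list 100 ex permit ip user SAMPLE\\user1 any any
access-list 100 ex deny ip user SAMPLE\\user2 any any
access-list 100 ex permit ip user NONE any any
access-list 100 ex deny any any
access-group 100 in interface inside
aaa authentication match 100 inside user-identity
"""

ACE_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+(?:ex|extended)\s+"
                    r"(?P<action>permit|deny)\s+(?P<rest>.+)$")
CATCH_ALL_RE = re.compile(r"(?:\S+\s+)?any\s+any")   # optional protocol, no user qualifier
USER_NONE_RE = re.compile(r"\buser\s+NONE\b")

def check_cut_through_acl(config, acl_name):
    """Return findings (empty list = OK) for the ACL that triggers cut-through proxy.

    Rule from the guide: every 'permit ... user NONE' ACE must precede the
    catch-all 'deny any any'; otherwise unauthenticated users are dropped before
    they can be prompted, and authentication never happens.
    """
    findings = []
    aces = [(m.group("action"), m.group("rest"))
            for m in map(ACE_RE.match, (l.strip() for l in config.splitlines()))
            if m and m.group("name") == acl_name]
    if not aces:
        return ["ACL %s: no ACEs found" % acl_name]
    catch_all = next((i for i, (act, rest) in enumerate(aces)
                      if act == "deny" and CATCH_ALL_RE.fullmatch(rest)), None)
    none_permits = [i for i, (act, rest) in enumerate(aces)
                    if act == "permit" and USER_NONE_RE.search(rest)]
    if not none_permits:
        findings.append("ACL %s: no 'permit ... user NONE' ACE, so unauthenticated "
                        "users can never trigger cut-through proxy" % acl_name)
    if catch_all is None:
        findings.append("ACL %s: no catch-all 'deny any any'" % acl_name)
    else:
        for i in none_permits:
            if i > catch_all:
                findings.append("ACL %s: 'permit user NONE' ACE %d is shadowed by "
                                "'deny any any' at ACE %d" % (acl_name, i + 1, catch_all + 1))
    if not re.search(r"^aaa authentication match %s\s+\S+\s+user-identity"
                     % re.escape(acl_name), config, re.M):
        findings.append("ACL %s: not bound by 'aaa authentication match ... user-identity'"
                        % acl_name)
    return findings
```

Run it over the output of show running-config; an empty list means the ACL satisfies the guideline, and each finding names the ACE position that needs to move.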