Cisco ASA Series CLI Configuration Manual, page 1038

Software version 9.0 for the services module
Chapter 1 Configuring AAA Rules for Network Access
Configuring Authentication for Network Access

For more information about authentication, see the "Information About Authentication" section on page 1-2.

Enabling Secure Authentication of Web Clients

If you use HTTP authentication, by default the username and password are sent from the client to the ASA in clear text; in addition, the username and password are forwarded to the destination web server as well. The ASA provides the following methods for securing HTTP authentication:

• Enable the redirection method of authentication for HTTP—Use the aaa authentication listener command with the redirect keyword. This method prevents the authentication credentials from continuing to the destination server. See the "ASA Authentication Prompts" section on page 1-3 for more information about the redirection method compared to the basic method.

• Enable virtual HTTP—Use the virtual http command to authenticate separately with the ASA and with the HTTP server. Even if the HTTP server does not need a second authentication, this command achieves the effect of stripping the basic authentication credentials from the HTTP GET request. See the "Authenticating HTTP(S) Connections with a Virtual Server" section on page 1-11 for more information.

• Enable the exchange of usernames and passwords between a web client and the ASA with HTTPS—Use the aaa authentication secure-http-client command to enable the exchange of usernames and passwords between a web client and the ASA over HTTPS. This is the only method that protects credentials between the client and the ASA, as well as between the ASA and the destination server. You can use this method alone, or in conjunction with either of the other methods, to maximize your security.

After enabling this feature, when a user requires authentication for HTTP traffic, the ASA redirects the user to an HTTPS prompt. After the user authenticates correctly, the ASA redirects the browser to the original HTTP URL.

Secured web-client authentication has the following limitations:

– A maximum of 64 concurrent HTTPS authentication sessions is allowed. If all 64 HTTPS authentication processes are running, a new connection requiring authentication does not succeed.

– When the uauth timeout is set to 0 (timeout uauth 0:0:0), HTTPS authentication might not work. If a browser opens multiple TCP connections to load a web page after HTTPS authentication, the first connection is let through, but the subsequent connections trigger authentication again. As a result, users are continuously presented with an authentication page, even if the correct username and password are entered each time. To work around this, set the uauth timeout to 1 second with the timeout uauth 0:0:1 command. However, this workaround opens a 1-second window in which unauthenticated users coming from the same source IP address might pass through the firewall.

– Because HTTPS authentication occurs on the SSL port 443, do not configure an access-list command statement that blocks traffic from the HTTP client to the HTTP server on port 443. Furthermore, if static PAT is configured for web traffic on port 80, it must also be configured for the SSL port. In the following example, the first set of commands configures static PAT for web traffic, and the second set of commands must be added to support the HTTPS authentication configuration:

object network obj-10.130.16.10-01
 host 10.130.16.10
 nat (inside,outside) static 10.132.16.200 service tcp 80 80
object network obj-10.130.16.10-02
 host 10.130.16.10

Cisco ASA Series CLI Configuration Guide
1-10
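The prerequisites above (a tcp 443 static PAT twin for every tcp 80 static PAT, no ACL denying port 443, a uauth timeout that is not 0:0:0, and a listener that uses redirect) are easy to get wrong piecemeal. The following checker is an added example written for this page, not Cisco code and not part of the guide: it lints a pasted running-config excerpt for exactly those conditions. Both sample configs are constructed; the tcp 443 NAT line in SAMPLE_OK is an assumption that completes the page's second object (which the page cuts off) according to the stated rule that the SSL port must be mapped too. The regexes assume the object-NAT and listener syntax shown on this page and are not a general ASA parser.

```python
import re

# Constructed sample configs (not from the page). The "service tcp 443 443" line
# is assumed: it completes the page's second network object under the rule that
# static PAT on port 80 must also be configured for the SSL port.
SAMPLE_OK = """\
object network obj-10.130.16.10-01
 host 10.130.16.10
 nat (inside,outside) static 10.132.16.200 service tcp 80 80
object network obj-10.130.16.10-02
 host 10.130.16.10
 nat (inside,outside) static 10.132.16.200 service tcp 443 443
access-list outside_in extended permit tcp any host 10.132.16.200 eq 80
access-list outside_in extended permit tcp any host 10.132.16.200 eq 443
access-group outside_in in interface outside
aaa authentication listener http inside port 80 redirect
aaa authentication secure-http-client
timeout uauth 0:05:00 absolute
"""

# Same design with each of the page's four pitfalls present (constructed).
SAMPLE_BAD = """\
object network obj-10.130.16.10-01
 host 10.130.16.10
 nat (inside,outside) static 10.132.16.200 service tcp 80 80
access-list outside_in extended deny tcp any host 10.132.16.200 eq 443
access-list outside_in extended permit tcp any host 10.132.16.200 eq 80
access-group outside_in in interface outside
aaa authentication listener http inside port 80
aaa authentication secure-http-client
timeout uauth 0:0:0 absolute
"""

OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) static (\S+) service tcp (\S+) (\S+)$")
LISTENER_RE = re.compile(
    r"^aaa authentication listener http (\S+)(?: port \d+)?(?P<redir> redirect)?$")
ACL_DENY_RE = re.compile(r"^access-list \S+ extended deny tcp .* eq (443|https)$")
UAUTH_RE = re.compile(r"^timeout uauth (\d+):(\d+):(\d+)")


def parse_static_pat(config):
    """Collect (object, real_host, mapped_ip, real_port, mapped_port) for every
    object-NAT static PAT on tcp. Sub-commands are attributed to the most recent
    'object network' line, as in the ASA running-config layout."""
    entries, obj, host = [], None, None
    for line in config.splitlines():
        m = OBJ_RE.match(line)
        if m:
            obj, host = m.group(1), None
            continue
        m = HOST_RE.match(line)
        if m and obj:
            host = m.group(1)
            continue
        m = NAT_RE.match(line)
        if m and obj and host:
            entries.append((obj, host, m.group(3), m.group(4), m.group(5)))
    return entries


def lint_secure_http_client(config):
    """Return a list of findings; an empty list means the page's prerequisites hold."""
    findings = []
    lines = config.splitlines()
    if "aaa authentication secure-http-client" not in lines:
        findings.append("secure-http-client is not enabled: credentials between "
                        "client and ASA travel in clear text")
        return findings

    # 1. Every static PAT for web traffic on tcp 80 needs the same mapping on tcp 443,
    #    otherwise the HTTPS prompt on 443 is unreachable through the mapped address.
    pats = parse_static_pat(config)
    for obj, host, mapped, real, _ in pats:
        if real in ("80", "www"):
            has_443 = any(h == host and mp == mapped and r in ("443", "https")
                          for _, h, mp, r, _ in pats)
            if not has_443:
                findings.append(f"{obj}: static PAT {host}->{mapped} on tcp 80 has "
                                "no tcp 443 counterpart; the HTTPS prompt is unreachable")

    # 2. An ACL that denies client-to-server port 443 defeats the HTTPS redirect.
    for line in lines:
        if ACL_DENY_RE.match(line):
            findings.append(f"ACL denies tcp 443, which blocks HTTPS authentication: {line}")

    # 3. uauth 0:0:0 makes every extra browser connection re-prompt; 0:0:1 works but
    #    leaves a 1-second window for other hosts behind the same source IP.
    for line in lines:
        m = UAUTH_RE.match(line)
        if m:
            hms = tuple(int(x) for x in m.groups())
            if hms == (0, 0, 0):
                findings.append("timeout uauth 0:0:0: HTTPS authentication may loop on "
                                "multi-connection pages; use at least 0:0:1")
            elif hms == (0, 0, 1):
                findings.append("timeout uauth 0:0:1: works, but unauthenticated users "
                                "from the same source IP get a 1-second window")

    # 4. Without the redirect keyword the basic method forwards the credentials
    #    to the destination server.
    for line in lines:
        m = LISTENER_RE.match(line)
        if m and not m.group("redir"):
            findings.append(f"listener without redirect: {line}; basic-method "
                            "credentials continue to the destination server")
    return findings


if __name__ == "__main__":
    for name, cfg in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, lint_secure_http_client(cfg) or ["no findings"])
```

Paste the relevant `show running-config` lines into the config string to run the same checks against a real device; the 0:0:1 case is reported as a finding on purpose, since the page describes it as a workaround with a known exposure rather than a safe setting.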