Cisco 7604 Configuration Manual page 348

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Chapter 17    Applying AAA for Network Access

Configuring Authentication for Network Access

Step 1    Using the aaa-server command, identify your AAA servers. If you have already identified your AAA servers, continue to the next step.
          For more information about identifying AAA servers, see the "Identifying AAA Server Groups and Servers" section on page 11-9.

Step 2    Using the access-list command, create an access list that identifies the source addresses and destination addresses of traffic you want to authenticate. For steps, see the "Adding an Extended Access List" section on page 13-6.
          The permit ACEs mark matching traffic for authentication, while deny entries exclude matching traffic from authentication. Be sure to include the destination ports for either HTTP(S), Telnet, or FTP in the access list because the user must authenticate with one of these services before other services are allowed through the FWSM.

Step 3    To configure authentication, enter the following command:

          hostname(config)# aaa authentication match acl_name interface_name server_group

          where acl_name is the name of the access list you created in Step 2, interface_name is the name of the interface as specified with the nameif command, and server_group is the AAA server group you created in Step 1.

          Note    You can alternatively use the aaa authentication include command (which identifies traffic within the command). However, you cannot use both methods in the same configuration. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information.

Step 4    (Optional) If you are using the local database for network access authentication and you want to limit the number of consecutive failed login attempts that the FWSM allows any given user account, use the aaa local authentication attempts max-fail command. For example:

          hostname(config)# aaa local authentication attempts max-fail 7

          Tip    To clear the lockout status of a specific user or all users, use the clear aaa local user lockout command.

Step 5    (Optional) When a user authentication times out or you clear the authentication sessions using the clear uauth command, you can force any active connections to close immediately by entering the following command:

          hostname(config)# aaa authentication clear-conn interface_name source_ip source_mask

          Without this command, active connections are not terminated even though the user authentication session expired.

For example, the following commands authenticate all inside HTTP traffic and SMTP traffic:

hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
hostname(config)# access-list MAIL_AUTH extended permit tcp any any eq www
hostname(config)# aaa authentication match MAIL_AUTH inside AuthOutbound

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01    17-4
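As an added example that is not part of the guide, the following Python script (assumed review tooling, not a Cisco feature) reads a saved FWSM configuration and checks the two pitfalls the procedure above calls out: an authentication ACL whose permit ACEs include none of the HTTP(S), Telnet, or FTP ports, so matched users are never prompted and nothing is allowed through, and a configuration that mixes the match and include forms of aaa authentication. The configuration text is constructed for the example.

```python
import re

# Constructed FWSM configuration fragment for this check (not taken from a real device).
SAMPLE_CONFIG = """
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.1
access-list MAIL_AUTH extended permit tcp any any eq smtp
access-list MAIL_AUTH extended permit tcp any any eq www
access-list SMTP_ONLY extended permit tcp any any eq smtp
aaa authentication match MAIL_AUTH inside AuthOutbound
aaa authentication match SMTP_ONLY dmz AuthOutbound
"""

# Services a user can authenticate through, per the guide (keywords/numbers as FWSM ACEs use them).
AUTH_PORTS = {"www", "http", "80", "https", "443", "telnet", "23", "ftp", "21"}
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+)(.*)$")
MATCH_RE = re.compile(r"^aaa authentication match (\S+) (\S+) (\S+)$")

def parse_aces(config):
    """Map ACL name -> list of (action, protocol, destination port or None)."""
    aces = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        port = re.search(r"\beq (\S+)$", rest.strip())
        aces.setdefault(name, []).append((action, proto, port.group(1) if port else None))
    return aces

def check_auth_rules(config):
    """Return (acl, interface, message) findings for the aaa authentication match rules."""
    aces = parse_aces(config)
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    # The guide's note: the match and include forms cannot coexist in one configuration.
    if any(l.startswith("aaa authentication include") for l in lines) and any(MATCH_RE.match(l) for l in lines):
        findings.append(("*", "*", "aaa authentication match and include cannot be mixed"))
    for line in lines:
        m = MATCH_RE.match(line)
        if not m:
            continue
        acl, iface, _group = m.groups()
        entries = aces.get(acl)
        if entries is None:
            findings.append((acl, iface, "referenced ACL is not defined"))
        elif not any(a == "permit" and p in AUTH_PORTS for a, _, p in entries):
            findings.append((acl, iface, "no permit ACE for HTTP(S), Telnet, or FTP"))
    return findings
```

Run against a real `show running-config` capture, the SMTP_ONLY rule on dmz is the kind of rule this flags: mail traffic matches, but no user can ever satisfy the authentication prompt.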