Configuring Custom Login Prompts - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

Chapter 17
Applying AAA for Network Access
The following commands authenticate Telnet traffic from the outside interface to a particular server (209.165.201.5):
hostname(config)# aaa-server AuthInbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthInbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa authentication match TELNET_AUTH outside AuthInbound

Configuring Custom Login Prompts

By default, when a user authenticates with the FWSM, they see the following prompt:

For HTTP—HTTP Authentication
For FTP—FTP Authentication
For Telnet—no prompt.

You can customize the login prompt, and also show prompts when a user is accepted or rejected. If you
use a RADIUS server that communicates with a Windows Active Directory server, the reject prompt can
be customized to show when a user was rejected due to invalid credentials (the wrong username or
password) or because a password has expired. If a password expired, the user is prompted for a new
password.

Note  Customizing the login prompt causes the FWSM to use MSCHAPv2 for the user password. Please check
for MSCHAPv2 compatibility with your RADIUS server and back-end database before enabling this
feature.

To customize the login prompt, perform the following steps:

Step 1  To customize the login prompt, enter the following command:
hostname(config)# auth-prompt prompt text
Where text is a string of up to 235 alphanumeric characters or 31 words, limited by whichever maximum
is first reached. Special characters, spaces, and punctuation characters are permitted. Entering a question
mark or pressing the Enter key ends the string. (The question mark appears in the string.)

Step 2  To show text when a user is accepted, enter the following command:
hostname(config)# auth-prompt accept text

Step 3  To show text when a user is rejected, enter the following command:
hostname(config)# auth-prompt reject text
When you enter the reject keyword without the invalid-credentials or reject expired-pwd keywords,
then this generic prompt is displayed for all rejections that are not due to invalid credentials or expired
passwords. For a rejection due to an invalid credential or an expired password, then the prompt you set
for the invalid-credentials or reject expired-pwd keyword displays. If you do not set any prompts for
invalid credentials or expired passwords, then the generic reject prompt is shown in all cases.

Step 4  To show text when a user is rejected due to invalid credentials, enter the following command:

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Configuring Authentication for Network Access
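
The limits that Step 1 places on the auth-prompt text (235 characters or 31 words, with a question mark or Enter ending the string) can be checked before prompts are pushed to the FWSM. The script below is an added example, not part of the Cisco guide; the function names check_prompt and render_commands and the sample prompts are constructed for illustration. It assumes words are whitespace-separated and that the character limit applies to the total length of the text.

```python
# Added example: pre-deployment check of auth-prompt text against the limits
# stated in Step 1. Function names and sample prompts are constructed.

MAX_CHARS = 235  # "up to 235 alphanumeric characters" (assumed: total length)
MAX_WORDS = 31   # "or 31 words", whichever maximum is reached first
KINDS = ("prompt", "accept", "reject")  # keywords shown in Steps 1 to 3


def check_prompt(text):
    """Return a list of problems that would stop `text` being stored as written."""
    problems = []
    if not text.strip():
        problems.append("empty text")
    if "\n" in text or "\r" in text:
        problems.append("line break: pressing Enter ends the string")
    q = text.find("?")
    # A trailing question mark is kept in the string; an earlier one ends it.
    if q != -1 and q != len(text) - 1:
        problems.append(f"question mark at offset {q} ends the string early")
    if len(text) > MAX_CHARS:
        problems.append(f"{len(text)} characters exceeds {MAX_CHARS}")
    words = len(text.split())  # assumption: words are whitespace-separated
    if words > MAX_WORDS:
        problems.append(f"{words} words exceeds {MAX_WORDS}")
    return problems


def render_commands(prompts):
    """Build auth-prompt lines for a {kind: text} dict; raise if any text fails."""
    lines = []
    for kind, text in prompts.items():
        if kind not in KINDS:
            raise ValueError(f"unsupported keyword: {kind}")
        problems = check_prompt(text)
        if problems:
            raise ValueError(f"auth-prompt {kind}: " + "; ".join(problems))
        lines.append(f"auth-prompt {kind} {text}")
    return lines


if __name__ == "__main__":
    sample = {  # constructed sample prompts
        "prompt": "Authorized users only. Enter your credentials",
        "accept": "Authentication succeeded.",
        "reject": "Authentication failed. Contact the help desk.",
    }
    for line in render_commands(sample):
        print("hostname(config)# " + line)
```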
