Cisco Asdm 7 User Guide

CHAPTER 8
Configuring AAA Rules for Network Access
Cisco ASA Series Firewall ASDM Configuration Guide (page 8-1)
    This chapter describes how to enable AAA (pronounced “triple A”) for network access.
    For information about AAA for management access, see the “Configuring AAA for System 
    Administrators” section on page 96-18 in the general operations configuration guide.
    This chapter includes the following sections:
    AAA Performance, page 8-1
    Licensing Requirements for AAA Rules, page 8-1
    Guidelines and Limitations, page 8-2
    Configuring Authentication for Network Access, page 8-2
    Configuring Authorization for Network Access, page 8-12
    Configuring Accounting for Network Access, page 8-17
    Using MAC Addresses to Exempt Traffic from Authentication and Authorization, page 8-19
    Feature History for AAA Rules, page 8-20
    AAA Performance
    The ASA uses “cut-through proxy” to significantly improve performance compared to a traditional 
    proxy server. The performance of a traditional proxy server suffers because it analyzes every packet at 
    the application layer of the OSI model. The ASA cut-through proxy challenges a user initially at the 
    application layer and then authenticates with standard AAA servers or the local database. After the ASA 
    authenticates the user, it shifts the session flow, and all traffic flows directly and quickly between the 
    source and destination while maintaining session state information.
    Licensing Requirements for AAA Rules
    The following table shows the licensing requirements for this feature:
Model        License Requirement
All models   Base License
    						
    							 
    Guidelines and Limitations
    This section includes the guidelines and limitations for this feature.
    Context Mode Guidelines
    Supported in single and multiple context mode.
    Firewall Mode Guidelines
    Supported in routed and transparent firewall mode.
    IPv6 Guidelines
    Supports IPv6.
    Additional Guidelines
    In clustering, this feature is only supported on the master unit.
    Configuring Authentication for Network Access
    This section includes the following topics:
    Information About Authentication, page 8-2
    Configuring Network Access Authentication, page 8-6
    Enabling the Redirection Method of Authentication for HTTP and HTTPS, page 8-7
    Enabling Secure Authentication of Web Clients, page 8-8
    Authenticating Directly with the ASA, page 8-9
    Configuring the Authentication Proxy Limit, page 8-11
    Information About Authentication
    The ASA lets you configure network access authentication using AAA servers. This section includes the 
    following topics:
    One-Time Authentication, page 8-3
    Applications Required to Receive an Authentication Challenge, page 8-3
    ASA Authentication Prompts, page 8-3
    AAA Prompts and Identity Firewall, page 8-4
    AAA Rules as a Backup Authentication Method, page 8-5
    Static PAT and HTTP, page 8-5 
    						
    							 
    One-Time Authentication
    A user at a given IP address only needs to authenticate one time for all rules and types, until the 
    authentication session expires. (See the Configuration > Firewall > Advanced > Global Timeouts pane 
    for timeout values.) For example, if you configure the ASA to authenticate Telnet and FTP, and a user 
    first successfully authenticates for Telnet, then as long as the authentication session exists, the user does 
    not also have to authenticate for FTP.
    Applications Required to Receive an Authentication Challenge
    Although you can configure the ASA to require authentication for network access to any protocol or 
    service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first 
    authenticate with one of these services before the ASA allows other traffic requiring authentication.
    The authentication ports that the ASA supports for AAA are fixed as follows:
    Port 21 for FTP
    Port 23 for Telnet
    Port 80 for HTTP
    Port 443 for HTTPS
    ASA Authentication Prompts
    For Telnet and FTP, the ASA generates an authentication prompt.
    For HTTP, the ASA uses basic HTTP authentication by default, and provides an authentication prompt. 
    You can optionally configure the ASA to redirect users to an internal web page where they can enter their 
    username and password (configured in the Configuration > Firewall > AAA Rules > Advanced > AAA 
    Rules Advanced Options dialog box; see the “Enabling the Redirection Method of Authentication for 
    HTTP and HTTPS” section on page 8-7).
    For HTTPS, the ASA generates a custom login screen. You can optionally configure the ASA to redirect 
    users to an internal web page where they can enter their username and password (configured in the 
    Configuration > Firewall > AAA Rules > Advanced > AAA Rules Advanced Options dialog box; see the 
    “Enabling the Redirection Method of Authentication for HTTP and HTTPS” section on page 8-7).
    Redirection is an improvement over the basic method because it provides an improved user experience 
    during authentication, and an identical user experience for HTTP and HTTPS in both Easy VPN and 
    firewall modes. It also supports authentication directly with the ASA.
    You might want to continue to use basic HTTP authentication for the following reasons: 
    You do not want the ASA to open listening ports. 
    You use NAT on a router and you do not want to create a translation rule for the web page served by 
    the ASA. 
    Basic HTTP authentication might work better with your network. 
For example, non-browser applications, such as a URL embedded in an e-mail message, might be more 
compatible with basic authentication.
After you authenticate correctly, the ASA redirects you to your original destination. If the destination 
server also has its own authentication, the user enters another username and password. If you use basic 
HTTP authentication and need to enter another username and password for the destination server, then 
you need to configure virtual HTTP (see the Configuration > Firewall > Advanced Options > Virtual 
Access pane).
    						
    							 
Note: If you use HTTP authentication, by default the username and password are sent from the client to the 
ASA in clear text; in addition, the username and password are sent on to the destination web server as 
well. See the “Enabling Secure Authentication of Web Clients” section on page 8-8 for information to 
secure your credentials.
    For FTP, a user has the option of entering the ASA username followed by an at sign (@) and then the 
    FTP username (name1@name2). For the password, the user enters the ASA password followed by an at 
    sign (@) and then the FTP password (password1@password2). For example, enter the following text:
    name> name1@name2
    password> password1@password2
    This feature is useful when you have cascaded firewalls that require multiple logins. You can separate 
    several names and passwords by multiple at signs (@).
    AAA Prompts and Identity Firewall
    In an enterprise, some users log into the network by using other authentication mechanisms, such as 
    authenticating with a web portal (cut-through proxy). For example, users with a Mac and Linux client 
    might log into a web portal (cut-through proxy). Therefore, you must configure the identity firewall to 
    allow these types of authentication in connection with identity-based access policies.
    Figure 8-1 shows a deployment to support a cut-through proxy authentication captive portal. Active 
    Directory servers and the AD Agent are installed on the main site LAN. However, the identity firewall 
    is configured to support authentication of clients that are not part of the Active Directory domain. 
Figure 8-1 Deployment Supporting Cut-through Proxy Authentication
[Figure 8-1 elements: Inside Enterprise with ASA, AD Servers (mktg.sample.com, 10.1.1.2) and AD Agent; links labelled WMI/LDAP and RADIUS; across the WAN/LAN, Windows Clients (Domain Members) and Non-domain Member Clients connecting over HTTP/HTTPS.]
    The ASA designates users logging in through a web portal (cut-through proxy) as belonging to the 
    Active Directory domain with which they authenticated.
    The ASA reports users logging in through a web portal (cut-through proxy) to the AD Agent, which 
    distributes the user information to all registered ASA devices. In this case, the identity firewall can 
    associate the users with their Active Directory domain. Specifically, the user identity-IP address 
    mappings of authenticated users are forwarded to all ASA contexts that contain the input interface where 
    packets are received and authenticated.
    Users can log in by using HTTP/HTTPS, FTP, Telnet, or SSH. When users log in with these 
    authentication methods, the following guidelines apply:
    For HTTP/HTTPS traffic, an authentication window appears for unauthenticated users. 
    For Telnet and FTP traffic, users must log in through the cut-through proxy server and again to the 
    Telnet and FTP servers.
    A user can specify an Active Directory domain while providing login credentials (in the format, 
    domain\username). The ASA automatically selects the associated AAA server group for the 
    specified domain.
    If a user specifies an Active Directory domain while providing login credentials (in the format, 
    domain\username), the ASA parses the domain and uses it to select an authentication server from 
    the AAA servers that have been configured for the identity firewall. Only the username is passed to 
    the AAA server.
    If the backslash (\) delimiter is not found in the login credentials, the ASA does not parse the domain 
    and authentication is conducted with the AAA server that corresponds to the default domain 
    configured for the identity firewall. 
    If a default domain or a server group is not configured for that default domain, the ASA rejects the 
    authentication.
    If the domain is not specified, the ASA selects the AAA server group for the default domain that is 
    configured for the identity firewall. 
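The domain-parsing rules above, modelled as an added example (not code from the Cisco guide): the domain table, server-group names and the treatment of an explicitly named but unconfigured domain are constructed assumptions.

```python
# Added example, not from the Cisco ASA guide: models how the identity firewall
# picks an AAA server group from login credentials of the form domain\username.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class IdentityFirewallConfig:
    # Constructed table: identity-firewall domain -> AAA server group name.
    domain_groups: Dict[str, str]
    # None models "no default domain configured for the identity firewall".
    default_domain: Optional[str] = None


@dataclass
class AuthDecision:
    accepted: bool               # False when the ASA rejects the attempt outright
    server_group: Optional[str]  # AAA server group that receives the request
    username: Optional[str]      # only the username is passed on, never the domain
    reason: str


def select_aaa_server(login: str, cfg: IdentityFirewallConfig) -> AuthDecision:
    """Return which AAA server group (if any) authenticates this login string."""
    if "\\" in login:
        # Backslash present: the ASA parses the domain and uses it to choose the
        # server; only the part after the backslash is sent to the AAA server.
        domain, _, username = login.partition("\\")
        group = cfg.domain_groups.get(domain)
        if group is None:
            # Assumption: a named domain with no configured server group is rejected,
            # mirroring the guide's rule for an unconfigured default domain.
            return AuthDecision(False, None, None, f"no server group for domain {domain!r}")
        return AuthDecision(True, group, username, f"domain {domain!r} given by user")

    # No backslash: the domain is not parsed and the default domain is used.
    if cfg.default_domain is None:
        return AuthDecision(False, None, None, "no default domain configured")
    group = cfg.domain_groups.get(cfg.default_domain)
    if group is None:
        return AuthDecision(False, None, None,
                            f"no server group for default domain {cfg.default_domain!r}")
    return AuthDecision(True, group, login, f"default domain {cfg.default_domain!r} used")


if __name__ == "__main__":
    cfg = IdentityFirewallConfig({"MKTG": "AAA-MKTG", "ENG": "AAA-ENG"}, default_domain="MKTG")
    for attempt in ("ENG\\alice", "bob", "SALES\\carol"):
        print(attempt, "->", select_aaa_server(attempt, cfg))
```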
    AAA Rules as a Backup Authentication Method
    An authentication rule (also known as “cut-through proxy”) controls network access based on the user. 
    Because this function is very similar to an access rule plus an identity firewall, AAA rules can now be 
    used as a backup method of authentication if a user AD login expires or a valid user has not yet logged 
    into AD. For example, for any user without a valid login, you can trigger a AAA rule. To ensure that the 
    AAA rule is only triggered for users that do not have valid logins, you can specify special usernames in 
    the extended ACL that are used for the access rule and for the AAA rule: None (users without a valid 
    login) and Any (users with a valid login). In the access rule, configure your policy as usual for users and 
    groups, but then include a rule that permits all None users before deny any any; you must permit these 
    users so they can later trigger a AAA rule. Then, configure a AAA rule that does not match Any users 
    (these users are not subject to the AAA rule, and were handled already by the access rule), but matches 
    all None users only to trigger AAA authentication for these users. After the user has successfully logged 
    in via cut-through proxy, the traffic will flow normally again. 
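A small model of the access-rule plus backup-AAA-rule design described above, added here as an example rather than taken from the guide; the IP-to-user mapping, group names and rule entries are constructed.

```python
# Added example, not from the Cisco ASA guide: shows why the access rule must
# permit "None" users before "deny any any" so that they can reach the AAA rule,
# while "Any" users (valid login) are settled by the access rule alone.
from typing import Dict, List, Optional, Tuple

Identity = Tuple[str, List[str]]  # (domain\user, group memberships)

# Identity-firewall view (constructed): source IP -> identity for valid AD logins.
# An IP with no entry is a "None" user, i.e. no valid login yet (or expired).
USER_IP_MAP: Dict[str, Identity] = {
    "10.1.1.20": ("MKTG\\alice", ["MKTG\\Marketing"]),
    "10.1.1.21": ("MKTG\\bob", ["MKTG\\Contractors"]),
}

# Access rule entries (user_match, action), evaluated top-down, first match wins.
ACCESS_RULES = [
    ("MKTG\\Marketing", "permit"),  # the usual group-based policy
    ("None", "permit"),             # users without a valid login are permitted ...
    ("any", "deny"),                # ... ahead of the final deny any any
]

# AAA rule entries: "Any" users are not subject to AAA (the access rule already
# handled them); only "None" users trigger cut-through proxy authentication.
AAA_RULES = [
    ("Any", "do_not_authenticate"),
    ("None", "authenticate"),
]


def user_matches(match: str, ident: Optional[Identity]) -> bool:
    """Evaluate the special usernames None/Any and ordinary user or group names."""
    if match == "any":
        return True
    if match == "None":
        return ident is None
    if match == "Any":
        return ident is not None
    if ident is None:
        return False
    user, groups = ident
    return match == user or match in groups


def evaluate(src_ip: str, identity_map: Dict[str, Identity] = USER_IP_MAP) -> str:
    """Return 'deny', 'permit' or 'permit+aaa_challenge' for a new flow from src_ip."""
    ident = identity_map.get(src_ip)
    action = "deny"  # implicit deny if nothing matches
    for match, act in ACCESS_RULES:
        if user_matches(match, ident):
            action = act
            break
    if action == "deny":
        return "deny"
    for match, act in AAA_RULES:
        if user_matches(match, ident):
            return "permit+aaa_challenge" if act == "authenticate" else "permit"
    return "permit"


def after_cut_through_login(identity_map: Dict[str, Identity], src_ip: str,
                            user: str, groups: List[str]) -> Dict[str, Identity]:
    """Model a successful cut-through proxy login: the IP now maps to a valid user."""
    updated = dict(identity_map)
    updated[src_ip] = (user, groups)
    return updated


if __name__ == "__main__":
    for ip in ("10.1.1.20", "10.1.1.21", "10.1.1.99"):
        print(ip, "->", evaluate(ip))
    relogged = after_cut_through_login(USER_IP_MAP, "10.1.1.99", "MKTG\\carol", ["MKTG\\Marketing"])
    print("10.1.1.99 after login ->", evaluate("10.1.1.99", relogged))
```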
    Static PAT and HTTP
    For HTTP authentication, the ASA checks real ports when static PAT is configured. If it detects traffic 
    destined for real port 80, regardless of the mapped port, the ASA intercepts the HTTP connection and 
    enforces authentication.
    For example, assume that outside TCP port 889 is translated to port 80 and that any relevant ACLs permit 
    the traffic:
    object network obj-192.168.123.10-01
    host 192.168.123.10
    nat (inside,outside) static 10.48.66.155 service tcp 80 889
    Then when users try to access 10.48.66.155 on port 889, the ASA intercepts the traffic and enforces 
    HTTP authentication. Users see the HTTP authentication page in their web browsers before the ASA 
    allows HTTP connection to complete.
    If the local port is different than port 80, as in the following example:
    object network obj-192.168.123.10-02
    host 192.168.123.10 
    						
    							 
    nat (inside,outside) static 10.48.66.155 service tcp 111 889
    Then users do not see the authentication page. Instead, the ASA sends an error message to the web 
    browser, indicating that the user must be authenticated before using the requested service.
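The real-port check described above, as an added example (not code from the Cisco guide) that replays the chapter's two static PAT configurations (real port 80 versus real port 111 behind mapped port 889); the data structures and the untranslated-traffic case are constructed assumptions.

```python
# Added example, not from the Cisco ASA guide: for an HTTP flow that matches a
# AAA authentication rule, the ASA decides on the REAL port behind static PAT,
# not on the mapped port the client connected to.
from dataclasses import dataclass
from typing import List, Tuple

HTTP_REAL_PORT = 80  # HTTP authentication is intercepted on real port 80 only


@dataclass(frozen=True)
class StaticPat:
    real_host: str
    mapped_addr: str
    real_port: int
    mapped_port: int


@dataclass(frozen=True)
class Verdict:
    real_dest: str
    real_port: int
    action: str  # "serve_auth_page" or "deny_with_error"


def resolve_real_port(dst_addr: str, dst_port: int, pats: List[StaticPat]) -> Tuple[str, int]:
    """Untranslate an outside destination address/port through the static PAT table."""
    for p in pats:
        if p.mapped_addr == dst_addr and p.mapped_port == dst_port:
            return p.real_host, p.real_port
    # Assumption: with no static PAT for this destination, the port seen on the
    # wire is the real port.
    return dst_addr, dst_port


def aaa_http_decision(dst_addr: str, dst_port: int, pats: List[StaticPat]) -> Verdict:
    """What an unauthenticated user gets for an HTTP flow that matches a AAA rule."""
    real_host, real_port = resolve_real_port(dst_addr, dst_port, pats)
    if real_port == HTTP_REAL_PORT:
        # Real port 80, regardless of the mapped port: the ASA intercepts the
        # connection and serves the HTTP authentication page.
        return Verdict(real_host, real_port, "serve_auth_page")
    # Any other real port: the ASA returns an error telling the user to
    # authenticate before using the requested service.
    return Verdict(real_host, real_port, "deny_with_error")


# Constructed from the chapter's two NAT examples (values as printed in the guide).
PATS_REAL_80 = [StaticPat("192.168.123.10", "10.48.66.155", 80, 889)]
PATS_REAL_111 = [StaticPat("192.168.123.10", "10.48.66.155", 111, 889)]

if __name__ == "__main__":
    print("tcp 80 889  ->", aaa_http_decision("10.48.66.155", 889, PATS_REAL_80))
    print("tcp 111 889 ->", aaa_http_decision("10.48.66.155", 889, PATS_REAL_111))
```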
    When a mapped address is used for static PAT, it is automatically placed into the dynamic PAT pool.
    For instance, this configuration,
    object network my-ftp-server
    host 
    nat (inside,outside) static  ftp ftp
    is equivalent to
    object network my-ftp-server
    host 
    nat (inside,outside) static  ftp ftp
    object network 
    nat (inside,outside) dynamic 
The second line ensures that all PAT bindings are accounted for. This accounting is necessary to avoid 
connection failure from port collision.
Because the mapped address is placed under dynamic PAT, any additional service that is to be accessed 
through the mapped address must also be explicitly configured.
    For example, the following is the correct configuration for three services through address 192.150.49.10.  
    Additionally, the SMTP and HTTP services also reside at a host with the same address as the mapped 
    address, 192.150.49.10.
    object network my-ftp-server
    host 
    nat (inside,outside) static  ftp ftp
    object network my-ftp-server
    host 192.150.49.10
    nat (inside,outside) static 192.150.49.10 smtp smtp
    object network my-ftp-server
    host 192.150.49.10
    nat (inside,outside) static 192.150.49.10 http http
    Configuring Network Access Authentication
    To configure network access authentication, perform the following steps:
Step 1  In the Configuration > Firewall > AAA Rules pane, choose Add > Add Authentication Rule.
The Add Authentication Rule dialog box appears.
Step 2  In the Interface drop-down list, choose the interface for applying the rule.
Tip: In the Action field, click one of the following, depending on the implementation:
Authenticate 
Do not Authenticate 
    						
    							 
Step 3  In the AAA Server Group drop-down list, choose a server group. To add a AAA server to the server 
group, click Add Server.
If you chose LOCAL for the AAA server group, you can optionally add a new user by clicking Add User. 
See the “Adding a User Account to the Local Database” section on page 33-4 in the general operations 
configuration guide for more information.
Step 4  In the Source field, add the source IP address, or click the ellipsis (...) to choose an IP address already 
defined in ASDM.
Step 5  In the Destination field, enter the destination IP address, or click the ellipsis (...) to choose an IP address 
already defined in ASDM.
Step 6  In the Service field, enter an IP service name or number for the destination service, or click the ellipsis 
(...) to choose a service.
Step 7  (Optional) In the Description field, enter a description.
Step 8  (Optional) Click More Options to do any of the following:
To specify a source service for TCP or UDP, enter a TCP or UDP service in the Source Service field.
The destination service and source service must be the same. Copy and paste the destination Service 
field to the Source Service field.
To make the rule inactive, clear the Enable Rule check box.
You may not want to remove a rule, but instead turn it off.
To set a time range for the rule, in the Time Range drop-down list, choose an existing time range. 
To add a new time range, click the ellipsis (...). For more information, see the “Configuring Time 
Ranges” section on page 20-26 in the general operations configuration guide.
Step 9  Click OK.
The Add Authentication Rule dialog box closes and the rule appears in the AAA Rules table.
Step 10  Click Apply.
The changes are saved to the running configuration.
    For more information about authentication, see the “Information About Authentication” section on 
    page 8-2.
    Enabling the Redirection Method of Authentication for HTTP and HTTPS
    This method of authentication enables HTTP(S) listening ports to authenticate network users. When you 
    enable a listening port, the ASA serves an authentication page for direct connections and, by enabling 
    redirection, for through traffic. This method also prevents the authentication credentials from continuing 
    to the destination server. See the “ASA Authentication Prompts” section on page 8-3 for more 
    information about the redirection method compared to the basic method.
To enable a AAA listener, perform the following steps:
Step 1  In the Configuration > Firewall > AAA Rules pane, click Advanced.
The AAA Rules Advanced Options dialog box appears.
Step 2  Under Interactive Authentication, click Add.
The Add Interactive Authentication Entry dialog box appears. 
    						
    							 
Step 3  For the Protocol, choose either HTTP or HTTPS. You can enable both by repeating this procedure and 
creating two separate rules.
Step 4  In the Interface drop-down list, choose the interface on which you want to enable the listener.
Step 5  In the Port drop-down list, choose the port or enter a number. 
This is the port that the ASA listens on for direct or redirected traffic; the defaults are 80 (HTTP) and 
443 (HTTPS). You can use any port number and retain the same functionality, but be sure your direct 
authentication users know the port number; redirected traffic is sent to the correct port number 
automatically, but direct authenticators must specify the port number manually.
Step 6  (Optional) Check Redirect network users for authentication request.
This option redirects through traffic to an authentication web page served by the ASA. Without this 
option, only traffic directed to the ASA interface can access the authentication web pages.
Note: If you enable the redirect option, you cannot also configure static PAT for the same interface 
where you translate the interface IP address and the same port that is used for the listener; NAT 
succeeds, but authentication fails.
Step 7  Click OK, and then click OK again to close the AAA Rules Advanced Options dialog box.
Step 8  Click Apply.
The changes are saved to the running configuration.
    Enabling Secure Authentication of Web Clients
    If you use HTTP authentication, by default the username and password are sent from the client to the 
    ASA in clear text; in addition, the username and password are sent to the destination web server as well.
    The ASA provides the following methods for securing HTTP authentication:
    Enable the redirection method of authentication for HTTP—See the “Enabling the Redirection 
    Method of Authentication for HTTP and HTTPS” section on page 8-7. This method prevents the 
    authentication credentials from continuing to the destination server. See the “ASA Authentication 
    Prompts” section on page 8-3 for more information about the redirection method compared to the 
    basic method.
    Enable virtual HTTP— Virtual HTTP lets you authenticate separately with the ASA and with the 
    HTTP server. Even if the HTTP server does not need a second authentication, this command 
    achieves the effect of stripping the basic authentication credentials from the HTTP GET request. See 
    the “Authenticating HTTP(S) Connections with a Virtual Server” section on page 8-9 for more 
    information.
    Enable the exchange of usernames and passwords between a web client and the ASA with 
    HTTPS—To enable the exchange of usernames and passwords between a web client and the ASA 
    with HTTPS, perform the following steps:
a. In the Configuration > Firewall > AAA Rules pane, click Advanced. The AAA Rules Advanced 
Options dialog box appears.
b. Under Secure HTTP, click Enable Secure HTTP.
c. Click OK, and then click OK again to close the AAA Rules Advanced Options dialog box.
d. Click Apply. 
    						
    							 
    This is the only method that protects credentials between the client and the ASA, as well as between 
    the ASA and the destination server. You can use this method alone, or in conjunction with either of 
    the other methods so you can maximize your security.
    After enabling this feature, when a user requires authentication when using HTTP, the ASA redirects 
    the HTTP user to an HTTPS prompt. After you authenticate correctly, the ASA redirects you to the 
    original HTTP URL.
    Secured, web-client authentication has the following limitations:
    –A maximum of 64 concurrent HTTPS authentication sessions are allowed. If all 64 HTTPS 
    authentication processes are running, a new connection requiring authentication will not 
    succeed.
    –When the uauth timeout is set to unlimited, HTTPS authentication might not work. If a browser 
    initiates multiple TCP connections to load a web page after HTTPS authentication, the first 
    connection is let through, but the subsequent connections trigger authentication. As a result, 
    users are continuously presented with an authentication page, even if the correct username and 
    password are entered each time. To work around this, set the uauth timeout to one second (see 
    the Configuration > Firewall > Advanced > Global Timeouts pane). However, this workaround 
    opens a 1-second window of opportunity that might allow unauthenticated users to go through 
    the firewall if they are coming from the same source IP address.
Because HTTPS authentication occurs on the SSL port 443, users must not configure an access rule to 
block traffic from the HTTP client to the HTTP server on port 443. Furthermore, if static PAT is 
configured for web traffic on port 80, it must also be configured for the SSL port.
    Authenticating Directly with the ASA 
    If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the ASA but want to authenticate 
    other types of traffic, you can authenticate with the ASA directly using HTTP, HTTPS, or Telnet.
    This section includes the following topics:
    Authenticating HTTP(S) Connections with a Virtual Server, page 8-9
    Authenticating Telnet Connections with a Virtual Server, page 8-10
    Authenticating HTTP(S) Connections with a Virtual Server
    If you enabled the redirection method of HTTP and HTTPS authentication in the “Configuring Network 
    Access Authentication” section on page 8-6, then you have also automatically enabled direct 
    authentication.
When you use HTTP authentication on the ASA (see the “Configuring Network Access Authentication” 
section on page 8-6), the ASA uses basic HTTP authentication by default. 
    You can change the authentication method so that the ASA redirects HTTP connections to web pages 
    generated by the ASA itself using the “Enabling the Redirection Method of Authentication for HTTP 
    and HTTPS” section on page 8-7.
    However, if you continue to use basic HTTP authentication, then you might need the virtual HTTP server 
    when you have cascading HTTP authentications. 
    If the destination HTTP server requires authentication in addition to the ASA, then virtual HTTP lets 
    you authenticate separately with the ASA (via a AAA server) and with the HTTP server. Without virtual 
    HTTP, the same username and password that you used to authenticate with the ASA is sent to the HTTP  
    						
    							 
    server; you are not prompted separately for the HTTP server username and password. Assuming the 
    username and password are not the same for the AAA and HTTP servers, then the HTTP authentication 
    fails.
    This feature redirects all HTTP connections that require AAA authentication to the virtual HTTP server 
    on the ASA. The ASA prompts for the AAA server username and password. After the AAA server 
    authenticates the user, the ASA redirects the HTTP connection back to the original server, but it does not 
    include the AAA server username and password. Because the username and password are not included 
    in the HTTP packet, the HTTP server prompts the user separately for the HTTP server username and 
    password.
    For inbound users (from lower security to higher security), you must also include the virtual HTTP 
    address as a destination interface in the access rule applied to the source interface. Moreover, you must 
    add a static NAT rule for the virtual HTTP IP address, even if NAT is not required. An identity NAT rule 
    is typically used (where you translate the address to itself).
    For outbound users, there is an explicit permit for traffic, but if you apply an access rule to an inside 
    interface, be sure to allow access to the virtual HTTP address. A static NAT rule is not required.
Note: Do not set the uauth timeout duration to 0 seconds when using virtual HTTP, because this setting 
prevents HTTP connections to the real web server. See the “Configuring Global Timeouts” section on 
page 22-9.
    You can authenticate directly with the ASA at the following URLs when you enable AAA for the 
    interface:
    http://interface_ip[:port]/netaccess/connstatus.html
    https://interface_ip[:port]/netaccess/connstatus.html
    To allow users to authenticate with the ASA virtual server separately from the HTTP server, perform the 
    following steps: 
Step 1  In the Configuration > Firewall > Advanced > Virtual Access > Virtual HTTP Server area, check the 
Enable check box.
Step 2  In the Virtual HTTP Server field, add the IP address of the virtual HTTP server.
Make sure this address is an unused address that is routed to the ASA. For example, if you perform NAT 
for inside addresses accessing an outside server, and you want to provide outside access to the virtual 
HTTP server, you can use one of the global NAT addresses for the virtual HTTP server address.
Step 3  (Optional) If you are using text-based browsers, where redirection does not happen automatically, check 
the Display redirection warning check box. This enables an alert to notify users when the HTTP 
connection is being redirected.
Step 4  Click Apply.
    The virtual server is added and the changes are saved to the running configuration. 
    Authenticating Telnet Connections with a Virtual Server
Although you can configure network access authentication for any protocol or service (see the 
“Configuring Network Access Authentication” section on page 8-6), you can authenticate directly with 
HTTP, Telnet, or FTP only. A user must first authenticate with one of these services before other traffic  
    						