Cisco Systems ASA 5580 User Manual

7-7
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 7      Configuring AAA Rules for Network Access
  Configuring Authentication for Network Access
Configuring Network Access Authentication
To configure network access authentication, perform the following steps:
Step 1
Command: aaa-server
Example:
ciscoasa(config)# aaa-server AuthOutbound protocol tacacs+
Purpose: Identifies your AAA servers. If you have already identified them, continue to the next step.

Step 2
Command: access-list access_list_name extended {deny | permit} {tcp | udp} [user_argument] [security_group_argument] source_address_argument [port_argument] [security_group_argument] dest_address_argument [port_argument]
Example:
ciscoasa(config)# access-list MAIL_AUTH extended permit tcp any any eq smtp
Purpose: Creates an ACL that identifies the source and destination addresses of the traffic that you want to authenticate. The syntax shown here is only an example; for details, see the general operations configuration guide.
If you specify identity firewall arguments in the ACL, the following keywords in the ACL are specifically relevant to AAA rules. You can specify user-group any or user-group none to support cut-through proxy authentication:
any: the ACL matches any IP address that has already been associated with a user.
none: the ACL matches any IP address that has not yet been associated with a user.

Step 3
Command: aaa authentication match acl_name interface_name server_group [user-identity]
Example:
ciscoasa(config)# aaa authentication match MAIL_AUTH inside AuthOutbound
Purpose: Configures authentication. The acl_name argument is the name of the ACL that you created in Step 2. The interface_name argument is the name of the interface specified with the nameif command. The server_group argument is the AAA server group that you created in Step 1.
Note: You can alternatively use the aaa authentication include command (which identifies the traffic within the command itself). However, you cannot use both methods in the same configuration. See the command reference for more information.
The user-identity keyword matches the authentication to the identity firewall.
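The three steps put together as one configuration, as an added example that is not from the configuration guide. The server address 10.1.1.10, the shared key, the exempted host 10.1.2.50, the deny entry and the ACL name MAIL_AUTH_IDFW are constructed assumptions; only MAIL_AUTH and AuthOutbound come from the page. Comment lines start with "!" so the block can be pasted into configuration mode as-is.

```cisco
! Added example, not from the Cisco configuration guide.
! Addresses, the shared key and MAIL_AUTH_IDFW are constructed placeholders.
!
! Step 1: the server group and at least one server in it. A group with no
! reachable server cannot authenticate anyone, so every connection that
! matches the rule below is refused until the server is configured and up.
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.10
 key ExampleTacacsKey
 timeout 5
!
! Step 2: the ACL that selects traffic to authenticate. Only permit entries
! trigger authentication; a deny entry exempts that traffic from the rule,
! so the mail relay at 10.1.2.50 (constructed) sends without a prompt.
access-list MAIL_AUTH extended deny tcp host 10.1.2.50 any eq smtp
access-list MAIL_AUTH extended permit tcp any any eq smtp
!
! Step 3: bind the ACL to the ingress interface and the server group.
aaa authentication match MAIL_AUTH inside AuthOutbound
!
! Identity firewall alternative (requires the identity firewall to be
! enabled). user-group none limits the challenge to hosts whose IP address
! has no user associated with it yet; user-identity feeds the result back
! to the identity firewall. Use this instead of the rule above, not with it.
! access-list MAIL_AUTH_IDFW extended permit tcp user-group none any any eq smtp
! aaa authentication match MAIL_AUTH_IDFW inside AuthOutbound user-identity
```

Before relying on the rule, confirm the server group is usable with show aaa-server AuthOutbound and test aaa-server authentication AuthOutbound host 10.1.1.10 username <user> password <password>, and inspect the resulting authenticated-user table with show uauth. Note also that the ASA can only prompt for credentials inside HTTP, HTTPS, FTP and Telnet sessions; an SMTP connection that matches MAIL_AUTH is held until the source host has authenticated through one of those protocols (or through virtual telnet or virtual http), which is why the authentication entry in the uauth table is what the SMTP rule actually checks.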