Chapter 17
Applying AAA for Network Access
Figure 17-1 Authentication Proxy Login Page
The Cisco Systems text field shown in this example was customized using the auth-prompt command.
Note
See the "Configuring Custom Login Prompts" section on page 17-5.
After the user enters a valid username and password, an "Authentication Successful" page appears and
closes automatically. If the user fails to enter a valid username and password, an "Authentication Failed"
page appears.
Secured web-client authentication has the following limitations:
• A maximum of 128 concurrent HTTPS authentication sessions is allowed. If all 128 HTTPS
authentication processes are running, a new connection requiring authentication will not succeed.
• When the uauth timeout is set to 0 (uauth timeout 0), HTTPS authentication might not work. If a
browser initiates multiple TCP connections to load a web page after HTTPS authentication, the
first connection is let through, but the subsequent connections trigger authentication again. As a
result, users are continuously presented with an authentication page, even if the correct username
and password are entered each time. To work around this, set the uauth timeout to 1 second with the
timeout uauth 0:0:1 command. However, because the uauth cache is keyed by source IP address, this
workaround opens a 1-second window in which a non-authenticated user coming from the same source
IP address (for example, another host behind the same NAT device or proxy) can pass through the
firewall without authenticating.
• Because HTTPS authentication occurs on SSL port 443, do not configure an access-list command
statement that blocks traffic from the HTTP client to the HTTP server on port 443. Furthermore, if
static PAT is configured for web traffic on port 80, it must also be configured for the SSL port. In
the following example, the first line configures static PAT for web traffic; a second static line
with the same translation for the SSL port must be added to support the HTTPS authentication
configuration.
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
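The following FWSM configuration fragment is an added example, not text from the configuration
guide. It puts the three limitations above together in one working configuration: static PAT for
both port 80 and port 443 (using the addresses from the example above), an interface access list
that permits port 443 to the translated address, the AAA match rule that triggers secured
web-client authentication, and the uauth timeout with the weak setting shown commented out beside
the workaround. The interface names, the access-list names OUTSIDE_IN and WEB_AUTH, and the AAA
server-group name TACACS_SRV are assumptions; substitute your own.

```text
! Added example (not from the configuration guide). Assumed names: interfaces inside/outside,
! access lists OUTSIDE_IN and WEB_AUTH, AAA server group TACACS_SRV.

! 1. Static PAT must cover port 443 as well as port 80, because the HTTPS authentication
!    exchange itself arrives on the SSL port.
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 www
static (inside,outside) tcp 10.132.16.200 443 10.130.16.10 443

! 2. The access list on the outside interface must permit port 443 to the translated
!    address. Blocking it breaks the authentication prompt, not only the web site.
access-list OUTSIDE_IN extended permit tcp any host 10.132.16.200 eq www
access-list OUTSIDE_IN extended permit tcp any host 10.132.16.200 eq https
access-group OUTSIDE_IN in interface outside

! 3. Require authentication for HTTP traffic to the server (addresses as seen on the
!    outside interface) and deliver the login prompt over HTTPS.
access-list WEB_AUTH extended permit tcp any host 10.132.16.200 eq www
aaa authentication match WEB_AUTH outside TACACS_SRV
aaa authentication secure-http-client

! Weak setting: a 0 uauth timeout re-prompts on every new TCP connection the browser opens.
! timeout uauth 0:0:0
! Workaround from the guide: cache the authentication for 1 second. Accept that during that
! second another host sharing the same source IP address passes without authenticating.
timeout uauth 0:0:1
```

If clients reach the server through a shared NAT address or a proxy, weigh the 1-second window
against the re-prompt problem before adopting the workaround, since every host behind that address
shares the same uauth entry.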
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Configuring Authentication for Network Access
17-7