Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
aaa accounting through accounting-server-group

Table Of Contents

aaa accounting through accounting-server-group Commands

aaa accounting

aaa accounting command

aaa accounting console

aaa accounting match

aaa authentication challenge disable

aaa authentication console

aaa authentication include, exclude

aaa authentication match

aaa authentication secure-http-client

aaa authorization command

aaa authorization include, exclude

aaa authorization match

aaa local authentication attempts max-fail

aaa mac-exempt

aaa proxy-limit

aaa-server host

aaa-server protocol

absolute

accept-subordinates

access-group

access-list alert-interval

access-list commit

access-list deny-flow-max

access-list ethertype

access-list extended

access-list mode

access-list remark

access-list standard

accounting-mode

accounting-port

accounting-server-group


aaa accounting through accounting-server-group Commands


aaa accounting

To enable, disable, or view TACACS+, or RADIUS user accounting (on a server designated by the aaa-server host command), use the aaa accounting command in global configuration mode. To disable these functions use the no form of this command.

aaa accounting {include | exclude} service  interface-name local-ip local-mask foreign-ip foreign-mask server-tag

no aaa accounting {include | exclude} service  interface-name local-ip local-mask foreign-ip foreign-mask server-tag

aaa accounting {include | exclude} service  interface-name server-tag

no aaa accounting {include | exclude} service  interface-name server-tag

Syntax Description

exclude

Create an exception to a previously stated rule by excluding the specified service from accounting. The exclude parameter allows the user to specify a service or protocol/port to exclude to a specific host or hosts.

foreign-ip

Specify the IP address of the hosts you want to access the local-ip address. Use 0 to mean all hosts. the foreign-ip address is always on the lowest security-level interface.

foreign-mask

Specify the network mask of foreign-ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

interface-name

Specify the interface name from which users require authentication. Use interface-name in combination with the local-ip address and the foreign-ip address to determine where access is sought and from whom.

include

Create a new rule with the specified service to include.

local-ip

Specify the IP address of the host or network of hosts that you want to be authenticated or authorized. Set this address to 0 to mean all hosts and to let the authentication server decide which hosts are allowed access. The local-ip address is always on the highest security-level interface.

local-mask

Specify the network mask of local-ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

server-tag

Specify the AAA server group tag defined by the aaa-server host command.

service

The services/access method that should be accounted for. Accounting is provided for all services, or you can limit it to one or more services. Possible values are enable, http, ssh, telnet, or protocol/port. Use enable to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form.


Defaults

For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.

By default, AAA accounting for administrative access is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced on the FWSM.


Usage Guidelines

User accounting services keep a record of which network services a user has accessed. These records are kept on the designated AAA server or servers. Accounting information is sent only to the active server in a server group unless you enable simultaneous accounting.

Before you can use this command, you must first designate an AAA server with the aaa-server command.

To enable accounting for traffic that is specified by an access list, use the aaa accounting match command.


Note Traffic that is not specified by an include statement is not processed.


For outbound connections, first use the nat command to determine which IP addresses can access the FWSM. For inbound connections, first use the static and access-list extended command statements to determine which inside IP addresses can be accessed through the FWSM from the outside network.

If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.

Examples

The following example enables accounting on all connections:

hostname(config)# aaa-server mygroup protocol tacacs+
hostname(config)# aaa-server mygroup (inside) host 192.168.10.10 thekey timeout 20
hostname(config)# aaa authentication include any inside 0 0 0 0 mygroup
hostname(config)# aaa authorization include any inside 0 0 0 0 mygroup
hostname(config)# aaa accounting include any inside 0 0 0 0 mygroup
hostname(config)# aaa authentication ssh console mygroup

This example specifies that the authentication server with the IP address 192.168.10.10 resides on the inside interface and is in the TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that SSH access to the FWSM console requires authentication from the TACACS+ server.

Related Commands

Command
Description

aaa accounting match

Enable or disable the use of a specified access list that must be matched to enable user accounting (on a server designated by the aaa-server command).

aaa accounting command

Enable support for AAA accounting administrative access.

aaa-server host

Configure host-related attributes.

clear configure aaa

Remove/reset the configured AAA accounting values.

show running-config aaa

Display the AAA configuration.


aaa accounting command

To configure command accounting so that the FWSM sends to the accounting server each command entered by an administrator, use the aaa accounting command command in global configuration mode. To disable support for AAA command privilege accounting, use the no form of this command. The aaa accounting command command indicates the minimum level that must be associated with a command for an accounting record to be generated.

aaa accounting command [ privilege level ] server-tag

no aaa accounting command [ privilege level ] server-tag

Syntax Description

server-tag

The server or group of TACACS+ servers to which accounting records are sent.

privilege level

The minimum level that must be associated with a command for an accounting record to be generated. The default privilege level is 0.


Defaults

The default privilege level is 0. By default, AAA command-privilege accounting for administrative access is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

When you configure the aaa accounting command command, each command entered by an administrator/user is recorded and sent to the accounting server or servers. The optional privilege specification indicates the minimum privilege level that must be associated with a command for an accounting record to be generated.

This command applies only to TACACS+ servers.

You must specify the name of the server or group, previously specified in an aaa-server command, to which this command applies.

Examples

The following example specifies that accounting records will be generated for any command at privilege level 6 or higher, and that these records are sent to the server from the group named adminserver.

hostname(config)# aaa accounting command privilege 6 adminserver

Related Commands

Command
Description

aaa accounting

Enables or disables TACACS+ or RADIUS user accounting (on a server designated by the aaa-server command).

clear configure aaa

Remove/reset the configured AAA accounting values.

show running-config aaa

Display the AAA configuration.


aaa accounting console

To enable support for AAA accounting for administrative access, use the aaa accounting console command in global configuration mode. To disable support for accounting for administrative access, use the no form of this command.

aaa accounting {telnet | ssh | enable} console server-tag

no aaa accounting {telnet | ssh | enable} console server-tag

Syntax Description

enable

Enables or disables the generation of accounting records to mark the entry to and exit from privileged EXEC mode.

server-tag

Specifies the server or group of servers to which accounting records are sent. Valid server group protocols are RADIUS and TACACS+.

ssh

Enables or disables the generation of accounting records to mark the establishment and termination of admin sessions created over SSH. 

telnet

Enables or disables the generation of accounting records to mark the establishment and termination of admin sessions created over Telnet.


Defaults

By default, AAA accounting for administrative access is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced on the FWSM.

2.2(1)

This command was modified to support fallback to LOCAL.


Usage Guidelines

You must specify the name of the server group, previously specified in an aaa-server command.

Examples

The following example specifies that accounting records will be generated for all Telnet transactions, and that these records are sent to the server named adminserver.

hostname(config)# aaa accounting telnet console adminserver

Related Commands

Command
Description

aaa accounting match

Enables or disables TACACS+ or RADIUS user accounting.

aaa accounting command

Specifies that each command, or commands of a specified privilege level or higher, entered by an administrator/user is recorded and sent to the accounting server or servers.

clear configure aaa

Remove/reset the configured AAA accounting values.

show running-config aaa

Display the AAA configuration.


aaa accounting match

To enable accounting for traffic that is identified by an access list, use the aaa accounting match command in global configuration mode. To disable accounting for traffic that is identified by an access list, use the no form of this command. The aaa accounting match command specifies an access list name that must be matched, as well as an interface name and a server tag.

aaa accounting match acl-name  interface-name server-tag

no aaa accounting match acl-name  interface-name server-tag

Syntax Description

acl-name

Specify an access-list name to match.

interface-name

Specify the interface name from which users require accounting.

server-tag

Specify the AAA server group tag defined by the aaa-server command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced on the FWSM.


Usage Guidelines

The acl-name is defined by the access-list command.

In an ACL, permit = perform accounting and deny = do not perform accounting.

The AAA server group tag is defined by the aaa-server command. Before you can use this command, you must first designate an AAA server with the aaa-server command.

User accounting services keep a record of which network services a user has accessed. These records are kept on the designated AAA server or servers. Accounting information is sent only to the active server in a server group unless simultaneous accounting is enabled. The aaa accounting match command requires that a user specify an ACL name that must be matched before the accounting action can take place.

The ACL name can be either a number or an alphanumeric name.

Examples

The following example enables accounting for traffic matching a specific ACL, acl2, followed by the output of the show access-list command that displays the access list:

hostname(config) # aaa accounting match acl2 outside radserver1
hostname(config) # show access-list acl12
access-list acl12; 1 elements
access-list acl12 line 1 extended permit tcp any any (hitcnt=54021)

Related Commands

Command
Description

aaa accounting

Enable, disable, or view TACACS+ or RADIUS user accounting (on a server designated by the aaa-server command).

access-list extended

Create an access list or use a downloadable access list.

clear configure aaa

Remove/reset the configured AAA accounting values.

show running-config aaa

Display the AAA configuration.


aaa authentication challenge disable

To disable authentication challenge for FTP, Telnet, HTTP, or HTTPS, use the aaa authentication challenge disable command in global configuration mode. To reset the FWSM to default authentication, use the no form of this command.

aaa authentication {ftp | telnet | http | https } challenge disable

no aaa authentication {ftp | telnet | http | https } challenge disable

Syntax Description

ftp

Disables the authentication challenge for FTP connections.

http

Disables the authentication challenge for HTTP connections.

https

Disables the authentication challenge for HTTPS connections.

telnet

Disables the authentication challenge for Telnet connections.


Defaults

By default, if you enable authentication using the aaa authentication match or aaa authentication [include | exclude] commands, authentication challenge is enabled for FTP, Telnet, HTTP, and HTTPS.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

You can configure whether the FWSM challenges users for a username and password. By default, the FWSM prompts the user when a AAA rule enforces authentication for traffic in a new session and the protocol of the traffic is FTP, Telnet, HTTP, or HTTPS. In some cases, you may want to disable the authentication challenge for one or more of these protocols. You can use the aaa authentication challenge command to do so.

If you disable challenge authentication for a particular protocol, traffic using that protocol is allowed only if the traffic belongs to a session previously authenticated. This authentication can be accomplished by traffic using a protocol whose authentication challenge remains enabled. For example, if you disable challenge authentication for FTP, the FWSM denies a new session using FTP if the traffic is included in an authentication rule. If the user establishes the session with a protocol whose authentication challenge is enabled (such as HTTP), FTP traffic is allowed.

Examples

The following example permits inbound access to a TCP IP address in the range of 209.165.201.1 through 209.165.201.30 indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). All services are permitted by the access-list command, and the aaa authentication command requires authentication. The authentication server is at IP address 10.16.1.20 on the inside interface. The final command disables challenge authentication for FTP, which means that users whose sessions are identifed by the aaa authentication include command must be authenticated by Telnet, HTTP, or HTTPS, and not by FTP.

hostname(config)# aaa-server AuthIn protocol tacacs+
hostname(config)# aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20
hostname(config)# access-list acl-out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 
255.255.255.224
hostname(config)# access-group acl-out in interface outside
hostname(config)# aaa authentication include tcp inside 0 0 0 0 AuthIn
hostname(config)# aaa authentication ftp challenge disable

Related Commands

Command
Description

aaa authentication

Enables or disables authentication by including or excluding traffic.

aaa authentication match

Specifies the name of an access list, previously defined in an access-list command, that must be matched, and then provides authentication for that match.

aaa authentication secure-http-client

Provides a secure method for user authentication to the FWSM prior to allowing HTTP requests to traverse the FWSM.

aaa-server protocol

Configures group-related server attributes.

aaa-server host

Configures host-related attributes.


aaa authentication console

To do any of the following, use the aaa authentication console command in global configuration mode:

Enable authentication service for access to the FWSM console over an SSH, HTTP, or Telnet connection.

Enable access to privileged mode, use the aaa authentication console command in global configuration mode.

Configure administrative authentication to support fallback to a list of specified server groups or to the local database.

To disable this authentication service, use the no form of this command.

aaa authentication {enable | telnet | ssh | http} console server-tag [LOCAL]

no aaa authentication {enable | telnet | ssh | http} console server-tag [LOCAL]

Syntax Description

console

Specifies that access to the console requires authentication.

enable

Enables or disables authentication on entry to privileged mode. Valid server group protocols are LOCAL, RADIUS, and TACACS+.

http

Enables or disables authentication of admin sessions over HTTP. Valid server group protocols are LOCAL, RADIUS, and TACACS+.

LOCAL

The keyword LOCAL has two uses. It can designate the use of a local authentication server, or it can specify fallback to the local database if the designated authentication server is unavailable.

server-tag

The AAA server group tag defined by the aaa-server command.

You can also use the local FWSM user authentication database by specifying the server group tag LOCAL. If LOCAL is specified for server-tag and the local user credential database is empty, the following warning message appears:

Warning:local database is empty! Use 'username' command to define 
local users.

Conversely, if the local database becomes empty when LOCAL is still present in the command, the following warning message appears:

Warning:Local user database is empty and there are still commands 
using 'LOCAL' for authentication.

ssh

Enables or disables authentication of admin sessions over SSH. Valid server group protocols are LOCAL, RADIUS, and TACACS+.

telnet

Enables or disables authentication of admin sessions over Telnet. Valid server group protocols are LOCAL, RADIUS, and TACACS+.


Defaults

By default, fallback to the local database is disabled.

If a aaa authentication http console server-tag command statement is not defined, you can gain access to the FWSM (via ASDM) with no username and the FWSM enable password (set with the password command). If the aaa commands are defined, but the HTTP authentication requests a time out, which implies the AAA servers might be down or not available, you can gain access to the FWSM using the default administrator username and the enable password. By default, the enable password is not set.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.

2.2(1)

This command was modified to support fallback to LOCAL.


Usage Guidelines

The aaa authentication console command enables or disables authentication on entry to privileged mode, lets you require authentication verification to access the FWSM via the specified type of connection, or supports administrative authentication fallback.

Telnet access requires previous use of the telnet command. SSH access requires previous use of the ssh command.

Using the aaa authentication console command requires that you have previously used the aaa-server command to designate an authentication server, unless you have specified LOCAL as the server-group protocol. The aaa authentication console command supports RADIUS and TACACS+ groups.

Except as noted in "Defaults," if you are using HTTP authentication, the FWSM requires authentication verification of the HTTP server through the aaa authentication http console command.

When an administrator requests an action that requires authentication, the FWSM initiates an authentication session with servers from the server group specified. If the system is unable to communicate with any server from this group.

To configure administrative authentication to support fallback to the local user database if all servers in the specified server group are unavailable, use the aaa authentication command with the LOCAL option specified. This feature is disabled by default.

The maximum username prompt for HTTP authentication is 30 characters. The maximum password length is 16 characters.

As the following table shows, the action of the prompts for authenticated access to the FWSM console differ, depending on the option you choose with the aaa authentication console command.

Option
Number of Login Attempts Allowed

enable

3 tries before access is denied

ssh

3 tries before access is denied

telnet

Continual until success

http

Continual until success


The ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.

Similar to the Telnet model, if a aaa authentication ssh console server-tag command statement is not defined, you can gain access to the FWSM console with the username pix and with the FWSM Telnet password (set with the passwd command). If the aaa command is defined, but the SSH authentication requests time out (which implies the AAA servers may be down or not available), you can gain access to the FWSM using administrator username and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set.

The prompts users see requesting AAA credentials differ among the services that can access the FWSM for authentication: Telnet, FTP, HTTP, and HTTPS:

Telnet users see a prompt, generated by the FWSM, that you can change with the auth-prompt command. The FWSM does not limits the number of login attempts.

FTP users receive a prompt from the FTP program. If a user enters an incorrect password, the connection is dropped immediately. If the username or password on the authentication database differs from the username or password on the remote host that you are using FTP to access, enter the username and password in these formats:

authentication-user-name@remote-system-user-name
authentication-password@remote-system-password

If you daisy-chain FWSMs, Telnet authentication works in the same way as a single unit, but FTP and HTTP users must enter each password and username with an additional "at" (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit, depending on how many units are daisy-chained and password length.

Some FTP graphical user interfaces (GUIs) do not display challenge values.

HTTP users see a pop-up window generated by the browser itself if aaa authentication secure-http-client is not configured. If aaa authentication secure-http-client is configured, a form loads in the browser to collect username and password. In either case, if a user enters an incorrect password, the user is reprompted. When the web server and the authentication server are on different hosts, use the virtual command to get the correct authentication behavior.

The FWSM accepts only 7-bit characters during authentication. After authentication, the client and server can negotiate for 8 bits, if required. During authentication, the FWSM negotiates only Go-Ahead, Echo, and NVT (network virtual terminal).

HTTP Authentication

When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users might be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the FWSM authentication credentials.

Microsoft Internet Information Service (IIS) servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the FWSM username-password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

To solve this problem, the FWSM provides the virtual http command, which redirects the initial connection of the browser to another IP address, authenticates the user, then redirects the browser back to the URL that the user originally requested.

Once authenticated, a user never has to reauthenticate, no matter how low the FWSM uauth timeout is set, because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can be cleared only when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.

As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.

Multimedia applications such as CU-SeeMe, Intel Internet Phone, MeetingPoint, and MS NetMeeting silently start the HTTP service before an H.323 session is established from the inside to the outside.

Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.


Note To avoid interfering with these applications, do not enter blanket outgoing aaa command statements for all challenged ports, such as using the any option. Be selective about which ports and addresses you use to challenge HTTP and when to set user authentication timeouts to a higher timeout value. If interfered with, the multimedia programs might fail on the PC and might even cause the PC to fail after establishing outgoing sessions from the inside.


TACACS+ and RADIUS servers

You can have up to 15 single-mode groups or 4 multi-mode groups. Each group can have up to 16 servers in single mode or 4 servers in multi-mode. The servers can be either TACACS+ or RADIUS servers. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.

For the TACACS+ server, if you do not specify a key to the aaa-server command, no encryption occurs.

The FWSM displays the same timeout message for both RADIUS and TACACS+. The message "aaa server host machine not responding" displays when either of the following occurs:

The AAA server system is down.

The AAA server system is up, but the service is not running.

Examples

The following examples show the use of the aaa authentication console command.

Example 1:

The following example shows use of the aaa authentication console command for a Telnet connection to a RADIUS server with the server tag "radius":

hostname(config)# aaa authentication telnet console radius

Example 2:

The following example identifies the server group "AuthIn" for administrative authentication.

hostname(config)# aaa authentication enable console AuthIn

Example 3:

The following example shows use of the aaa authentication console command with fallback to the LOCAL user database if all the servers in the group "svrgrp1" fail:

hostname(config)# aaa-server svrgrp1 protocol tacacs
hostname(config)# aaa authentication ssh console svrgrp1 LOCAL

Related Commands

Command
Description

aaa authentication

Enables or disables user authentication.

aaa-server host

Specifies the AAA server to use for user authentication.

clear configure aaa

Remove/reset the configured AAA accounting values.

show running-config aaa

Display the AAA configuration.


aaa authentication include, exclude

To include or exclude user authentication for traffic through the FWSM, use the aaa authentication include or exclude command in global configuration mode. To disable user authentication, use the no form of this command.

aaa authentication include | exclude authentication-service  interface-name local-ip local-mask [foreign-ip foreign-mask] server-tag

no aaa authentication include | exclude authentication-service  interface-name local-ip local-mask [foreign-ip foreign-mask] server-tag

Syntax Description

authentication-service

The type of traffic to include or exclude from authentication, based on the service option selected.

exclude

Creates an exception to a previously stated rule by excluding the specified service from authentication. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.

foreign-ip

(Optional) IP address of the foreign host that is either the source or destination for connections requiring authentication; 0 indicates all hosts.

foreign-mask

(Optional) The network mask of foreign-ip.

include

Creates a new rule with the specified service to include.

interface-name

The interface name from which users require authentication.

local-ip

The IP address of the local/internal host or network of hosts that is either the source or destination for connections requiring authentication. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.

local-mask

The network mask of local-ip.

server-tag

The AAA server group tag defined by the aaa-server command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced on the FWSM.


Usage Guidelines

Authentication lets you control access by requiring a valid username and password. You can configure the FWSM to authenticate the following items:

All administrative connections to the FWSM including the following sessions:

Telnet

SSH

ASDM (using HTTPS)

VPN management access

The enable command

Network access through the FWSM

Each authentication server has a single pool of users. If you use the same server for multiple authentication rules and types, then a user needs to authenticate only one time for all rules and types, until the session expires. For example, if you configure the FWSM to authenticate Telnet and FTP, and a user successfully authenticates for Telnet, then as long as the session exists, the user does not also have to authenticate for FTP.

To include or exclude traffic for authentication, you must designate an authentication server with the aaa-server command before using the aaa authentication command. Each combination of local and foreign IP addresses can have one aaa authentication command for inbound connections and one for outbound connections. A session whose IP address is identified by the aaa-server authentication command starts a connection through FTP, Telnet, HTTP, or HTTPS and is prompted for a username and password. If the username and password are verified by the designated authentication server, the FWSM allows further traffic between the authenticating host and the client address.

Use the interface-name, local-ip, and foreign-ip variables to define where access is sought and from whom. The address for local-ip is always on the highest security level interface and foreign-ip is always on the lowest.


Note You cannot use the aaa authentication include or exclude command between same-security interfaces. For that scenario, you must use the aaa authentication match command.


You cannot use aaa include or exclude commands in the same configuration as aaa match commands.

For the local and foreign IP address masks, you can use 0 as a shorthand representation if the IP address is 0.0.0.0. Use 255.255.255.255 for a host.

The authentication servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The FWSM proxies FTP, HTTP, HTTPS, and Telnet to display the credentials prompts.


Note When a cut-through proxy is configured, TCP sessions (TELNET, FTP, HTTP, or HTTPS) might have their sequence numbers randomized even if the norandomseq option is used in the nat or static command. This occurs when a AAA server proxies the TCP session to authenticate the user before permitting access.


local access authentication

To configure a AAA server (TACACS+, RADIUS, or LOCAL) to authenticate administrators, choose one of the following access authentication service options: telnet for Telnet access, ssh for SSH access, http for HTTP access, and enable for enable-mode access.

cut-through authentication

For cut-through proxy and "to the box" authentication, you can also use the local FWSM user authentication database by specifying the server group tag LOCAL. If LOCAL is specified for server-tag and the local user credential database is empty, the following warning message appears:

Warning:local database is empty! Use 'username' command to define local users.

Conversely, if the local database becomes empty when LOCAL is still present in the command, the following warning message appears:

Warning:Local user database is empty and there are still commands using 'LOCAL' for 
authentication.

The cut-through authentication service options are as follows: telnet, ftp, http, https, icmp/type, proto, tcp/port, and udp/port. The variable proto can be any supported IP protocol value or name: for example, ip or igmp. Only Telnet, FTP, HTTP, or HTTPS traffic triggers interactive user authentication.

The authentication ports that the FWSM supports for AAA are fixed:

Port 21 for FTP

Port 23 for Telnet

Port 80 for HTTP

Port 443 for HTTPS

For this reason, do not use Static PAT to reassign ports for services you want to authenticate. In other words, when the port to authenticate is not one of the three known ports, the FWSM rejects the connection instead of authenticating it.

You can enter an ICMP message type number for type to include or exclude that specific ICMP message type from authentication. For example, icmp/8 includes or excludes type 8 (echo request) ICMP messages.

The tcp/0 option enables authentication for all TCP traffic, which includes FTP, HTTP, HTTPS, and Telnet. When a specific port is specified, only the traffic with a matching destination port is included or excluded for authentication. Note that FTP, Telnet, HTTP, and HTTPS are equivalent to tcp/21, tcp/23, tcp/80, and tcp/443, respectively.

If you specify ip, all IP traffic is included or excluded for authentication, depending on whether include or exclude is specified. When all IP traffic is included for authentication, following are the expected behaviors:

Before a user (source IP-based) is authenticated, an FTP, Telnet, HTTP, or HTTPS request triggers authentication, and all other IP requests are denied.

After a user is authenticated through FTP, Telnet, HTTP, HTTPS, or virtual Telnet authentication (see the virtual command), all traffic is free from authentication until the uauth timeout.

Enabling Authentication

The aaa authentication command enables or disables the following features:

User authentication services provided by a LOCAL, TACACS+, or RADIUS server are first designated with the aaa-server command. A user starting a connection via FTP, Telnet, HTTP, or HTTPS is prompted for the username and password. If the username and password are verified by the designated authentication server, the FWSM cut-through proxy feature allows further FTP, Telnet, HTTP, or HTTPS traffic between the source and destination.

Administrative authentication services providing access to the FWSM console via Telnet, SSH, or HTTP. Telnet access requires previous use of the telnet command. SSH access requires previous use of the ssh command.

The prompts users see requesting AAA credentials differ among the services that can access the FWSM for authentication.

Option
Number of Login Attempts Allowed
Notes

ftp

Incorrect password causes the connection to be dropped immediately.

FTP users receive a prompt from the FTP program. Some FTP graphical user interfaces do not display challenge values.

http

Continual reprompting until successful login.

HTTP users see a pop-up window generated by the browser itself if aaa aauthentication secure-http-client is not configured. If aaa aauthentication secure-http-client is configured, a form loads in the browser to collect username and password.

telnet

4 tries before dropping the connection.

Before the first command-line prompt of a Telnet console connection.



Note For HTTP or HTTPS, when the web server and the authentication server are on different hosts, use the virtual command to get the correct authentication behavior.


You can specify an interface name with the aaa authentication command. For example, if you specified aaa authentication include tcp outside 0 0 server-tag, the FWSM authenticates a TCP connection originating on the outside interface.


Note For HTTP or HTTPS authentication, once authenticated, a user never has to reauthenticate, no matter how low the FWSM uauth timer is set, because the browser caches the string "Basic=Uuhjksdkfhk==" in every subsequent connection to that particular site. This can be cleared only when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.


TACACS+ and RADIUS servers

You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each group can have up to 16 servers in single mode or 4 servers in multi-mode. The servers can be either TACACS+ or RADIUS servers—set with the aaa-server command. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.

The FWSM permits only one authentication type per network. For example, if one network connects through the FWSM using TACACS+ for authentication, another network connecting through the FWSM can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.


Note If VPN attributes are enforced by an authorization server, the FWSM does not enforce VPN attributes received from a RADIUS authentication server. For example, if the attribute-value pair "tunnel-group=VPN" is defined for RADIUS authentication and LDAP authorization, then all the VPN remote-access attributes configured on the LDAP server are enforced on the VPN remote-access tunnel. Those attributes defined by the RADIUS authentication server are ignored. This behavior affects the authentication/authorization parameters for tunnel-group.


Examples

The following examples show some uses of the aaa authentication command:

Example 1:

The following example includes for authentication TCP traffic on the outside interface, with a local IP address of 192.168.0.0 and a netmask of 255.255.0.0, with a remote/foreign IP address of all hosts, and using a server named "tacacs+". The second command line excludes Telnet traffic on the outside interface with a local address of 192.168.38.0, with a remote/foreign IP address of all hosts:

hostname(config)# aaa authentication include tcp outside 192.168.0.0 255.255.0.0 0.0.0.0 
0.0.0.0 tacacs+
hostname(config)# aaa authentication exclude telnet outside 192.168.38.0 255.255.255.0 
0.0.0.0 0.0.0.0 tacacs+

Example 2:

The following examples demonstrate ways to use the interface-name parameter. The FWSM has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).

This example enables authentication for connections originated from the inside network to the outside network: