User Authentication for Web Server Access
Imagine the following scenario: We have a web server on a DMZ protected by a Cisco ASA 5500 firewall. We would like to allow external Internet users to access this web server only after they successfully authenticate with a username/password credential. This scenario applies, for example, when employees need to reach a corporate intranet web server while they are away from the office. The username/password accounts for the users could be stored either locally on the ASA firewall (which does not scale well) or on an internal AAA (Authentication) server, such as the Cisco Access Control Server (ACS). The example diagram below illustrates the setup:
Configuration Example:
! Specify a AAA server group name (AAA_SRV) and which protocol to use (RADIUS or TACACS+)
CISCO-ASA(config)# aaa-server AAA_SRV protocol tacacs+
! Designate the Authentication server IP address and the authentication secret key
CISCO-ASA(config)# aaa-server AAA_SRV (inside) host 10.0.0.1
CISCO-ASA(config-aaa-server-host)# key authentication-secret-key
! The following ACL specifies for which traffic flow the firewall will enforce authentication
CISCO-ASA(config)# access-list 120 permit tcp any host 20.20.20.1 eq www
! Enable web server user authentication by matching the ACL configured above
CISCO-ASA(config)# aaa authentication match 120 outside AAA_SRV
! The last statement above will authenticate traffic on the “outside” interface using
! server AAA_SRV only if this traffic matches Access List 120
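To review a configuration like the one above without logging in to the firewall, here is a small audit helper added to this post (it is not code from the original article): it parses the access-list and aaa authentication match lines and reports which AAA server, if any, will challenge a given flow. It handles only the simple ACE grammar used above (tcp/udp/ip, "any" or "host X" endpoints, optional "eq port"), and the sample configuration and client addresses are constructed for the example.

```python
import re

# Constructed sample: the post's configuration plus one exemption entry.
SAMPLE_CONFIG = """
aaa-server AAA_SRV protocol tacacs+
access-list 120 deny tcp host 203.0.113.9 host 20.20.20.1 eq www
access-list 120 permit tcp any host 20.20.20.1 eq www
aaa authentication match 120 outside AAA_SRV
"""
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23}
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?$")
MATCH_RE = re.compile(
    r"^aaa authentication match (?P<acl>\S+) (?P<iface>\S+) (?P<server>\S+)$")

def _endpoint_matches(spec, ip):
    """'any' matches everything; 'host X' must equal the address exactly."""
    return spec == "any" or spec.split()[1] == ip

def parse_config(text):
    """Collect ACL entries per ACL name and the 'aaa authentication match' rules."""
    acls, rules = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        ace, rule = ACE_RE.match(line), MATCH_RE.match(line)
        if ace:
            acls.setdefault(ace["name"], []).append(ace.groupdict())
        elif rule:
            rules.append((rule["acl"], rule["iface"], rule["server"]))
    return acls, rules

def requires_auth(config, iface, src, dst, proto, dport):
    """Return the AAA server that challenges this flow, or None if it passes unprompted."""
    acls, rules = parse_config(config)
    for acl, rule_iface, server in rules:
        if rule_iface != iface:
            continue
        # ACEs are checked first-match, as the ASA does: a matching 'deny'
        # exempts the flow from authentication, a matching 'permit' enforces it.
        for ace in acls.get(acl, []):
            if ace["proto"] not in ("ip", proto):
                continue
            if not (_endpoint_matches(ace["src"], src) and _endpoint_matches(ace["dst"], dst)):
                continue
            port = ace["port"] and SERVICE_PORTS.get(ace["port"], ace["port"])
            if port is not None and int(port) != dport:
                continue
            return server if ace["action"] == "permit" else None
    return None
```

Running requires_auth(SAMPLE_CONFIG, "outside", "198.51.100.7", "20.20.20.1", "tcp", 80) returns "AAA_SRV", while HTTPS to the same host or traffic arriving on "inside" returns None, which is exactly the gap a reviewer should look for when only port 80 is listed in the match ACL.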