
Authentication, Authorization, and Accounting

Lesson 7

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—7-1


Introduction



Authentication, Authorization, and Accounting

[Figure: a web server and a Cisco Secure ACS server reached across the Internet through the security appliance]

 Authentication
– Who you are
 Authorization
– What you can do
 Accounting
– What you did



Types of Authentication

[Figure: the three authentication points: console access to the security appliance, cut-through proxy access to a web server across the Internet, and IPsec and SSL VPN tunnel access]

 Access to the security appliance
– Console access
 Access through the security appliance
– Cut-through proxy
 Tunnel access
– IPsec
– SSL VPN


Types of Authorization

[Figure: the same three access points: security appliance console access, cut-through proxy to a web server, and IPsec and SSL VPN tunnel access]

 Console access: Specifies whether command execution is subject to authorization
 Cut-through proxy: Specifies what “through” services are subject to authorization
 Tunnel access: Specifies what “tunnel” services are authorized


Types of Accounting

[Figure: the same three access points: security appliance console access, cut-through proxy to a web server, and IPsec and SSL VPN tunnel access]

 Security appliance console access
 Access through the security appliance
– Cut-through proxy
 Tunnel connections
– IPsec
– SSL VPN


Installation of Cisco Secure ACS for Windows 2000



Installation Wizard



Cisco Secure ACS Network Configuration



Security Appliance Access Authentication Configuration



Types of Security Appliance Access Authentication

[Figure: console access to the security appliance from the Internet, authenticated against a local, RADIUS, or TACACS+ authentication server]

 Authentication
– Who you are
 Authorization
– What you can do
 Accounting
– What you did

Types of security appliance console authentication:
 Telnet
 Serial
 SSH
 Enable
 HTTP


Security Appliance Access Authentication: Configuration Steps

ciscoasa(config)#
aaa-server server-tag protocol server-protocol
 Specifies a AAA server group

ciscoasa(config)#
aaa-server server-tag [(interface-name)] host {server-ip | name} [key] [timeout seconds]
 Designates an authentication server

ciscoasa(config)#
aaa authentication {serial | enable | telnet | ssh | http} console {server-tag [LOCAL] | LOCAL}
 Enables authentication for console access



Specify a AAA Server Group

[Figure: security appliance console access authenticated against the NY_ACS TACACS+ authentication server]

ciscoasa(config)#
aaa-server server-tag protocol server-protocol

 Creates a AAA server group, assigns a protocol to the group, and takes you to configuration mode for the server group

asa1(config)# aaa-server NY_ACS protocol tacacs+



AAA Server Group Subcommand

[Figure: the NY_ACS authentication server, with server group attributes applied to it]

asa1(config-aaa-server-group)# ?

aaa-server configuration commands:
  accounting-mode      Enter this keyword to specify accounting mode
  exit                 Exit from aaa-server group configuration mode
  max-failed-attempts  Specify the maximum number of failures that will be
                       allowed for any server in the group before that server
                       is deactivated
  no                   Remove an item from aaa-server group configuration
  reactivation-mode    Specify the method by which failed servers are
                       reactivated
asa1(config-aaa-server-group)# reactivation-mode ?

aaa-server-group mode commands/options:
  depletion  Failed servers will remain inactive until all other
             servers in this group are inactive
  timed      Failed servers will be reactivated after 30 seconds of
             down time

 Assigns server group attributes

Designate an Authentication Server

[Figure: security appliance console access authenticated against the NY_ACS TACACS+ server at 10.0.0.2]

ciscoasa(config)#
aaa-server server-tag [(interface-name)] host {server-ip | name} [key] [timeout seconds]

 Identifies the AAA server for a given server tag
 Configures aaa-server subcommands

asa1(config)# aaa-server NY_ACS (inside) host 10.0.0.2
asa1(config-aaa-server-host)# key secretkey
asa1(config-aaa-server-host)# timeout 10



Authentication of Console Access

[Figure: security appliance console access authenticated against the NY_ACS TACACS+ server at 10.0.0.2]

ciscoasa(config)#
aaa authentication {serial | enable | telnet | ssh | http} console {server-tag [LOCAL] | LOCAL}

 Defines a console access method that requires authentication
 Identifies the authentication server group name (authentication server or LOCAL)
 Enables fallback to LOCAL security appliance database

asa1(config)# aaa authentication serial console NY_ACS LOCAL
asa1(config)# aaa authentication enable console NY_ACS LOCAL
asa1(config)# aaa authentication telnet console NY_ACS LOCAL
asa1(config)# aaa authentication ssh console NY_ACS LOCAL

How to Add Users to Cisco Secure ACS



How to Add Users to the Local Database

[Figure: Telnet from the Internet to the security appliance, authenticated via the local database]

ciscoasa(config)#
username username {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege level]

 Creates a user account in the local database

asa1(config)# username admin1 password cisco123
asa1(config)# aaa authentication telnet console LOCAL

 Creates the user account admin1 in the local database and gives it the password cisco123
 Specifies that the local database is to be used to authenticate telnet console access



Maximum Failed Attempts

[Figure: Telnet from the Internet to the security appliance, authenticated via the local database]

ciscoasa(config)#
aaa local authentication attempts max-fail fail-attempts

 Specifies the maximum number of failed attempts after which a user is locked out

clear aaa local user {fail-attempts | lockout} {all | username username}

 Clears lockout condition, or the number of failed attempts, for a user or all users

asa1(config)# aaa local authentication attempts max-fail 3

asa1# show aaa local user
Lock-time   Failed-attempts   Locked   User
15:34:56    3                 Y        admin1

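An added example, not part of the Cisco course material: it parses the table printed by show aaa local user (a constructed sample in the slide's format) and triages it against the configured max-fail value, listing locked accounts, accounts one failure short of lockout, and the clear commands an administrator would run once the failures are explained.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the shape of the 'show aaa local user' table on the slide.
SAMPLE_SHOW_AAA_LOCAL_USER = """\
Lock-time Failed-attempts Locked User
15:34:56 3 Y admin1
- 2 N admin2
- 0 N admin3
"""


@dataclass
class LocalUser:
    name: str
    failed_attempts: int
    locked: bool
    lock_time: str  # "-" while the account is not locked


def parse_local_users(output: str) -> List[LocalUser]:
    """Parse the 'show aaa local user' table into one record per local account."""
    users = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Lock-time":
            continue  # header or blank line
        lock_time, failed, locked, name = parts
        users.append(LocalUser(name, int(failed), locked == "Y", lock_time))
    return users


def lockout_report(output: str, max_fail: int) -> Tuple[List[str], List[str], List[str]]:
    """Triage the table against the configured 'aaa local authentication attempts max-fail'.

    Returns (locked accounts, accounts one more failure away from lockout,
    'clear aaa local user lockout' commands to run once the failures are explained).
    """
    users = parse_local_users(output)
    locked = [u.name for u in users if u.locked]
    at_risk = [u.name for u in users
               if not u.locked and 0 < u.failed_attempts >= max_fail - 1]
    clears = [f"clear aaa local user lockout username {n}" for n in locked]
    return locked, at_risk, clears
```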


Show Local Users

[Figure: admin1 connecting by Telnet from the Internet, authenticated via the local database]

asa1(config)# aaa authentication telnet console LOCAL

asa1# show aaa local user
Lock-time   Failed-attempts   Locked   User
-           2                 N        admin1

asa1# show aaa-server LOCAL
Server Group: LOCAL
Server Protocol: Local database
Server Address: None
Server port: None
Server status: ACTIVE, Last transaction at 15:38:37 UTC Wed Dec 1 2005
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 1
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1



How to Change the Authentication Prompts

[Figure: a Telnet login session showing the configured prompts]
Please Authenticate
Username: asjdkl
Password:
Authentication Failed, Try Again
Please Authenticate
Username: asjfkl
Password:
You’ve Been Authenticated

ciscoasa(config)#
auth-prompt {accept | prompt | reject} string

 Defines the prompt that users see when authenticating
 Defines the message that users get when they successfully or unsuccessfully authenticate (By default, only username and password prompts are displayed.)

asa1(config)# auth-prompt prompt Please Authenticate
asa1(config)# auth-prompt reject Authentication Failed, Try Again
asa1(config)# auth-prompt accept You’ve been Authenticated



How to Change the Authentication Timeouts

 Inactivity Timeout
 Absolute Timeout

ciscoasa(config)#
timeout uauth hh:mm:ss [absolute | inactivity]

 Sets the time interval before users will be required to reauthenticate
– Inactivity: Time interval for inactive sessions (no traffic)
– Absolute: Time interval starts at user login

asa1(config)# timeout uauth 0:30:00 inactivity
asa1(config)# timeout uauth 3:00:00 absolute

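An added example, not from the course material, that models how the two uauth timers interact for a cached authentication: the absolute clock starts at login and the inactivity clock restarts with every packet, and whichever expires first forces reauthentication. The handling of a 0:00:00 value is an assumption stated in the docstring, not something the slide says.

```python
from datetime import datetime, timedelta
from typing import Optional


def parse_uauth_interval(value: str) -> timedelta:
    """Convert the hh:mm:ss form used by 'timeout uauth' into a timedelta."""
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def expired_timer(login: datetime, last_activity: datetime, now: datetime,
                  absolute: str = "0:05:00", inactivity: str = "0:00:00") -> Optional[str]:
    """Return which uauth timer forces reauthentication for a new connection at 'now',
    or None while the cached authentication is still valid.

    The defaults match the 'show uauth' output on the slides (absolute 0:05:00,
    inactivity 0:00:00). Assumptions, not stated on the slide: inactivity 0:00:00
    means the inactivity timer is off, and absolute 0:00:00 means nothing is cached,
    so every new connection reauthenticates.
    """
    absolute_limit = parse_uauth_interval(absolute)
    inactivity_limit = parse_uauth_interval(inactivity)
    if absolute_limit == timedelta(0) or now - login >= absolute_limit:
        return "absolute"    # clock started at login, regardless of traffic
    if inactivity_limit and now - last_activity >= inactivity_limit:
        return "inactivity"  # clock restarts with every packet from the user
    return None
```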


Cut-Through Proxy Authentication Configuration



Cut-Through Proxy Operation

Types of cut-through proxy user authentication:
 Telnet
 FTP
 HTTP
 HTTPS

[Figure: a user on the Internet, the security appliance, Cisco Secure ACS, and a web server, with the numbered steps below; the remote username and password in the figure are Bill Smith and cisco123]

1. The user makes a request to access the web server.
2. The user is prompted by the security appliance.
3. The security appliance queries Cisco Secure ACS for the remote username and password.
4. If Cisco Secure ACS authenticates, the user is “cut through” the security appliance.
5. The local username and password are passed to the web server to authenticate.



Cut-Through Proxy User Authentication: Configuration Steps

asa1(config)# aaa-server server-tag protocol server-protocol
 Specifies a AAA server group

asa1(config)# aaa-server server-tag [(interface-name)] host {server-ip | name} [key] [timeout seconds]
 Designates an authentication server

asa1(config)# aaa authentication match acl-name interface-name {server-tag | LOCAL}
 Enables cut-through proxy user authentication



Enable authentication match

[Figure: web server 192.168.2.10 and FTP server 192.168.2.11 behind the security appliance; authentication against the NY_ACS TACACS+ server at 10.0.0.2]

ciscoasa(config)#
aaa authentication match acl-name interface-name {server-tag | LOCAL}

 Identifies a traffic flow with an access-list command
 Requires authentication of traffic matching access-list command statement

asa1(config)# access-list 110 permit tcp any host 192.168.2.11 eq ftp
asa1(config)# access-list 110 permit tcp any host 192.168.2.10 eq www
asa1(config)# aaa authentication match 110 outside NY_ACS



aaa authentication match Example

[Figure: outbound traffic is authenticated by the TACACS+ server AUTHOUT at 10.0.0.3; inbound traffic by the RADIUS server AUTHIN at 10.0.0.2]

asa1(config)# aaa-server AUTHIN protocol radius
asa1(config)# aaa-server AUTHIN (inside) host 10.0.0.2
asa1(config-aaa-server)# key cisco123
asa1(config)# aaa-server AUTHOUT protocol tacacs+
asa1(config)# aaa-server AUTHOUT (inside) host 10.0.0.3
asa1(config-aaa-server)# key cisco456
asa1(config)# access-list 110 permit tcp any any eq telnet
asa1(config)# access-list 110 permit tcp any any eq ftp
asa1(config)# access-list 110 permit tcp any any eq www
asa1(config)# aaa authentication match 110 outside AUTHIN
asa1(config)# aaa authentication match 110 inside AUTHOUT



Show Authentication

[Figure: aaauser at 192.168.2.10 on the outside, authenticated against the TACACS+ server at 10.0.1.10]

asa1(config)# show uauth
                        Current   Most Seen
Authenticated Users     1         1
Authen In Progress      0         1
user 'aaauser' at 192.168.2.10, authenticated
absolute timeout: 0:05:00
inactivity timeout: 0:00:00



show aaa-server Command: TACACS+ Server

[Figure: client 192.168.2.10 on the outside; NY_ACS TACACS+ server at 10.0.1.10]

asa1# show aaa-server NY_ACS
Server Group: NY_ACS
Server Protocol: tacacs+
Server Address: 10.0.1.10
Server port: 49
Server status: ACTIVE, Last transaction at 16:17:23 UTC Mon Nov 29 2005
Number of pending requests 0
Average round trip time 3ms
Number of authentication requests 2
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 2
Number of rejects 0
Number of challenges 2



Authenticating When Telnet, FTP, HTTP, and HTTPS Through-Traffic Is Not Permitted

[Figure: a client on the Internet opens a virtual session with the ASA; Cisco Secure ACS authentication server at 10.0.0.2 and a server at 10.0.0.33 behind the appliance]

 Use virtual Telnet to authenticate to the security appliance before accessing other services.
 Authenticate with the security appliance directly using HTTP or HTTPS.



Virtual Telnet

[Figure: client 192.168.9.10 on the Internet telnets to the virtual address 192.168.0.9 on the security appliance; Cisco Secure ACS authentication server at 10.0.1.2 and file server at 10.0.1.33 on the inside]

C:\> telnet 192.168.0.9
LOGIN Authentication
Username: aaauser
Password: aaapass
Authentication Successful

ciscoasa(config)#
virtual telnet ip_address

 Enables access to the security appliance virtual server (The IP address must be an unused address that can be routed to the security appliance.)

asa1(config)# access-list 120 permit tcp host 192.168.9.10 host 192.168.0.9
asa1(config)# access-group 120 in interface outside
asa1(config)# aaa-server AUTHIN protocol radius
asa1(config)# aaa-server AUTHIN (inside) host 10.0.1.2
asa1(config-aaa-server)# key cisco123
asa1(config)# aaa authentication match 120 outside AUTHIN
asa1(config)# virtual telnet 192.168.0.9

Tunnel Access Authentication Configuration



Tunnel User Authentication

[Figure: a remote client reaching a web server through a VPN tunnel, authenticated against a local, RADIUS, TACACS+, SDI, Windows NT, or Kerberos authentication server]

Types of tunnel user authentication:
 IPsec VPN
 SSL VPN

VPN Tunnel Group Policy

[Figure: Engineering, Marketing, and Training tunnel groups, each pushing its own policy to the client; Engineering on 10.0.0.0/24 and Training on 10.0.1.0/24]

 VPN authentication can be defined by tunnel group.
 Different tunnel groups can authenticate to different authentication servers.

Authorization Configuration



Security Appliance User Authorization

[Figure: clients 192.168.9.11 and 192.168.9.13 on the 192.168.0.0 network reach an FTP server at 10.0.0.33 through the security appliance; FTP authorization against Cisco Secure ACS at 10.0.0.2]

Two supported methods:
 Classic user authorization, where a TACACS+ AAA server is configured with rules and consulted for every connection on demand
 Download of a per-user ACL from a RADIUS AAA server during authentication



Downloadable ACL Authorization

[Figure: client 192.168.1.10 on the Internet reaches the web server 192.168.2.10 and FTP server 192.168.2.11; authentication and ACL download from Cisco Secure ACS at 10.0.0.2]

Downloadable ACLs:
 Authentication request to AAA server
 Authentication response containing ACL
 ACL download of a per-user or per-group ACL authorization



Downloadable ACLs

[Figure: client on the Internet, the security appliance, the AAA server at 172.16.1.4, and the web server at 10.0.1.11, with the steps below numbered 1 to 7]

1. The HTTP request to global IP address 192.168.1.10 is intercepted by the security appliance.
2. An authentication request is sent to the AAA server.
3. The authentication response contains the ACL name from the AAA server.
4. The security appliance checks to see if the user ACL is already present.
5. A request is sent from the security appliance to the AAA server for the user ACL.
6. The ACL is sent to the security appliance.
7. The HTTP request is forwarded to the web server.



Configuring Downloadable ACLs in Cisco Secure ACS



Assigning the ACL to the User or Group



Show Downloaded ACLs

[Figure: client 192.168.1.10 reaching web server 192.168.2.10 and FTP server 192.168.2.11; the RADIUSAUTH ACL is downloaded from Cisco Secure ACS at 10.0.0.2]

asa1# show access-list
. . .
access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6; 3 elements
access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 1 extended permit tcp any host 192.168.2.10 eq www (hitcnt=5) 0x5fbc7326
access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 2 extended permit tcp any host 192.168.2.11 eq ftp (hitcnt=0) 0xb9faf575
access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 line 3 extended deny ip any any (hitcnt=0) 0xb8b9b4e1



Show Authentication

[Figure: client 192.168.1.10 reaching web server 192.168.2.10; the RADIUSAUTH ACL is downloaded from Cisco Secure ACS at 10.0.0.2]

asa1# show uauth
                        Current   Most Seen
Authenticated Users     1         1
Authen In Progress      0         1
user 'aaauser' at 192.168.1.10, authenticated
access-list #ACSACL#-IP-RADIUSAUTH-3ddb8ab6 (*)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00



show aaa-server Command: RADIUS

asa1# show aaa-server
Server Group: MYRADIUS
Server Protocol: radius
Server Address: 10.0.0.2
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at 14:33:13 utc Thu Aug 24 2006
Number of pending requests 0
Average round trip time 30ms
Number of authentication requests 1
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1
Number of rejects 0
Number of challenges 1
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0

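An added example, not from the course material, that turns the show aaa-server counters into health findings. The sample output is constructed in the format shown on the slide, with counters altered to look like a RADIUS server whose shared key does not match; the thresholds are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the 'show aaa-server' output on the slide; the
# counters are altered to show a RADIUS server whose shared key does not match.
SAMPLE_SHOW_AAA_SERVER = """\
Server Group: MYRADIUS
Server Protocol: radius
Server Address: 10.0.0.2
Server port: 1645(authentication), 1646(accounting)
Server status: ACTIVE, Last transaction at 14:33:13 utc Thu Aug 24 2006
Number of pending requests 0
Average round trip time 30ms
Number of authentication requests 12
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 9
Number of accepts 1
Number of rejects 2
Number of challenges 1
Number of malformed responses 0
Number of bad authenticators 7
Number of timeouts 9
Number of unrecognized responses 0
"""


def parse_aaa_server(output: str) -> Dict[str, object]:
    """Turn one server block of 'show aaa-server' into a dict; counters become ints."""
    info: Dict[str, object] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.match(r"Number of (.+?) (\d+)$", line):
            info[m.group(1)] = int(m.group(2))
        elif m := re.match(r"Average round trip time (\d+)ms$", line):
            info["rtt_ms"] = int(m.group(1))
        elif m := re.match(r"(Server [A-Za-z]+): (.*)$", line):
            info[m.group(1)] = m.group(2)
    return info


def health_findings(info: Dict[str, object], max_rtt_ms: int = 100) -> List[str]:
    """Flag counters that point at a misconfigured or unhealthy AAA server."""
    findings = []
    if not str(info.get("Server status", "")).startswith("ACTIVE"):
        findings.append("server not ACTIVE: deactivated after max-failed-attempts; "
                        "check reachability and reactivation-mode")
    if info.get("bad authenticators", 0):
        # A bad Response Authenticator means the reply MD5 did not verify with our key.
        findings.append("bad authenticators > 0: the RADIUS shared key on the appliance "
                        "does not match the key configured on the server")
    if info.get("timeouts", 0) or info.get("retransmissions", 0):
        findings.append("timeouts/retransmissions > 0: requests are going unanswered; "
                        "check the path to the server and the host timeout value")
    requests = info.get("authentication requests", 0)
    rejects = info.get("rejects", 0)
    if requests and rejects / requests >= 0.5:
        findings.append(f"{rejects} of {requests} authentication requests rejected: "
                        "possible credential guessing or wrong user database")
    if info.get("rtt_ms", 0) > max_rtt_ms:
        findings.append(f"average round trip time {info['rtt_ms']}ms exceeds {max_rtt_ms}ms")
    return findings
```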


Per-User Override

[Figure: client 192.168.1.10 reaching web server 192.168.2.10 (WWW); the per-user ACL is downloaded from Cisco Secure ACS at 10.0.0.2]

When per-user override is present, the security appliance allows the permit or deny ACE from the downloaded per-user access list to override the permit or deny ACE from the access-group command.

Existing ACL:
Permit tcp any any eq www (hitcnt=0)
Downloaded per-user ACL:
Deny tcp any host 192.168.2.10 eq www (hitcnt=1)

asa1# show run access-group
access-group ACLOUT in interface outside per-user-override



Example: Per-User Override

[Figure: aaauser at 192.168.1.10 authenticates and the per-user ACL #ACSACL#-IP-NO_WWW is downloaded; web server 192.168.2.10]

asa1# show uauth
                        Current   Most Seen
Authenticated Users     1         1
Authen In Progress      0         1
user 'aaauser' at 192.168.1.10, authenticated
access-list #ACSACL#-IP-NO_WWW-41aef3fc (*)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
asa1# show access-list
……………
access-list ACLOUT line 3 extended permit tcp any host 192.168.2.10 eq www (hitcnt=2)
……………
access-list AAA-WWW line 1 extended permit tcp any host 192.168.2.10 eq www (hitcnt=4)
…………
access-list #ACSACL#-IP-NO_WWW-41aef3fc line 2 extended deny tcp any host 192.168.2.10 eq www (hitcnt=1)

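An added example, not from the course material, that parses the extended ACEs shown on the per-user override and downloadable ACL slides and evaluates a flow against the interface ACL and the downloaded per-user ACL with and without per-user-override. The behaviour without the keyword (a flow must pass both ACLs) is an assumption the slide does not spell out; the address and port forms handled are only those that appear on the slides.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PORT_NAMES = {"www": 80, "ftp": 21, "telnet": 23, "https": 443, "ssh": 22}


@dataclass
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]       # None when the ACE has no "eq" clause


def _take_address(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    if tokens[0] == "any":
        del tokens[0]
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tokens[0] == "host":
        net = ipaddress.IPv4Network(tokens[1] + "/32")
        del tokens[:2]
        return net
    raise ValueError(f"unsupported address form: {tokens[0]}")


def parse_ace(text: str) -> Ace:
    """Parse the extended ACE forms on the slides, e.g.
    'permit tcp any host 192.168.2.10 eq www' (any/host addresses, 'eq' ports only)."""
    tokens = text.lower().split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src = _take_address(rest)
    dst = _take_address(rest)
    dport = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, dst, dport)


def acl_permits(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> bool:
    """First matching ACE wins; an ACL that matches nothing ends in an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst \
                and ace.dport in (None, dport):
            return ace.action == "permit"
    return False


def flow_allowed(interface_acl: List[Ace], per_user_acl: List[Ace], per_user_override: bool,
                 proto: str, src: str, dst: str, dport: int) -> bool:
    """Model of the access-group per-user-override behaviour described on the slide.
    Assumption (the slide describes the override case only): without the keyword the
    flow must be permitted by both the interface ACL and the downloaded per-user ACL."""
    user_ok = acl_permits(per_user_acl, proto, src, dst, dport)
    if per_user_override:
        return user_ok  # the downloaded ACE overrides the interface ACE
    return acl_permits(interface_acl, proto, src, dst, dport) and user_ok
```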


Accounting Configuration



Accounting Overview

[Figure: a web server and a Cisco Secure ACS server reached across the Internet through the security appliance]

 Authentication
– Who you are
 Authorization
– What you can do
 Accounting
– What you did



Enable accounting match

[Figure: FTP and HTTP traffic flow to the web server, with accounting records sent to NY_ACS at 10.0.0.2]

ciscoasa(config)#
aaa accounting match acl-name interface-name server-tag

 Identifies a traffic flow with an access-list command
 Enables accounting of traffic that matches access-list command statement

asa1(config)# access-list 110 permit tcp any host 192.168.2.10 eq ftp
asa1(config)# access-list 110 permit tcp any host 192.168.2.10 eq www
asa1(config)# aaa accounting match 110 outside NY_ACS



How to View Accounting Information in Cisco Secure ACS

[Figure: Cisco Secure ACS accounting report showing the Start (37A3C2) and Stop (37A3C2) records of one session]



Administrative Accounting

[Figure: STUDENT1 connecting by Telnet from the Internet; administrative accounting records sent to the AAA server]

ciscoasa(config)#
aaa accounting {serial | telnet | ssh | enable} console server-tag

 Enables or disables the generation of accounting records to mark the establishment and termination of administrative sessions
 Valid server group protocols are RADIUS and TACACS+

asa1(config)# username STUDENT1 password cisco123
asa1(config)# aaa authentication telnet console LOCAL
asa1(config)# aaa accounting telnet console NY_ACS



Viewing RADIUS Administrative Access Accounting Information in Cisco Secure ACS



Command Accounting

[Figure: STUDENT1 connecting by Telnet from the Internet; command accounting records sent to the AAA server]

ciscoasa(config)#
aaa accounting command [privilege level] server-tag

 Enables or disables the generation of command accounting records for administrative sessions
 Valid server group protocol is TACACS+

asa1(config)# aaa accounting command privilege 6 MYTACACS



Viewing TACACS+ Administrative Command Accounting Information



Summary



Summary

 Authentication is who you are, authorization is what you can do, and accounting is what you did.
 Three types of authentication are available.
– Access to the security appliance via Telnet, SSH, serial, enable, or HTTP options
– Access through the security appliance via cut-through proxy
– Access through an IPsec or SSL VPN tunnel
 Although you can configure the security appliance to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the security appliance allows other traffic requiring authentication.



Summary (Cont.)

 If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the security appliance but want to authenticate other types of traffic, you can have users:
– Authenticate with the security appliance directly using HTTP
– Use virtual Telnet
 Downloadable ACLs enable you to enter an ACL once, in Cisco Secure ACS, then download that ACL to any number of security appliances during user authentication.



Lab Visual Objective

[Figure: lab topology for pods 1–5 (192.168.P.0, 172.16.P.0, 10.0.P.0) and pods 6–10 (192.168.Q.0, 172.16.Q.0, 10.0.Q.0). Each pod has a bastion host (web, FTP), an ASA, an RTS, and a student PC running web, FTP, and Cisco Secure ACS (local: 10.0.P.11 and 10.0.Q.11); the pods connect through the RBB to a web/FTP server on 172.26.26.0]


