I get the users to authenticate when using FTP through the FWSM (multiple context mode) but I have a few questions that I can't seem to find the exact answers to in the documentation (I presume I'm just missing something when reading it).
At the moment we have the users match the ACL, login using a local account and then they are allowed to login to the end FTP server, all pretty standard stuff. This works fine for the users but some of the FTP connections are scripted and set as timed jobs on servers. These scripted FTP connections have no idea which username prompt (FWSM or FTP server) is being presented which becomes an issue when connections are made and closed in rapid succession as it appears that the firewall keeps the authenticated session open and allows a new connection straight through.
The config I have is as follows (BTW - we use CSM).
access-list CSM_AAA_AUTHE_INSIDE_LOCAL remark Authenticate outbound FTP access
access-list CSM_AAA_AUTHE_INSIDE_LOCAL extended permit tcp any any eq ftp
timeout uauth 0:00:00 absolute uauth 0:05:00 inactivity
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
aaa authentication match CSM_AAA_AUTHE_INSIDE_LOCAL INSIDE LOCAL
username *********** password **************** encrypted privilege 0
Is there a way to get the scripted FTP sessions to require authentication to the firewall every time they are run, regardless of how often or how frequently they are run? We have some scripted FTP jobs that transfer several MB every few minutes and others that may transfer GB every few hours or each day. Unless the firewall prompt is displayed every time, the scripts fail.
If all the connections are that random, the answer is no.
The idea of uauth is to get the user to authenticate just once, and get access after the authentication. If a normal user gets prompted for authentication all the time, that will just annoy them.
So unfortunately, in your FTP script scenario, there is nothing to force the authentication every time the FTP connection is triggered, especially when the server is still sending other traffic through the firewall at the same time.
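As an added illustration (not code from either post or from Cisco), the following small model shows why, under the timers in the config above (absolute timer 0:00:00, inactivity 0:05:00), a scripted FTP job only sees the firewall prompt on its first run and not on the following ones. The timer semantics (a 0:00:00 absolute value disabling that timer, and any traffic from the authenticated host refreshing the inactivity timer) and the host address 10.0.0.5 are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

def parse_timeout(hms: str) -> int:
    """Convert an hh:mm:ss timeout string to seconds (0 means 'timer disabled')."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

@dataclass
class UauthCache:
    """Per-source-host authentication cache with absolute and inactivity timers."""
    absolute: int      # seconds since authentication; 0 disables (assumed)
    inactivity: int    # seconds since last traffic; 0 disables (assumed)
    entries: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def _expired(self, entry: Optional[Dict[str, int]], now: int) -> bool:
        if entry is None:
            return True
        if self.absolute and now - entry["auth_at"] >= self.absolute:
            return True
        if self.inactivity and now - entry["last_seen"] >= self.inactivity:
            return True
        return False

    def ftp_connect(self, host: str, now: int) -> bool:
        """Return True when this FTP connection gets the firewall login prompt."""
        entry = self.entries.get(host)
        if self._expired(entry, now):
            self.entries[host] = {"auth_at": now, "last_seen": now}
            return True
        entry["last_seen"] = now
        return False

    def other_traffic(self, host: str, now: int) -> None:
        """Assumed: any traffic from an already-authenticated host refreshes its inactivity timer."""
        entry = self.entries.get(host)
        if not self._expired(entry, now):
            entry["last_seen"] = now

def simulate(interval: int, runs: int, absolute: str = "0:00:00",
             inactivity: str = "0:05:00", keepalive: int = 0) -> List[bool]:
    """Run the FTP job every `interval` seconds (constructed host 10.0.0.5);
    `keepalive` > 0 adds unrelated traffic from the same host every `keepalive` seconds.
    Returns, per run, whether the firewall prompted for credentials."""
    cache = UauthCache(parse_timeout(absolute), parse_timeout(inactivity))
    prompted = []
    for i in range(runs):
        now = i * interval
        for t in range(max(0, now - interval + keepalive), now, keepalive or now + 1):
            cache.other_traffic("10.0.0.5", t)
        prompted.append(cache.ftp_connect("10.0.0.5", now))
    return prompted
```

With the posted timers, a job every 2 minutes prompts only once, a job every 10 minutes prompts on every run, and a 10-minute job whose server also sends other traffic each minute prompts only once.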