AAA Authentication

Hi,

I have an ASA 5520 in my network. Users on the inside have to access the terminal server, which is located in the DMZ. When inside users access the terminal server, they have to be authenticated against the AAA local database.

5 REPLIES

Re: AAA Authentication

Hi,

I believe you can do the following:

username user password pass

access-list ACL_AAA permit tcp INSIDE_NETWORK mask host DMZ_SERVER eq 3389

aaa authentication match ACL_AAA inside LOCAL

In this way, when the INSIDE_NETWORK requests to the RD server on the DMZ arrives to the inside interface of the ASA, there's an ACL that's going to match that traffic and also match the aaa authentication for the local database on the ASA.

On the ASA, the command "sh uauth" shows if the users are getting authenticated or not.

Federico.


Re: AAA Authentication

Thanks a lot Federico,

I have one more request,

I have four inside interfaces and one DMZ interface. For each inside interface, users have to access the Terminal Server, authenticated by AAA using a different username and password.

thanks once again

S.Rajkumar

Re: AAA Authentication

You can try the following:

Create a local database of users:

username user1 password pass1
username user2 password pass2
username user3 password pass3
username userx password passx

Create an object-group that groups the four inside networks and apply the object-group to the ACL:

access-list ACL_AAA permit tcp object-group INSIDE_NETWORKS host DMZ_SERVER eq 3389

Specify the ACL on the AAA rule:
aaa authentication match ACL_AAA inside LOCAL

Federico.


Re: AAA Authentication

Thanks Federico


Re: AAA Authentication

Hi,

When I try to configure the commands below,

Create a local database of users:

username user1 password pass1
username user2 password pass2
username user3 password pass3
username userx password passx

Create an object-group that groups the four inside networks and apply the object-group to the ACL:

access-list ACL_AAA permit tcp object-group INSIDE_NETWORKS host DMZ_SERVER eq 3389

Specify the ACL on the AAA rule:

aaa authentication match ACL_AAA inside LOCAL

I am facing the error which I described below,

ASA does not support interactive authentication for the rules that are applied to traffic other than FTP, HTTP, HTTPS, Telnet and SSH.
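As an added example (not posted by Federico or the original poster), here is the complete cut-through proxy configuration the thread describes: the object-group the replies mention but never define, the ACL without the stray "mask" after the object-group, and the AAA rule, with placeholder subnets and addresses. Because the error above says RDP on 3389 cannot carry the ASA's login prompt, the example also adds a virtual telnet address the user authenticates to first; that part is an assumption about the fix, not something the thread confirms.

```cisco
! Added example, not from the thread. All addresses are placeholders.
! Local users (one per inside segment, as the thread suggests)
username user1 password pass1
username user2 password pass2
username user3 password pass3
username user4 password pass4
!
! Group the four inside networks (placeholder subnets)
object-group network INSIDE_NETWORKS
 network-object 10.1.0.0 255.255.255.0
 network-object 10.2.0.0 255.255.255.0
 network-object 10.3.0.0 255.255.255.0
 network-object 10.4.0.0 255.255.255.0
!
! Traffic that must be authenticated before it is allowed through.
! No "mask" after an object-group: the group already carries the masks.
access-list ACL_AAA extended permit tcp object-group INSIDE_NETWORKS host 192.0.2.10 eq 3389
!
! RDP cannot carry the ASA's login prompt (see the error in the last post),
! so the same ACL also matches telnet to a virtual address (assumed, must be
! an unused address routed to the ASA) that the user logs in to first.
access-list ACL_AAA extended permit tcp object-group INSIDE_NETWORKS host 192.0.2.250 eq 23
virtual telnet 192.0.2.250
!
! Cut-through proxy against the local database on the inside interface
aaa authentication match ACL_AAA inside LOCAL
! The authenticated entry covers the RDP session until this timer expires
timeout uauth 0:30:00 absolute
!
! Verify with: show uauth   (lists authenticated users and source addresses)
```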
