Configuring per-user access with Cisco ASA

Please note that the procedure below requires ASA v 8. or above. Per-user access forces users to log in to the firewall before they are allowed access to any resources. This has several benefits, including:

  1. Better user accountability
  2. Being able to define access on a user basis, rather than an IP basis (with some caveats)
  3. Implementing a very basic “captive portal” for both wired and wireless networks

Using Cisco’s ASDM for the ASA, here is a procedure to enable per-user access:

1. Add users and passwords. In this case, local users will be configured, so this is done via:

Configuration > Device Management > Users/AAA > User Accounts

2. Add AAA rules from “Configuration > Firewall > AAA Rules”:
a. Do not authenticate domain (DNS) traffic. This allows clients to perform DNS lookups. Then, when a client attempts to connect to a web page, the Cisco ASA should redirect it to an authentication page where the user enters a username and password. The ASA only authenticates certain types of interactive traffic, such as HTTP, so DNS must be allowed in order for clients to make that initial HTTP request.
b. Authenticate IP traffic from the source of interest.

3. Add a login web page for each interface, for example http://192.168.12.100:8081/netaccess/loginuser.html, via the CLI:

aaa authentication listener http interface_name port 8081 redirect

4. Add interface access rules:
a. Leave an any-to-any “permit” rule at the bottom (needed for initial authorization). Without this permit rule, the traffic will be blocked by the interface ACL and will never be “passed on” to the AAA module for authentication. Since any traffic (apart from DNS in our example) must be authenticated, users will still need to provide credentials even with the permit rule in place. Once a user is authenticated, the ASA knows the identity of the user.
b. Add user-based rules before this permit-any rule, as shown in the screenshot below.


Notes

  • exempt MAC addresses:

aaa mac-exempt

  • clear saved session / force reauthentication:

clear uauth [username]
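
As an added example (not from the original page or from Cisco), the Python script below checks a saved running-config against steps 2 to 4 above: DNS is exempted ahead of the authenticate rule, the interface has a redirecting listener, and the interface ACL ends in a permit. The sample config is constructed, and the ACL names AUTH_INSIDE and INSIDE_IN, the interface name inside, and the 192.168.12.0 255.255.255.0 source are assumptions.

```python
import re

# Constructed sample config (not from the original page). The ACL names
# AUTH_INSIDE / INSIDE_IN and the interface name "inside" are assumptions.
SAMPLE = """\
access-list AUTH_INSIDE extended deny udp any any eq domain
access-list AUTH_INSIDE extended permit ip 192.168.12.0 255.255.255.0 any
aaa authentication match AUTH_INSIDE inside LOCAL
aaa authentication listener http inside port 8081 redirect
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
"""

def audit(config):
    """Return findings for every interface that has an 'aaa authentication match' rule."""
    acls = {}  # ACL name -> ACEs in configured order
    for name, ace in re.findall(r"^access-list (\S+) extended (.+?)\s*$", config, re.M):
        acls.setdefault(name, []).append(ace)
    bound = {ifc: acl for acl, ifc in
             re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M)}
    findings = []
    for acl, ifc in re.findall(r"^aaa authentication match (\S+) (\S+)", config, re.M):
        aces = acls.get(acl, [])
        # In an AAA match ACL, "permit" means authenticate and "deny" means exempt.
        auth = [i for i, a in enumerate(aces) if a.startswith("permit ")]
        dns = [i for i, a in enumerate(aces)
               if re.match(r"deny udp .*\beq (domain|53)$", a)]
        if not auth:
            findings.append(f"{ifc}: {acl} authenticates nothing")
        elif not dns or dns[0] > auth[0]:
            findings.append(f"{ifc}: DNS is not exempted before the authenticate rule")
        # Step 3: clients need a redirecting listener to reach the login page.
        listener = rf"^aaa authentication listener https? {re.escape(ifc)}\b.*\bredirect\s*$"
        if not re.search(listener, config, re.M):
            findings.append(f"{ifc}: no listener with 'redirect'")
        # Step 4: the interface ACL must let traffic through to the AAA module.
        iface_aces = acls.get(bound.get(ifc), [])
        if iface_aces and iface_aces[-1] != "permit ip any any":
            findings.append(f"{ifc}: interface ACL does not end in 'permit ip any any'")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "no findings")
```

The check only understands the literal forms used in the sample; object groups and TCP-based DNS exemptions would need additional patterns.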