Configuring per-user access with a Cisco ASA

Please note that the steps below require ASA version 8 or above. Per-user access (Cisco calls the feature "cut-through proxy") forces users to log in to the firewall before they are allowed to reach any resources. This has several benefits, including:

  1. Better user accountability
  2. Being able to define access per user rather than per IP address (with some caveats: the ASA maps the authenticated user to the client IP address, so anyone else using that address inherits the access until the session times out or is cleared)
  3. Implementing a very basic "captive portal" for both wired and wireless networks

Using Cisco's ASDM, here is a procedure to enable per-user access:

1. Add users and passwords. In this case, local users will be configured, so this is done via:

Configuration > Device Management > Users/AAA > User Accounts

2. Add AAA rules under "Configuration > Firewall > AAA Rules":
a. Do not authenticate DNS traffic. This lets clients perform DNS lookups; then, when a client attempts to open a web page, the ASA redirects it to an authentication page where the user enters a username and password. The ASA can only prompt for credentials on certain interactive protocols (HTTP, HTTPS, Telnet and FTP), so DNS must be exempted or the client can never resolve the name needed to make that initial HTTP request.
b. Authenticate all other IP traffic from the source network of interest.


3. Add the web login page (the AAA listener) on each interface where users must authenticate, for example via the CLI:

aaa authentication listener http interface_name port 8081 redirect

The "redirect" keyword makes the ASA send the client to its own login form on the interface address and port given. Note that the http listener sends the credentials in clear text on the LAN; where possible use the https listener variant of the same command instead (clients will see a certificate warning unless the interface certificate is trusted).

4. Add interface access rules:
a. Leave an any-to-any "permit" rule at the bottom (needed for the initial authentication). The interface ACL is evaluated before the AAA rules, so without this permit rule the traffic would be dropped by the ACL and never be passed on to the AAA module for authentication. Since all traffic except DNS (in our example) must be authenticated, users still have to provide credentials even with the permit rule in place; once they have, the ASA knows the identity behind the source address.
b. Add the user-based rules above this permit-any rule, as shown in the screenshot below.
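The whole procedure as one CLI configuration, added here as an example rather than taken from the post or from Cisco documentation. It assumes an inside interface named "inside", a client LAN of 192.168.1.0/24, a server LAN of 10.0.0.0/24, placeholder users alice and bob, ACL names AUTH_INSIDE and INSIDE_IN, and an ASA release with the identity firewall feature (8.4(2) or later), which is what allows "user LOCAL\name" in an access-list entry. It swaps the post's http listener for the https one.

```cisco
! --- Step 1: local user accounts (placeholder names and passwords) ---
username alice password Alice-Pass-1 privilege 0
username bob password Bob-Pass-1 privilege 0

! --- Step 2: which traffic must be authenticated ---
! In an AAA match ACL "deny" means "do not authenticate" and "permit"
! means "authenticate". DNS (UDP and TCP) is exempted so that clients
! can resolve names before the HTTP request that triggers the redirect.
access-list AUTH_INSIDE extended deny udp 192.168.1.0 255.255.255.0 any eq domain
access-list AUTH_INSIDE extended deny tcp 192.168.1.0 255.255.255.0 any eq domain
access-list AUTH_INSIDE extended permit ip 192.168.1.0 255.255.255.0 any
aaa authentication match AUTH_INSIDE inside LOCAL

! --- Step 3: login page on the inside interface ---
! https keeps the credentials off the wire; the post's "listener http"
! form works the same way but sends them in clear text.
aaa authentication listener https inside port 8082 redirect
! Bound how long an authenticated address keeps its user binding
! (default is 5 minutes absolute).
timeout uauth 0:30:00 absolute

! --- Step 4: interface ACL ---
! User-based entries first; the final permit lets unauthenticated
! traffic reach the AAA stage so the redirect can happen at all.
! Here bob is kept off the server LAN, everyone else is allowed.
access-list INSIDE_IN extended deny ip user LOCAL\bob any 10.0.0.0 255.255.255.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside

! --- Checks after a user has logged in ---
! show uauth                 : authenticated users and the IP each is bound to
! show access-list INSIDE_IN : hit counts on the user-based entries
```

The deny-before-permit ordering in AUTH_INSIDE matters: the first matching entry decides whether the packet is authenticated, so the DNS exemptions must precede the catch-all permit. The same first-match rule applies to INSIDE_IN, which is why the user-based entry sits above the permit any any.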


To exempt devices that cannot log in (printers, phones) by MAC address, define a MAC list and reference it from the AAA exemption (the list below uses a placeholder address):

mac-list printers permit 0011.2233.4455 ffff.ffff.ffff
aaa mac-exempt match printers

To clear a saved session and force reauthentication (omit the username to clear every session):

clear uauth [username]
