Authentication of Services
The Cisco Security Appliance is designed to authenticate users via FTP, HTTP, HTTPS, and
Telnet. Many other services that pass through the Security Appliance require authentication.
To fulfill this requirement, the Security Appliance supports virtual services. With a virtual
service, the Security Appliance itself stands in for a server that does not exist, so that it
can authenticate users who want to connect to services other than FTP, HTTP, HTTPS, and
Telnet. After a user has been authenticated, that user can access whichever authorized
services they request.
For example, suppose your company uses Microsoft NetMeeting to communicate among its
many different branch offices. NetMeeting runs on the H.323 protocol, which uses a number
of different ports. To allow this access, users must authenticate via FTP, HTTP, or Telnet. If
you do not have a server available to accept the FTP, HTTP, or Telnet connections, you can
configure the Security Appliance to accept the connections via a virtual service.
Virtual Telnet
Virtual Telnet enables the user to authenticate using Telnet and use a service that does not
support authentication. The Security Appliance accepts the user’s connection and challenges
the user for a username and password. The username and password are verified by the
TACACS+ or RADIUS server. If the user successfully authenticates, the connection to the
user’s requested service is completed. An additional server is not required to accept the
connection, because the Security Appliance creates a virtual server to handle the authentication
requests. Virtual Telnet sessions can be inbound or outbound on the Security Appliance.
To configure virtual Telnet on the Security Appliance, you must first create the virtual server
on a segment that can be reached via the Security Appliance. Normally, this is an address on
the firewall’s outside interface. In Figure 18-4, the virtual IP address is 192.168.1.4. This
public IP address can be accessed from both inside networks and public networks (such as
the Internet). The syntax of the virtual telnet command is as follows:
virtual telnet ip-address
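
The following configuration sketch is an added example, not taken from the original text. It shows the virtual Telnet address 192.168.1.4 combined with an AAA rule for inside users who need an H.323 service. The server tag AUTHSRV, the access list name VT-AUTH, the AAA server address 10.10.10.7, the interface names, and the 7.x-style syntax are assumptions; the shared secret is a placeholder.

```text
! Added example: outbound virtual Telnet for inside users (assumed 7.x-style syntax)

! TACACS+ server that verifies the username and password
! (tag, interface, and address are assumed values)
aaa-server AUTHSRV protocol tacacs+
aaa-server AUTHSRV (inside) host 10.10.10.7
 key <shared-secret>

! Traffic that must be authenticated:
!  - H.323 call setup, which has no login prompt of its own
!  - Telnet to the virtual address, where the user actually logs in
access-list VT-AUTH extended permit tcp any any eq h323
access-list VT-AUTH extended permit tcp any host 192.168.1.4 eq telnet

! Apply the authentication rule to connections arriving on the inside interface
aaa authentication match VT-AUTH inside AUTHSRV

! Virtual server that answers the Telnet connection and prompts for credentials
virtual telnet 192.168.1.4
```

A user first opens a Telnet session to 192.168.1.4 and logs in; after that the H.323 connection is allowed through, and show uauth lists the cached authentication. Telnet carries the username and password unencrypted between the user and the Security Appliance.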