• 基于每个用户组进行访问控制

  • 基于每用户的MPF配置功能从8.4.2后才支持

模拟实验

  • inside 开启HTTP,创建本地认证帐号和密码cisco,用于登陆HTTP测试

  • ASA放行Inbound HTTP流量

  • 配置穿越用户认证

  • 属于Guest组的用户,无法通过HTTP执行config_terminal,进入全局工作模式

  • 属于Normal组的用户,无法通过HTTP执行username来新建用户,无法no掉任何命令

  • 属于Engineer组的用户,开发所有权限并记录日志

  1. ip http server
  2. ip http authentication local
  3. username cisco privilege 15 password cisco
  1. access-list out permit tcp any host 7.7.1.1 eq 80
  2. access-group out in in outside
  1. username guest password cisco
  2. username normal password cisco
  3. username engineer password cisco
  5. aaa authentication match out outside LOCAL
  7. object-group user Guest
  8.     user LOCAL\guest
  9. object-group user normal 
  10.     user LOCAL\normal 
  11. object-group user engineer 
  12.     user LOCAL\engineer 
  14. access-list guest extended permit tcp object-group-user Guest any any eq www
  15. access-list normal extended permit tcp object-group-user normal any any eq www
  16. access-list engineer extended permit tcp object-group-user engineer any any eq www
  18. class-map Guest-class
  19.     match access-list guest
  20. class-map normal-class
  21.     match access-list normal 
  22. class-map engineer-class
  23.     match access-list engineer
  25. regex configure configure
  26. regex username username
  27. regex no no
  29. policy-map type inspect http guest-policy
  30.     match request uri regex configure
  31.     reset log
  32. policy-map type inspect http normal-policy
  33.     match request uri regex username
  34.     reset log
  35.     match request uri regex no 
  36.     reset log 
  38. class Guest-class
  39.     inspect http guest-policy
  40. class normal-class
  41.     inspect http normal-policy
  42. class Guest-class
  43.     inspect http