This document was contributed by a WiKID user. The configuration below permits ssh to the shell server only after the user has authenticated through the firewall's https front-end, and only for a limited time afterwards. While this example uses tacacs+, it should also work with radius.
! Step 1: configure wikid
! Step 1a: configure tacacs+ on wikid server
! Step 2: configure Cisco FWSM to use the tacacs+ service provided by wikid
! see also
! http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/fwaaa_f.html
!
! Template config for using WiKID 2-factor auth to allow ssh access
! This only covers wikid and ssh, not any other FW configs
! 'outside' is the outside FW interface, and 'dmz' is the protected interface
! I used 'names' for readability
! I use RFC1918 addresses in this example, but assume no NAT
!
! I have this running in production on two FWSMs with a more complicated config
! I have not tested the exact config below; if you see any errors, please let me know
!
names
! the wikid server
name 192.168.1.10 wikid-server
! the ssh server
name 192.168.1.11 shell-server
!
! define service ports and servers
object-group service ssh tcp
 description ssh
 port-object eq ssh
object-group network ssh-servers
 description ssh servers
 network-object host shell-server
object-group service http-only tcp
 description http
 port-object eq www
object-group service https-only tcp
 description https
 port-object eq https
object-group network wikid-servers
 description wikid servers
 network-object host wikid-server
! allow wikid clients to access the wikid server
access-list outside-acl extended permit tcp any object-group wikid-servers object-group http-only
! allow access to https for auth
access-list outside-acl extended permit tcp any object-group ssh-servers object-group https-only
! allow ssh, but also needs AAA below
access-list outside-acl extended permit tcp any object-group ssh-servers object-group ssh
access-group outside-acl in interface outside
! 5 minute timeout to cache wikid response
! once you auth via https://shell-server you have 5 minutes to log into the ssh server
! after that you need a new token
timeout uauth 0:05:00 absolute
!
aaa-server 2factor protocol tacacs+
aaa-server 2factor (dmz) host wikid-server
! key must match wikid server key
 key SuperSecret
! allow ssh only after auth with https://shell-server
aaa authentication include ssh outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
! you should NOT be running a webserver with ssl support on the shell-server
! the FWSM generates an ssl cert for its part in the auth process that
! will conflict with the one on the shell server
aaa authentication include https outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
! optional as it allows the wikid token to pass in cleartext
! also needs a matching acl above (left as an exercise to the reader)
! aaa authentication include ftp outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
! aaa authentication include http outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
! as an example of how to allow some hosts to bypass the token auth
! aaa authentication exclude ssh outside shell-server 255.255.255.255 my.home.ip 255.255.255.255 2factor
!
! For the Cisco ASA I think you will need this also
! aaa authentication listener http outside port 1080 redirect
! aaa authentication listener https outside port 1443 redirect
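As an added check, not part of the contributed config: the remark that the ftp line "also needs a matching acl above" applies to every `aaa authentication include` line, since AAA only gates traffic the ACL already permits. This Python script parses the object-groups, the `outside-acl` entries and the AAA lines and reports any authenticated service that has no permit entry for its host; the config excerpt is constructed from the page, with the ftp line enabled so the check has something to flag.

```python
import re

# Constructed excerpt of the FWSM config above (comments dropped); the ftp line
# is enabled here, unlike on the page, so the check has something to flag.
CONFIG = """
name 192.168.1.10 wikid-server
name 192.168.1.11 shell-server
object-group service ssh tcp
 port-object eq ssh
object-group network ssh-servers
 network-object host shell-server
object-group service https-only tcp
 port-object eq https
access-list outside-acl extended permit tcp any object-group ssh-servers object-group https-only
access-list outside-acl extended permit tcp any object-group ssh-servers object-group ssh
aaa authentication include ssh outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
aaa authentication include https outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
aaa authentication include ftp outside shell-server 255.255.255.255 0.0.0.0 0.0.0.0 2factor
"""

# AAA service names vs. the port keywords an ACL port-object may use for them.
ALIASES = {"http": {"www", "http"}, "https": {"https"}, "ssh": {"ssh"}, "ftp": {"ftp"}}

def parse(config):
    groups, acl, aaa, current = {}, [], [], None
    for line in config.splitlines():
        line = line.strip()  # '!' comment lines match none of the patterns below
        if m := re.match(r"object-group (?:network|service) (\S+)", line):
            current = m.group(1)
            groups[current] = set()  # members: host names or port keywords
        elif m := re.match(r"(?:network-object host|port-object eq) (\S+)", line):
            groups[current].add(m.group(1))
        elif m := re.match(r"access-list \S+ extended permit tcp any object-group (\S+) object-group (\S+)", line):
            acl.append((m.group(1), m.group(2)))  # (destination group, service group)
        elif m := re.match(r"aaa authentication include (\S+) \S+ (\S+) ", line):
            aaa.append((m.group(1), m.group(2)))  # (service, protected host)
    return groups, acl, aaa

def missing_acl_entries(config):
    """Return (service, host) pairs that AAA authenticates but no ACL line permits."""
    groups, acl, aaa = parse(config)
    gaps = []
    for service, host in aaa:
        wanted = ALIASES.get(service, {service})
        if not any(host in groups.get(dst, set()) and groups.get(svc, set()) & wanted
                   for dst, svc in acl):
            gaps.append((service, host))
    return gaps
```

Running `missing_acl_entries(CONFIG)` on the excerpt returns `[('ftp', 'shell-server')]`, the exact gap the config's comment warns about; the same check can be run over a full `show running-config` dump.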