topic Re: Authentication for outbound Internet Traffic in Network Access Control

Authentication for outbound Internet Traffic

rmanapat — Mon, 11 Mar 2019 00:16:39 GMT

Hi, I have a site where everybody on the inside interface has to be authenticated by a RADIUS Server. I have that part working but the problem is I've got a lot of AAA entries for exclude. What I want to accomplish (if possible) is to use access-list and object-group so that if I have a new host I need to exclude, I can just add that into my object-group statement instead of adding another aaa exclude line. Please look at my configuration below and any suggestion would be appreciated.

aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 192.168.234.100 ********** timeout 5
max-failed-attempts 3

aaa authentication include tcp/0 inside 192.168.234.0 255.255.255.0 0 0 AuthInbound
aaa authentication include udp/0 inside 192.168.234.0 255.255.255.0 0 0 AuthInbound

aaa authentication exclude http inside 192.168.234.0 255.255.255.0 4.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 4.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude http inside 192.168.234.0 255.255.255.0 208.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 208.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude tcp/6260 inside 192.168.234.0 255.255.255.0 4.xxx.xxx.165 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 4.2.2.1 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 4.2.2.2 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 4.2.2.3 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 8.8.4.4 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 8.8.8.8 255.255.255.255 AuthInbound
aaa authentication exclude ftp inside 192.168.234.0 255.255.255.0 69.xxx.xxx.179 255.255.255.255 AuthInbound
aaa authentication exclude ftp inside 192.168.234.0 255.255.255.0 63.xxx.xxx.113 255.255.255.255 AuthInbound
aaa authentication exclude http inside 192.168.234.0 255.255.255.0 96.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude http inside 192.168.234.0 255.255.255.0 72.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 64.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 64.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude tcp/12975 inside 192.168.234.0 255.255.255.0 74.xxx.xxx.0 255.255.255.0 AuthInbound
aaa authentication exclude tcp/32976 inside 192.168.234.0 255.255.255.0 74.xxx.xxx.0 255.255.255.0 AuthInbound
and more ...

Thank you,

Russell

Re: Authentication for outbound Internet Traffic

Panos Kampanakis — Thu, 22 Jul 2010 22:42:59 GMT

Russel,

Look at command "aaa authentication match" on the ASA. You can use an ACL for traffic that will be matched for cut-through proxy.

I hope it helps.

Re: Authentication for outbound Internet Traffic

Ganesh Hariharan — Mon, 26 Jul 2010 07:40:16 GMT

aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 192.168.234.100 ********** timeout 5
max-failed-attempts 3

aaa authentication include tcp/0 inside 192.168.234.0 255.255.255.0 0 0 AuthInbound
aaa authentication include udp/0 inside 192.168.234.0 255.255.255.0 0 0 AuthInbound

Thank you,

Russell

Hi Russell,

Check out the below link for outbound authentication using auth proxy.

http://www.ciscosystems.com.pe/application/pdf/paws/13886/auth3.pdf

Hope to Help !!

Ganesh.H

Remember to rate the helpful post