cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


306
Views
0
Helpful
3
Replies
Beginner

5525 Authenticated User Access

We've just replaced our Fortinet Firewalls with 5525's but are struggling to get a feature working that worked great on the Fortinet firewall.

All our users use a proxy for internet access that's configured in IE but from time to time some users need to remove this proxy and go directly out to the internet, with the Fortinet devices we created a rule right at the bottom of the inside access out rule that had it authenticate users via TACACS which worked a treat and could be used from PC or laptop.

We want to do a similar thing on the 5525 and I thought the Authenticated user would give me this access but I don't seem to be able to get it to work. I've got the AD side of it working fine the ASA can pull user and groups from AD but I'm struggling to get this working for a user.

I've created a rule at the bottom of the inside access in ACL that has any source and any destination but has my AD user as a user in the rule but when I try and test it it doesn't work and when I have a look in monitoring it says no IP address associated with user.

I want to be able to pick and choose which users have this access.

How can I get this working the way I want it to?

Thanks

Jon

Everyone's tags (4)
3 REPLIES 3

5525 Authenticated User Access

Hello Jonh,

Are you trying to authenticate users to allow them to go to the internet??? If this is the case cut-trough proxy is what you are looking for!!

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml

Let me know if I understood your query,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted
Beginner

5525 Authenticated User Access

Julio

Thanks for the reply, I am trying to authenticate users to allow them to go to the internet but I don't want to have authentication for all users as the majority of them use a proxy for access and that how we want it. The authentication is for a few users who need access directly out of the firewall bypassing the proxy.

I've tried the cut-through proxy but that authenticated all users including the ones using the proxy, how can I restrict this to just authenticating a group of users based on either an AD username or  AD group?

Thanks

Jon

5525 Authenticated User Access

Hello Jonhil,

Read the following, It will answer your questions:

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/access_idfw.html#wp1324095

Go to the section:

Configuring Cut-through Proxy Authentication

Remember to rate all of the helpful posts ( If you do not know how to rate a post just let me know)

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC