
"Client Authentication" in ASA configuration

Christian Jorge
Level 1

Good Morning

 

I have to migrate a Checkpoint firewall configuration to a Cisco ASA 5585X device.

 

Checkpoint has many "accept", "drop", "encrypt" rules. But I could find some rules with action "Client Auth".

With Client Auth rules, when a user in a user group accesses a destination, a kind of portal is returned to the user's device asking the user for authentication. When the user is authenticated (by a Cisco ACS, for example), the user's device is allowed to access the destinations listed in the associated Checkpoint access rule.

How can I implement this in a similar way on the ASA firewall?

I really don't know if "aaa authentication, etc" could perform this.
I think I have to:
- configure user groups (or search for user groups in a TACACS/ACS server)
- have an access rule to a destination that conditions access on a kind of aaa user authentication

Thanks and best regards

Christian

1 Reply

Rahul Govindan
VIP Alumni

ASA has a feature called cut-through-proxy which sounds a lot like what Checkpoint calls client authentication. Two good guides on how to set this up are given here:

 

https://community.cisco.com/t5/security-documents/asa-cut-through-authentication-proxy-configuration-and-examples/ta-p/3118641

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113363-asa-cut-through-config-00.html
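
The following is an added example, not part of the original reply or of the linked guides: a minimal ASA cut-through proxy configuration that prompts users for credentials before they reach a protected destination. The server-group name, ACL name, interface name, and all addresses are constructed placeholders, and the shared secret is left as a placeholder. The ASA prompts directly only for HTTP, HTTPS, FTP, and Telnet connections, so the match ACL below is limited to web traffic.

```cisco
! Assumption: ACS is reachable at 192.0.2.10 from the inside interface (placeholder address)
aaa-server ACS_TACACS protocol tacacs+
aaa-server ACS_TACACS (inside) host 192.0.2.10
 key <shared-secret>
!
! Traffic that must be authenticated before it is allowed through.
! Source 10.1.1.0/24 and destination 198.51.100.20 are placeholders that stand in
! for the source and destination of the Checkpoint "Client Auth" rule.
access-list CLIENT_AUTH extended permit tcp 10.1.1.0 255.255.255.0 host 198.51.100.20 eq www
access-list CLIENT_AUTH extended permit tcp 10.1.1.0 255.255.255.0 host 198.51.100.20 eq https
!
! Require authentication against the ACS server group for traffic matching the ACL
aaa authentication match CLIENT_AUTH inside ACS_TACACS
!
! Redirect matching web sessions to the ASA's own login page instead of
! relying on browser basic-auth prompts
aaa authentication listener http inside port www redirect
aaa authentication listener https inside port https redirect
!
! Force re-authentication after a fixed period instead of caching the session indefinitely
timeout uauth 0:30:00 absolute
```

The interface access-list must still permit the same traffic, since `aaa authentication match` only adds the authentication step. Authenticated sessions can be checked with `show uauth`.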

 
