Yes, compound condition could give us more option to differentiate the admin login and cut-through authen.

Ok, thank you, it helps me in case of TACACS+ for cut through proxy, but now I'm more oriented on RADIUS for http authentication because RADIUS is more oriented to service.

Now I need to distinguish  between remote access vpn and http authenticiation.

thanks

rs

Please attach radius packet captures, one for http auth and one for vpn remote access and I will be able to tell you how to differentiate.. The same concept of tacacs+ that I said should apply here also.. Select radius IETF from the dictionary and chose the 'service-type' attribute.. The http auth and remote access should come with different values for service-type I would think and packet captures will help to find the difference

Hi, followibg the RADIUS and vpn ipsec client capture:

following the RADIUS and anyconnect client capture:

following the RADIUS and http cut-through proxy capture:

If I repeat the capture for the same type of authentication, NAS-Port has a diffent value but near the captured.

thank you in advance

greatings

rs

Hi, do you have updates about the radius analysis ?

thanks

rs

Did you listed all radius attributes which you captured?

If yes, I don't see any other way to differentiate between cut-through and VPN besides using NAS Port.

If all your cut-through clients are from your internal network and their IP is within certain network range, you might consider of using "Calling-Station-ID 31".

Hi, I'm sorry but the firewall could receive a vpn request from inside, so Calling-Station-ID is not useful.

I think we need the NAS-Port ranges used by ASA 8.2(x).

thank you

renato

Sorry, I don't know this Nas-port range.

One more look at your last capture, it looks like Cut-through did not include "Called-Station-ID" attribute. If it is ture, you might use it.

Yes, I confirm you there is no "Called-Station-ID" in cut-through, but why is so hard to find NAS-Port ranges ?

thanks

rs