05-20-2015 08:37 AM - edited 03-10-2019 10:44 PM
Hello,
My setup is Internet-----Juniper F/W--------Cisco ASA
I have configured cut through proxy on ASA 5525X version 9.x. So, when a user tries to access a web server from the internet, he gets a prompt to enter his username and password. It works fine; the issue that I have arises when a home user is coming from behind his router and he is using multiple devices.
For the first access user gets a prompt to enter username and password. Once he authenticates himself he lands on the web page. When another user tries to access the web site from the same location he does not get prompted to enter credentials and he can access the website immediately.
I guess that uauth is tied up with the source IP address only. Is there any way to change this behaviour?
Saurav
05-21-2015 02:32 PM
Yes, proxy authentication only uses the source address to allow the traffic once authenticated. This, I believe, can't be changed.
05-25-2015 11:06 PM
I guess this can't be changed. But imagine a scenario in which there are 100 people sitting behind a PATing device. If one authenticates to a site via 2FA like in my case, then all the remaining 99 are allowed to go through....
05-27-2015 07:47 AM
Yup, but this is where you would use something like a web proxy device like an Ironport or Firepower for ASA, not a regular ASA firewall. The cut-through-proxy feature is old, and hasn't had any enhancement for many years.
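The behaviour discussed in this thread, as a small model added here (it is not part of any post and is not ASA code): an authorization cache keyed only on source IP lets a second device behind the same PAT address through, while one keyed on a per-client session token does not. All class names, function names and addresses are constructed for illustration, and `SessionAuthCache` is an assumption about how an HTTP-aware proxy could tell clients apart, not a description of any specific product.

```python
"""Model of source-IP-keyed authentication behind a PAT device (illustrative only)."""
import secrets

PUBLIC_IP = "203.0.113.10"  # constructed: the address the home router PATs to


def pat_translate(inside_ip: str) -> str:
    """Every inside host leaves the home router with the same public source IP."""
    return PUBLIC_IP


class SourceIpAuthCache:
    """Authorization keyed on source IP only, as the thread describes for uauth."""

    def __init__(self):
        self.authenticated = set()

    def login(self, src_ip):
        self.authenticated.add(src_ip)

    def allowed(self, src_ip, token=None):
        return src_ip in self.authenticated


class SessionAuthCache:
    """Hypothetical alternative: authorization bound to a per-client session token."""

    def __init__(self):
        self.sessions = {}

    def login(self, src_ip):
        token = secrets.token_hex(16)
        self.sessions[token] = src_ip
        return token

    def allowed(self, src_ip, token=None):
        return token is not None and self.sessions.get(token) == src_ip


def second_device_allowed(cache) -> bool:
    """Device A authenticates; report whether device B, which never did, gets through."""
    laptop, tablet = "192.168.1.20", "192.168.1.21"  # constructed inside hosts
    cache.login(pat_translate(laptop))               # only the laptop user logs in
    return cache.allowed(pat_translate(tablet))      # tablet presents no token


if __name__ == "__main__":
    print("source-IP keyed:", second_device_allowed(SourceIpAuthCache()))
    print("session keyed:  ", second_device_allowed(SessionAuthCache()))
```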