5525 Authenticated User Access

jonhill
Level 1

We've just replaced our Fortinet firewalls with 5525s but are struggling to get a feature working that worked great on the Fortinet firewall.

All our users use a proxy for internet access that's configured in IE, but from time to time some users need to remove this proxy and go directly out to the internet. With the Fortinet devices we created a rule right at the bottom of the inside-access-out rule set that authenticated users via TACACS, which worked a treat and could be used from a PC or laptop.

We want to do a similar thing on the 5525 and I thought the Authenticated User feature would give me this access, but I don't seem to be able to get it to work. I've got the AD side of it working fine (the ASA can pull users and groups from AD), but I'm struggling to get this working for a user.

I've created a rule at the bottom of the inside access-in ACL that has any source and any destination but has my AD user as the user in the rule. When I try to test it, it doesn't work, and when I have a look in monitoring it says "no IP address associated with user".

I want to be able to pick and choose which users have this access.

How can I get this working the way I want it to?

Thanks

Jon

3 Replies

Julio Carvajal
VIP Alumni

Hello Jon,

Are you trying to authenticate users to allow them to go to the internet??? If this is the case, cut-through proxy is what you are looking for!!

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml

Let me know if I understood your query,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio

Thanks for the reply. I am trying to authenticate users to allow them to go to the internet, but I don't want to have authentication for all users, as the majority of them use a proxy for access and that's how we want it. The authentication is for a few users who need access directly out of the firewall, bypassing the proxy.

I've tried the cut-through proxy, but that authenticated all users, including the ones using the proxy. How can I restrict this to just authenticating a group of users based on either an AD username or AD group?

Thanks

Jon

Hello Jon,

Read the following; it will answer your questions:

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/access_idfw.html#wp1324095

Go to the section:

Configuring Cut-through Proxy Authentication

Remember to rate all of the helpful posts ( If you do not know how to rate a post just let me know)

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
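As an added illustration (not from this thread and not Cisco's documentation), one way to combine the two pieces discussed above: an identity-firewall ACL that permits the direct path only for a named AD group, plus a cut-through proxy trigger ACL that exempts proxy-bound traffic so ordinary proxy users are never challenged. The domain nickname CORP, the LDAP server 10.0.0.5, the proxy 10.0.0.20:8080, the group name Direct-Internet and the ACL names are all assumptions.

```text
! Added example config sketch; all names and addresses below are assumed.
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.0.0.5
 ldap-base-dn dc=corp,dc=example,dc=com
 ldap-login-dn cn=asa-ldap,cn=Users,dc=corp,dc=example,dc=com
 ldap-login-password <placeholder>
 server-type microsoft
!
user-identity domain CORP aaa-server AD
user-identity default-domain CORP
user-identity enable
!
! Cut-through proxy trigger: a deny ACE in the match ACL exempts that traffic
! from authentication, so sessions to the proxy are never challenged; only
! direct web traffic hits the authentication prompt.
access-list AUTH-DIRECT extended deny tcp any host 10.0.0.20 eq 8080
access-list AUTH-DIRECT extended permit tcp any any eq www
access-list AUTH-DIRECT extended permit tcp any any eq https
aaa authentication match AUTH-DIRECT inside AD
aaa authentication listener http inside port www redirect
!
! Inside ACL: everyone may reach the proxy; only members of the AD group
! may go directly out, after they have authenticated.
access-list INSIDE-IN extended permit tcp any host 10.0.0.20 eq 8080
access-list INSIDE-IN extended permit ip user-group CORP\\Direct-Internet any any
access-list INSIDE-IN extended deny ip any any
access-group INSIDE-IN in interface inside
```

Swap the user-group ACE for `user CORP\jon` to permit a single account instead of a group.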