Cut Through Proxy ACL by AD Group

peter.alliett1
Level 1

Is it possible to create an ACL in AAA Rules for an Active Directory group? I can't get it to work.

What I am trying to do is prompt for authentication when a user tries to access HTTP.

I've linked the ASA5505 to Active Directory with the AD Agent software and can get users and groups fine.

My first test, which works, is the following ACL, which prompts for authentication, but any AD account works:

access-list LAN_authentication extended permit tcp any4 any4 eq www

I then populated the User field with the AD group, which produces the following ACL, but nothing hits it:

access-list LAN_authentication extended permit tcp user-group DOMAIN\\Allow-Internet any4 any4 eq http

I'm wondering if I am missing something or it's just not possible.


Rishabh Seth
Level 7

Hi Peter,

Ensure you have the aaa authentication configuration for cut-through proxy as well:

aaa authentication match <acl-name> <interface_name> <database-to-use-for-auth>

Hope it helps.

Thanks,

R.Seth

Yes, I have that; it works as long as the user field is empty.

You can authenticate with an Active Directory user and password and it works, but I need it to work on an Active Directory group, and then it just fails to match anything.

This works and matches all AD accounts:

access-list LAN_authentication extended permit tcp any4 any4 eq www

aaa authentication match LAN_authentication LAN AD

This does not work and matches nothing when you check the access-list hits:

access-list LAN_authentication extended permit tcp user-group DOMAIN\\Allow-Internet any4 any4 eq http

aaa authentication match LAN_authentication LAN AD