Virtual HTTP and AD integration for single sign on
01-21-2011 08:04 AM - edited 03-11-2019 12:38 PM
Is it possible to provide a single sign on service for virtual HTTP on an FWSM, where I have ACS 4.2 and win2k8 domain?
The application is to allow a client full access to the secure network (inside) behind the FWSM where the client is on a wireless network on the outside (untrusted) side of the FWSM. The wireless network is not a public network, but is not considered a trusted network. And the client wants access to all applications on different subnets on the inside, which means a big hole in the FWSM.
My first recommendation is for a VPN, but no money for a VPN termination device is available.
So, next thought was to provide Virtual HTTP to authenticate the user, then they can get access from outside to inside on the FWSM.
Once on the network they would need to log in to their domain, which would be a second login process. Is it possible to do both authentication steps in one go? Ideally I'd like the user to be able to use their AD credentials to allow authentication for both Virtual HTTP and AD login in one go.
I don't know enough about the ACS/AD integration to answer this question, but so far I think it's not possible. Or could I do this another way?
Labels: NGFW Firewalls

01-21-2011 10:00 AM
Well, I can tell that the FWSM will not hand over info to AD, so I guess it means there will be no real SSO.
Regarding cut-through proxy, you can do it on HTTP, HTTPS, FTP or Telnet.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwaaa_f.html
On the ASA you have LDAP support, which can fish out users from AD, but it does not seem to be the case for the FWSM:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/aaa_f.html#wp1059666
So the bottom line is that you can authenticate users when crossing over the FWSM, but with a lot of restrictions.
I believe basically you can use RADIUS or TACACS+.
Hope this helps,
Marcin
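An added configuration example, not taken from Marcin's reply or from Cisco documentation, showing the cut-through proxy setup his reply describes: wireless clients on the outside authenticate against ACS over RADIUS (ACS checking the AD user database) before the FWSM opens the inside subnets to them. The FWSM 4.1 command syntax is assumed, and all interface names, addresses, ACL names and the shared secret are placeholders.

```cisco
! Assumed FWSM 4.1 syntax. Addresses, names and the secret are placeholders.
!
! RADIUS server group pointing at ACS 4.2; ACS is configured separately to
! validate these users against the Windows AD external database.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
!
! Interface ACL: only the wireless subnet, only toward the inside application
! subnets. Keep this as narrow as the requirement allows; authentication does
! not shrink the hole, it only gates who may use it.
access-list OUTSIDE-IN extended permit tcp 198.51.100.0 255.255.255.0 10.1.0.0 255.255.0.0
access-group OUTSIDE-IN in interface outside
!
! Authentication ACL: the same flows, plus HTTP to the virtual HTTP address
! so the user can authenticate up front (assumption: the virtual address
! must itself be matched by the authentication ACL).
access-list WIFI-AUTH extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.5 eq www
access-list WIFI-AUTH extended permit tcp 198.51.100.0 255.255.255.0 10.1.0.0 255.255.0.0
aaa authentication match WIFI-AUTH outside ACS
!
! Virtual HTTP: browsing to this outside address yields the FWSM's own login
! prompt. After a successful RADIUS reply the uauth entry for that source IP
! lets the matching traffic through until the absolute timeout expires.
virtual http 203.0.113.5
timeout uauth 0:30:00 absolute
!
! This proves the user's AD password to ACS, but the FWSM never hands the
! session to the domain, so the Windows domain logon still happens separately.
```

Because cut-through proxy only intercepts HTTP, HTTPS, FTP and Telnet, the first connection from an unauthenticated host using any other protocol is simply dropped, which is why the virtual HTTP address is the intended first stop for the user.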
