Authentication proxy is a feature of the ASA platform that lets a network administrator require users to authenticate to the ASA before they are allowed access through the device. The ASA can authenticate these users against RADIUS, TACACS+ or its local user database.
Authentication proxy is used to control access through the ASA in a more granular, per-user fashion.
Authentication Proxy Configuration
The following configuration lines will set up authentication proxy for HTTP connections:
Using the above command, the authentication page will now look like:
Authentication Proxy Troubleshooting Commands
To check the current uauth database, use the show uauth command.
hostname# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          2
user 'cisco' at 10.1.1.2, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
Additionally, the test aaa-server authentication command tests a username and password against the configured AAA server without involving a client; the output below shows a rejected attempt.
hostname# test aaa-server authentication RADIUS username cisco password cisco
Server IP Address or name: 10.1.1.1
INFO: Attempting Authentication test to IP address <10.1.1.1> (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure
Integration with ACS
The ASA and a RADIUS server can work together, using downloadable ACLs and authentication proxy, to create per-user customizable access profiles. On the ASA, the following configuration is required:
where the ASA prompts the user for authentication. Once the user enters a username and password, the ASA forwards them to the RADIUS server. The RADIUS server is configured to return a downloadable ACL reference in the RADIUS Vendor-Specific attribute (attribute 26). The ASA downloads this ACL and installs it in its database specifically for this user.
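To make the attribute-26 part of that exchange concrete, here is an added example (not code from the article or from Cisco) that encodes and decodes a RADIUS Vendor-Specific attribute carrying a cisco-av-pair, the container in which a Cisco AAA server hands the ASA the name of the ACL to download. The wire layout (type 26, length, 4-byte vendor id, then vendor-type/vendor-length/value) follows RFC 2865; the Cisco vendor id 9 and cisco-av-pair sub-type 1 are standard values. The av-pair key `ACS:CiscoSecure-Defined-ACL` and the sample Access-Accept bytes are assumptions constructed for the example; the ACL name reused here is the one shown in the article's output.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type "Vendor-Specific" (RFC 2865 section 5.26)
CLASS = 25             # RADIUS attribute type "Class": opaque data, not where the ACL lives
CISCO_VENDOR_ID = 9    # IANA private enterprise number for Cisco
CISCO_AV_PAIR = 1      # vendor-type of cisco-av-pair inside the Cisco VSA
# ASSUMPTION for this example: the av-pair key under which the server names the downloadable ACL
DACL_KEY = "ACS:CiscoSecure-Defined-ACL"


def build_attribute(attr_type, value):
    """Encode a plain RADIUS attribute: type(1) length(1) value."""
    if len(value) > 253:  # attribute length field is one byte, max 255 including the 2-byte header
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_cisco_avpair(avpair):
    """Encode one cisco-av-pair string as a complete Vendor-Specific attribute."""
    value = avpair.encode("ascii")
    if len(value) > 247:  # 255 - 2 (type,len) - 4 (vendor id) - 2 (vendor type,len)
        raise ValueError("av-pair too long for a single VSA")
    inner = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(blob):
    """Yield (type, value) for each TLV in a RADIUS attribute list, refusing malformed lengths."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("attribute length out of range")
        yield attr_type, blob[i + 2:i + length]
        i += length


def cisco_avpairs(blob):
    """Return every cisco-av-pair carried in Cisco (vendor 9) VSAs; other attributes are ignored."""
    pairs = []
    for attr_type, v in iter_attributes(blob):
        if attr_type != VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j < len(v):
            if j + 2 > len(v):
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = v[j], v[j + 1]
            if vlen < 2 or j + vlen > len(v):
                raise ValueError("vendor sub-attribute length out of range")
            if vtype == CISCO_AV_PAIR:
                pairs.append(v[j + 2:j + vlen].decode("ascii", errors="replace"))
            j += vlen
    return pairs


def downloadable_acl_name(blob):
    """Return the ACL name the server asked the ASA to download, or None if no such av-pair was sent."""
    for pair in cisco_avpairs(blob):
        key, sep, val = pair.partition("=")
        if sep and key == DACL_KEY:
            return val
    return None


# Constructed Access-Accept attribute list: the ACL-name av-pair (attribute 26) plus a Class
# attribute (25) a server might also send; only the VSA carries the ACL reference.
SAMPLE_ACCEPT = (
    build_cisco_avpair(DACL_KEY + "=#ACSACL#-IP-cisco-4d30a35b")
    + build_attribute(CLASS, b"CACS:example-session-id")
)

if __name__ == "__main__":
    print("cisco-av-pairs:", cisco_avpairs(SAMPLE_ACCEPT))
    print("downloadable ACL:", downloadable_acl_name(SAMPLE_ACCEPT))
```

The decoder checks every length field against the buffer before slicing, which is the part worth copying: an attribute list from an untrusted network is exactly where a sloppy TLV walker reads past the end of the packet.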
The outputs from a successful authentication are included below:
hostname(config)# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          2
user 'cisco' at 10.1.1.2, authenticated
   access-list #ACSACL#-IP-cisco-4d30a35b (*)
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
The associated ACL lines, from show access-list, are included below:
access-list #ACSACL#-IP-cisco-4d30a35b; 3 elements; name hash: 0x34134156 (dynamic)
access-list #ACSACL#-IP-cisco-4d30a35b line 1 extended permit tcp any any eq www (hitcnt=1) 0x3f7a6230
access-list #ACSACL#-IP-cisco-4d30a35b line 2 extended permit tcp any any eq netbios-ssn (hitcnt=0) 0xbdefa208
access-list #ACSACL#-IP-cisco-4d30a35b line 3 extended permit icmp any any (hitcnt=0) 0x25be1e4f
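The two outputs above are what a troubleshooter has to correlate by hand: the uauth entry names a dynamic ACL, and show access-list says what that ACL actually permits. The following added example (not code from the article or from Cisco) parses both outputs and compares each authenticated user's downloaded ACL against the access the site intended to grant, so a mismatch between what the AAA server pushed and what policy says is reported instead of discovered later. The sample text is constructed from the transcripts shown in this article rather than captured from a live device, and the ACE regex covers the "any any [eq port]" form those transcripts use.

```python
import re

# Constructed sample outputs, copied from the show uauth / show access-list transcripts
# in this article (not captured from a live device here).
SHOW_UAUTH = """\
hostname(config)# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          2
user 'cisco' at 10.1.1.2, authenticated
   access-list #ACSACL#-IP-cisco-4d30a35b (*)
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
"""

SHOW_ACCESS_LIST = """\
access-list #ACSACL#-IP-cisco-4d30a35b; 3 elements; name hash: 0x34134156 (dynamic)
access-list #ACSACL#-IP-cisco-4d30a35b line 1 extended permit tcp any any eq www (hitcnt=1) 0x3f7a6230
access-list #ACSACL#-IP-cisco-4d30a35b line 2 extended permit tcp any any eq netbios-ssn (hitcnt=0) 0xbdefa208
access-list #ACSACL#-IP-cisco-4d30a35b line 3 extended permit icmp any any (hitcnt=0) 0x25be1e4f
"""

USER_RE = re.compile(r"^user '(?P<user>[^']+)' at (?P<ip>[\d.]+), (?P<state>\w+)")
UAUTH_ACL_RE = re.compile(r"^\s+access-list (?P<acl>\S+)")
TIMEOUT_RE = re.compile(r"^\s+(?P<kind>absolute|inactivity)\s+timeout: (?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d)")
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<n>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+)(?: eq (?P<port>\S+))? \(hitcnt=(?P<hits>\d+)\)"
)


def parse_uauth(text):
    """One dict per uauth entry: user, address, state, installed ACL name, timeouts in seconds."""
    users, cur = [], None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            cur = {"user": m["user"], "ip": m["ip"], "state": m["state"],
                   "acl": None, "absolute": None, "inactivity": None}
            users.append(cur)
            continue
        if cur is None:
            continue  # still in the counter header above the first user entry
        m = UAUTH_ACL_RE.match(line)
        if m:
            cur["acl"] = m["acl"]
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            cur[m["kind"]] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return users


def parse_access_list(text):
    """Map ACL name -> list of ACEs (line, action, protocol, port or None, hit count)."""
    acls = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            acls.setdefault(m["acl"], []).append({
                "line": int(m["n"]), "action": m["action"], "proto": m["proto"],
                "port": m["port"], "hits": int(m["hits"])})
    return acls


def audit_user_access(uauth_text, acl_text, allowed):
    """Compare each authenticated user's downloaded ACL with the intended policy.

    allowed: set of (protocol, port-or-None) tuples the site expects the per-user ACL to open.
    Returns a list of finding strings; an empty list means every entry matches policy."""
    findings = []
    acls = parse_access_list(acl_text)
    for u in parse_uauth(uauth_text):
        who = f"{u['user']}@{u['ip']}"
        if u["state"] != "authenticated":
            continue
        if u["acl"] is None:
            findings.append(f"{who}: authenticated but no per-user ACL installed")
            continue
        aces = acls.get(u["acl"])
        if aces is None:
            findings.append(f"{who}: uauth references {u['acl']} but it is not in show access-list")
            continue
        for ace in aces:
            if ace["action"] == "permit" and (ace["proto"], ace["port"]) not in allowed:
                findings.append(f"{who}: {u['acl']} line {ace['line']} permits "
                                f"{ace['proto']}/{ace['port']} outside policy")
    return findings


if __name__ == "__main__":
    policy = {("tcp", "www"), ("tcp", "netbios-ssn"), ("icmp", None)}
    for finding in audit_user_access(SHOW_UAUTH, SHOW_ACCESS_LIST, policy) or ["no findings"]:
        print(finding)
```

Run it with a narrower policy (for instance without `("tcp", "netbios-ssn")`) and the audit names the exact ACE line that opens more than intended, which is the question to ask when a downloaded ACL looks broader than the profile configured on the AAA server.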
In the above example, users cannot reach the Internet before authenticating through the authentication proxy. After authenticating, the user can access network resources using HTTP, NetBIOS session service and ICMP, as permitted by the downloaded ACL.
The same approach can be used to mitigate the spread of a worm that uses TCP port 139 as its communication medium: the network policy then dictates that every computer must authenticate manually before it obtains network access, so an infected but unauthenticated host cannot reach port 139 through the ASA.