Authentication proxy is a feature on the ASA platforms that allows a network administrator to force users to authenticate to the ASA before users are allowed access through the device. The ASA can authenticate these users using Radius, TACACS or local user databases.
Authentication proxy is used to control access through the ASA in a more granular and user based fashion.
Authentication Proxy Configuration
The following configuration lines will set up authentication proxy for HTTP connections:
Using the above command, the authentication page will now look like:
Authentication Proxy Troubleshooting Commands
To check the current uauth database, use the show uauth command.
hostname# show uauth Current Most Seen Authenticated Users 1 1 Authen In Progress 0 2 user 'cisco' at 10.1.1.2, authenticated absolute timeout: 0:05:00 inactivity timeout: 0:00:00
Additionally, the command test aaa authentication will test a user against the AAA server.
hostname# test aaa-server authentication RADIUS username cisco password cisco Server IP Address or name: 10.1.1.1 INFO: Attempting Authentication test to IP address <10.1.1.1> (timeout: 12 seconds) ERROR: Authentication Rejected: AAA failure
Integration with ACS
The ASA and Radius can work together using downloadable ACLs and authentication proxy to create per-user customizable access profiles. On the ASA, the following configuration is required:
where the ASA will prompt the user for authentication. Once the user enters the authentication username and password, the ASA will forward this information to the Radius server. The Radius server is configured to return a downloadable ACL via the class 26 vendor specific attribute. The ASA will download this ACL and install it into its database specific to this user.
The outputs from a successful authentication are included below:
hostname(config)# show uauth Current Most Seen Authenticated Users 1 1 Authen In Progress 0 2 user 'cisco' at 10.1.1.2, authenticated access-list #ACSACL#-IP-cisco-4d30a35b (*) absolute timeout: 0:05:00 inactivity timeout: 0:00:00
The associate ACL lines are included below:
access-list #ACSACL#-IP-cisco-4d30a35b; 3 elements; name hash: 0x34134156 (dynamic) access-list #ACSACL#-IP-cisco-4d30a35b line 1 extended permit tcp any any eq www (hitcnt=1) 0x3f7a6230 access-list #ACSACL#-IP-cisco-4d30a35b line 2 extended permit tcp any any eq netbios-ssn (hitcnt=0) 0xbdefa208 access-list #ACSACL#-IP-cisco-4d30a35b line 3 extended permit icmp any any (hitcnt=0) 0x25be1e4f
In the above example, the users cannot get out to the internet before authenticating via authentication proxy. After authenticating, the user is able to access all network resources using HTTP, Netbios and ICMP.
The above example can be used when trying to mitigate the spread of a worm that uses TCP port 139 as its communication medium. As a result, the network policy dictates that all computers must manually authenticate before they can obtain network access.
Hi Team,We have 2 ISP with our Firepower and we are looking into redundancy for our AnyConnect VPN and we found the Backup Server.Our request:We just want AnyConnect to automatically reconnect to the Backup Server in the list when a remote anyconnect user...
Hello, For whatever reason ISE 2.3 3495 is extremely slow when accessing context visibility. All other page works fine. Except for when we filtered a identity group endpoint. We tried chrome and firefox. We also downloaded the ...
When our AnyConnect clients connect remotely, they get a 172.a.b.c address from our ASA and register this address with our DNS server, so everything is good... until they get back into the office.... when the client later boots up onto the corporate LAN, ...
We are trying to get our ISE 2.6 to take radius accounting packets (from Aruba Clearpass) and convert them into Identities to then pass off to our FMC and FTD. We are seeing the endpoints show up in ISE and we see all the correct information however ...