Authentication proxy is a feature on the ASA platforms that allows a network administrator to force users to authenticate to the ASA before users are allowed access through the device. The ASA can authenticate these users using Radius, TACACS or local user databases.
Authentication proxy is used to control access through the ASA in a more granular and user based fashion.
Authentication Proxy Configuration
The following configuration lines will set up authentication proxy for HTTP connections:
Using the above command, the authentication page will now look like:
Authentication Proxy Troubleshooting Commands
To check the current uauth database, use the show uauth command.
hostname# show uauth Current Most Seen Authenticated Users 1 1 Authen In Progress 0 2 user 'cisco' at 10.1.1.2, authenticated absolute timeout: 0:05:00 inactivity timeout: 0:00:00
Additionally, the command test aaa authentication will test a user against the AAA server.
hostname# test aaa-server authentication RADIUS username cisco password cisco Server IP Address or name: 10.1.1.1 INFO: Attempting Authentication test to IP address <10.1.1.1> (timeout: 12 seconds) ERROR: Authentication Rejected: AAA failure
Integration with ACS
The ASA and Radius can work together using downloadable ACLs and authentication proxy to create per-user customizable access profiles. On the ASA, the following configuration is required:
where the ASA will prompt the user for authentication. Once the user enters the authentication username and password, the ASA will forward this information to the Radius server. The Radius server is configured to return a downloadable ACL via the class 26 vendor specific attribute. The ASA will download this ACL and install it into its database specific to this user.
The outputs from a successful authentication are included below:
hostname(config)# show uauth Current Most Seen Authenticated Users 1 1 Authen In Progress 0 2 user 'cisco' at 10.1.1.2, authenticated access-list #ACSACL#-IP-cisco-4d30a35b (*) absolute timeout: 0:05:00 inactivity timeout: 0:00:00
The associate ACL lines are included below:
access-list #ACSACL#-IP-cisco-4d30a35b; 3 elements; name hash: 0x34134156 (dynamic) access-list #ACSACL#-IP-cisco-4d30a35b line 1 extended permit tcp any any eq www (hitcnt=1) 0x3f7a6230 access-list #ACSACL#-IP-cisco-4d30a35b line 2 extended permit tcp any any eq netbios-ssn (hitcnt=0) 0xbdefa208 access-list #ACSACL#-IP-cisco-4d30a35b line 3 extended permit icmp any any (hitcnt=0) 0x25be1e4f
In the above example, the users cannot get out to the internet before authenticating via authentication proxy. After authenticating, the user is able to access all network resources using HTTP, Netbios and ICMP.
The above example can be used when trying to mitigate the spread of a worm that uses TCP port 139 as its communication medium. As a result, the network policy dictates that all computers must manually authenticate before they can obtain network access.
Hi, We configure our ESA's to push SYSLOG messages to the SIEM, but while trying to setup logging for successful/failed logins I have discovered that this is not possible for the Authentication Log. Does anybody know why this is (It seems perfec...
Hi guys! I have a question regarding CWA on ISE. We have a customer who want to do 2-factor authentication for internal users via CWA. 2FA works in with physical token authentication and with internal ISE users. The problem that we are facing is with...
Dear all. I configured correlation policy and started to collect logs. Moreover i configured that when correlation event happen firepower must send it via email. Actually everything worked correctly. Except one thing that related to timing. I got co...
Hi, I have this configuration in GNS3 with FTD. I can't access Internet from the Inside interface and I can't figure why. Could you please help me? : Saved:: Serial Number: 9A2HWHFXJEA: Hardware: ASAv, 8192 MB RAM, CPU Pentium II 2600 MHz, ...
Hello Team, I am failing to understand how the firewall engines works when ASA is combined with FTD. Is there like a double layer of firewall? Lets say that i want to allow HTTP traffic from my lan (192.168.1.100) towards 220.127.116.11 on the internet...