04-18-2011 07:22 AM
I have an SSL gateway set up with multiple profiles.
I make use of ACS to “group lock” the users in their own profile.
I am trying to set up a way for ACS to provide the proxy settings. I thought [033] Proxy-State would do this for me, but either I have it set up wrongly, or I am going about this the wrong way.
Can anyone guide me with this one?
04-19-2011 02:47 PM
Martin,
If you want to provide IE proxy settings to your users you may have this possibility via "IE-Proxy-...." attributes.
Here's complete list of supported attributes:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html#wp1605508
Marcin
04-20-2011 02:24 AM
Thanks Marcin - it looks like that might just do the job.
I have enabled [026/3076/080] IE-Proxy-Server with my proxy server IP:port on the group of the users I wish to allocate this.
However, it does not seem to work.
Now is there something I need to configure on the ASA as well?
Like when I am enforcing the group lock or enforcing ACLs per user that some of the configuration is on the ASA?
I tried to look for info on this, sadly have not found anything yet.
04-20-2011 02:31 AM
Martin,
"debug aaa common 100" will show you if ASA understands those settings.
I understand that you're using Anyconnect? Otherwise there is no way to enforce proxy settings on thin clients.
Marcin
05-04-2011 04:16 AM
Hi Marcin,
From my syslog (syslog-ng) I can see the user connecting the handshake. However I never see the IP address of the proxy server nor the setting "IE-Proxy-Server" in the syslog messages. Yes I am using the Anyconnect client.
Anything else I could try?
Regards,
Martin
05-04-2011 05:20 AM
Martin,
Do you see those settings sent from ACS down to ASA?
Check "debug aaa common 100" when connecting, "debug radius all" could be interesting too.
Marcin
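One way to confirm offline whether a captured Access-Accept from ACS carries the [026/3076/080] attribute at all, as an added example (not code from this thread or from Cisco). It assumes a raw RADIUS packet with standard RFC 2865 vendor-specific encoding; the function names and the sample packets are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26    # RADIUS Vendor-Specific attribute type
VENDOR_ID = 3076        # vendor ID from the thread's [026/3076/080]
IE_PROXY_SERVER = 80    # vendor sub-type for IE-Proxy-Server, per the thread


def tlvs(buf):
    """Yield (type, value) from 1-byte type, 1-byte length TLVs (length includes header)."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]


def ie_proxy_server(packet):
    """Return the IE-Proxy-Server string carried in a RADIUS packet, or None."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    for atype, value in tlvs(packet[20:length]):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_ID:
            continue
        for vtype, vvalue in tlvs(value[4:]):
            if vtype == IE_PROXY_SERVER:
                return vvalue.decode("ascii", "replace")
    return None


def sample_accept(proxy=None):
    """Constructed Access-Accept (code 2, zeroed authenticator), not a real capture."""
    attrs = bytes([25, 9]) + b"example"          # constructed Class attribute
    if proxy is not None:
        sub = bytes([IE_PROXY_SERVER, 2 + len(proxy)]) + proxy
        attrs += bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", VENDOR_ID) + sub
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    for pkt in (sample_accept(b"192.0.2.10:8080"), sample_accept()):
        print(ie_proxy_server(pkt) or "IE-Proxy-Server not present in this reply")
```

A `None` result means the server never put the attribute in the reply, so the place to look is the ACS group configuration rather than the ASA.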
05-04-2011 05:28 AM
Marcin, I only see the user / group lock settings taking place. (Even downloadable ACLs)
Nothing from the "[3076\080] IE-Proxy-Server" or its IP address / port number.
I know with the group lock / downloadable ACLs some configuration had to be done on the ASA.
Is this the case with the IE-Proxy-Server as well? Or should the setting within ACS be enough?
05-06-2011 09:35 AM
Martin,
Too many variables, would you be willing to open an SR for this? AFAIK it should work, from ASA's perspective it's a supported attribute.
Marcin
05-30-2011 01:52 AM
Just some feedback from my side.
This is what I have done on the ASA:
group-policy
dns-server value
msie-proxy server value
And now the proxy settings get forced.