ASA auth-proxy timeout

Hi, everyone
I have a puzzle with the ASA auth-proxy authentication timeout. I want to achieve an inactivity timeout, that is, when there is traffic between client and host through the ASA after the user has authenticated, the cache timeout timer doesn't run. When the traffic ends, the cache timeout timer runs again.
But when I configure the ASA 7.0, I found that if I have configured the ASA timeout timer as absolute with the following command:
timeout uauth 0:05:00 absolute
I cannot change the timer to inactivity,
but can change it to the following:
timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
What is its meaning?
And can the user authentication timer be changed to inactivity?
Many thanks

Use the timeout uauth absolute & inactivity values locally.
Try the bug CSCsg52108
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/t_711.html#wp1318629
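As an added illustration of how the two uauth timers interact (example code added here, not from the thread or from Cisco): a small Python model that assumes the absolute timer counts from authentication regardless of traffic, the inactivity timer is restarted by each new connection, and the cached entry is removed by whichever timer fires first.

```python
def parse_uauth(hms: str) -> int:
    """Convert an ASA 'h:mm:ss' timer string such as '0:05:00' to seconds."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def uauth_expiry(auth_at, connections, absolute=None, inactivity=None):
    """Return (expiry_time, reason) for one cached uauth entry.

    auth_at     -- time in seconds at which the user authenticated
    connections -- sorted times (seconds) of new connections through the ASA
    absolute    -- value of 'timeout uauth ... absolute' in seconds (None = unset)
    inactivity  -- value of 'timeout uauth ... inactivity' in seconds (None = unset)

    Model assumptions (simplified documented behaviour): the absolute timer
    runs from auth_at no matter what traffic flows; the inactivity timer is
    restarted by every new connection; the entry is dropped when the earlier
    of the two deadlines passes.  With neither timer set the entry never
    expires in this model.
    """
    abs_deadline = auth_at + absolute if absolute is not None else None
    inact_deadline = auth_at + inactivity if inactivity is not None else None

    for t in connections:
        # A connection arriving after either deadline cannot refresh an entry
        # that was already removed; the user must authenticate again.
        if inact_deadline is not None and t > inact_deadline:
            break
        if abs_deadline is not None and t > abs_deadline:
            break
        # Traffic while the entry is alive restarts only the inactivity timer.
        if inact_deadline is not None:
            inact_deadline = t + inactivity

    candidates = [(d, reason) for d, reason in
                  ((abs_deadline, "absolute"), (inact_deadline, "inactivity"))
                  if d is not None]
    if not candidates:
        return None, "never"
    return min(candidates)


if __name__ == "__main__":
    # Constructed trace: auth at t=0, then new connections at 60, 120 and 200 s.
    trace = [60, 120, 200]
    both = parse_uauth("0:05:00")
    # The command from the thread: both timers at 0:05:00.
    print(uauth_expiry(0, trace, absolute=both, inactivity=both))
    # A longer absolute timer lets the inactivity timer decide instead.
    print(uauth_expiry(0, trace + [1000], absolute=3600, inactivity=300))
```

With both timers set to 0:05:00 as in the command above, the absolute timer always fires first, so the inactivity value only has an effect when the absolute value is longer.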

Similar Messages

  • Newbie with auth-proxy

    Hi,
    I need to allow and deny some users going to the Internet, but I want to allow/deny only HTTP traffic.
    For example, I don't want any user to have to authenticate if they want to use FTP.
    Is it possible with the auth-proxy? If yes, is there any configuration example?
    In the example I saw, the user had to authenticate to then allow his computer to send any packet to the Internet.
    Thanks for your help.
    Cheers, Gael

    Auth-proxy will authenticate the user only via HTTP, before they can send ANY traffic out. Going by your description this is not what you want.
    Lock-and-Key might be more what you want. See here for details:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm
    You could define an ACL to the inside interface allowing everything EXCEPT HTTP/HTTPS. Users doing FTP can just go straight out as normal then. Then define dynamic entries to this ACL that allow all traffic. For anyone to go out with HTTP/HTTPS they'd have to telnet to the router first, put in their login credentials, then they can browse out. Something like the following should work for you:
    interface ethernet0
    description Inside interface
    ip address 10.1.1.1 255.255.255.0
    ip access-group 101 in
    access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 80
    access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 443
    access-list 101 permit ip 10.1.1.0 0.0.0.255 any
    access-list 101 dynamic mytestlist timeout 120 permit ip any any
    line vty 0 4
    login local
    autocommand access-enable host timeout 5
    It takes a bit of user education in that they will have to be told how to use this (first telnet to the router at 10.1.1.1, login, then you can use HTTP traffic outbound), but should give you what you want.

  • Ip auth-proxy form action is always IP address for HTTPS?

    I am trying to set up an IP auth-proxy on an 1840.
    It works, but results in an HTTPS certificate error, as the authentication form is always submitted back to the router using the IP address in the URL and not the domain name that is in the certificate.
    ... <form method="post" action="https://10.10.10.11:443" target="pxywindow1"> ...
    Is there a way to make the router send the form with the domain name, or at least a relative URL, and not the IP address?
    With this certificate error, the feature cannot possibly be used in a production environment.
    Thanks!
    Sergey

    Figured it out: I had not put in a default "aaa authentication login default tacacs+" command. I didn't think it was necessary. I was wrong.

  • ACS-Auth-proxy Security misconfig

    Hi,
    I have an issue with ACS and authentication proxy. It turns out that I want users to have only one session at a given time, but the ACS is allowing more than one session per user.
    Imagine the following sequence of events:
    1) user A logs in ok
    2) another user A tries to log in and is correctly blocked
    3) user B logs in ok
    4) another user B tries to log in and is correctly blocked
    5) If at this point another user A tries to log in, it is not blocked
    and I have the same user A account logged in twice.
    At this point, I can log in another user B without problem, resulting in two accounts connected for user B, which is not what I want.
    The router config is attached.
    On the ACS Server, I have the User max session set to 1, and the auth-proxy priv-lvl is as follows:
    priv-lvl=15
    proxyacl#1=deny tcp any host 10.10.10.1 eq telnet ! this is to prevent users from telnetting into the rtr.
    proxyacl#2=permit ip any any
    proxyacl#3=permit icmp any any
    Any help you can provide, will be greatly appreciated.
    Regards,
    Eduardo

    Thanks for your reply, Darran.
    Yes, I have lines for accounting for things that I do not even plan to use, just to be on the safe side:
    aaa new-model
    aaa group server tacacs+ Oasis
    server 10.10.10.5
    aaa authentication login default group Oasis none
    aaa authorization exec default group Oasis none
    aaa authorization commands 15 default group Oasis none
    aaa authorization auth-proxy default group Oasis local
    aaa accounting send stop-record authentication failure
    aaa accounting auth-proxy default start-stop group Oasis
    aaa accounting commands 15 default start-stop group Oasis
    aaa accounting network default start-stop group Oasis
    aaa accounting system default start-stop group tacacs+ group Oasis
    aaa accounting resource default start-stop group Oasis
    aaa session-id common
    ip dhcp relay information trust-all
    ip dhcp excluded-address 10.10.10.1 10.10.10.10
    ip dhcp pool Oasis_dhcp
    import all
    network 10.10.10.0 255.255.255.0
    default-router 10.10.10.1
    dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
    lease infinite
    update arp
    ip auth-proxy auth-proxy-banner http
    ip auth-proxy auth-proxy-audit
    ip auth-proxy name acceso http inactivity-time 60
    ip admission auth-proxy-banner http
    ip admission auth-proxy-audit
    ip name-server xxx.xxx.xxx.xxx
    interface Vlan1
    description Switch Ethernet 4Ptos 10-100
    ip dhcp relay information trusted
    ip dhcp client update dns
    ip address 10.10.10.1 255.255.255.0
    ip access-group 150 in
    ip auth-proxy acceso
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip nat inside source list 20 interface Dialer1 overload
    Also, on the ACS, I have the Max sessions set to 1, but on the acs reports, I do not see any port re-used message.
    I have a lab with 4 PCs and the ACS server (Win2003, standard).
    Again, thanks for your interest.
    Eduardo

  • Ip auth-proxy

    Can somebody explain to me the meaning of the following commands in the link given below?
    1) aaa authentication login default local group RTP none
    In this command the default is local; will it prompt the user for TACACS first?
    2) ip auth-proxy name list_a http and ip auth-proxy list_a
    What is the meaning of putting in these commands?
    3) access-list 116 permit tcp host 40.31.1.47 host 40.31.1.150 eq www
    Why is this access-list required?
    4) There is no access-list from host to webserver??
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094655.shtml

    1> This command will try first to authenticate using a local database (username john password 0 doe); if it returns an error (if you don't set any username, I believe) it will try the TACACS server.
    2> ip auth-proxy name list_a http
    This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list (ACL), providing control over which hosts use the authentication proxy.
    Because an access list is not specified in the rule, all connection-initiating HTTP traffic is subjected to authentication.
    ip auth-proxy list_a
    The rule is applied to an interface on a router using this command.
    3>
    ACL 116 is blocking traffic from the host 10.31.1.47 to other webservers (it only allows it to talk with the router).
    After authenticating, new lines will be added to the front of the ACL and then it will be allowed to talk to the webserver.
    HTH,
    rate this post if it does,
    vlad

  • ASA UC proxy Failover Solution

    Hi,
    I have two ISPs at my disposal; one of the ASAs is utilized as a UC proxy and people from the Internet directly access Call Manager through it.
    The UC proxy in the ASA is configured with one of the ISP's IP address blocks.
    In case the ISP connected to the ASA is down, the Unified Communications services through the Internet fail.
    Request you to help me in providing a UC proxy failover solution.
    Regards

    My configuration is given below, please see it:
    tls-proxy ASA-tls-proxy
     server trust-point _internal_PP_ctl_phoneproxy_file
    ctl-file ctl_phoneproxy_file
     record-entry capf trustpoint capf_trustpoint address 220.227.14.x
     record-entry cucm-tftp trustpoint phoneproxy_trustpoint address 220.227.14.X
     no shutdown
    media-termination my
     address 10.60.1.92 interface lan
     address 220.227.14.x interface wan
    phone-proxy ASA-phone-proxy
     media-termination my
     tftp-server address 10.60.1.151 interface lan
     tls-proxy ASA-tls-proxy
     ctl-file ctl_phoneproxy_file
     no disable service-settings
    If some changes are required for soft phones then please share them. And also share the ports which should be opened for softphone communication.

  • How to tweak Web-Auth Policy timeout on WLC?

    Hello,
    Is it possible to change Web-Auth Policy timeout? Currently I am talking about 5508, but it could be WiSM also.
    Thank you.

    You need to be clear on one thing though: the webauth policy timeout has nothing to do with authenticated users.
    This is the time we will wait on a client to perform a web authentication and move to a RUN state.
    If a user is hitting the webauth timeout, they are going to be removed because they aren't a working client anyhow.
    The only exception is this pre-auth ACL, I suppose, where you want users to webauthenticate if they go outside of a specific webpage, but have unlimited access to that one page.
    Either way, I agree the timer needs to be modifiable, but you need to make sure you're fighting for the right timer.
    If your clients are going to sleep and they disassociate, of course they will have to reauth; the disassociation removed them from the enterprise network entirely.
    If they are sleeping though, and timing out because of a normal IDLE timeout (not web policy timeout), that is modified on the Controller tab of the GUI under "User Idle Timeout".

  • Ip admission auth-proxy

    Platform:  881W
    IOS: C880-DATA-UNIVERSALK9-M 15.0(1)M3
    License:  I have tried both advsecurity and advipservices
    Problem:  Configuring an auth-proxy redirect on successful authentication
    Cisco's documentation states that when you are configuring auth-proxy, you may specify a URL to which the clients will be redirected when successfully authenticated.  The command is:
    ip admission proxy http success redirect <url-string>
    However, the command does not seem to exist on many of the later IOS versions.  I am also unable to find any documentation with alternate methods of sending a redirection to the client after a successful authentication.  Is this command deprecated?  Is there a more efficient method of redirecting?
    Documentation I am using:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swwebauth.html#wp1103789
    Thank you,
    Dan

    Hello,
    Can anyone here help me call a URL that has an image into my consent page?
    I have an HTML page in the flash of the router called consent_page.html. Here are two different methods I am using to attempt to get the logo to show up in the consent page. Any ideas how to make this part work? Everything else works.
    <a href="http://www.officemax.com"><IMG SRC="/logo.gif" ALT="Company" WIDTH=246 HEIGHT=48></a>
    <a href="http://www.officemax.com"><IMG SRC="http://www.officemax.com/images//header/logo.png" ALT="OfficeMax" WIDTH=246 HEIGHT=48></a>
    Warning!
    The web site you have tried to access may not conform to the company's Acceptable Usage Policy
    If you want to continue to this website click the "Accept" button below to proceed which will give you temporary access to this website. Please note that all web access is monitored.
    Free Internet Hotspot
    Terms of Service Agreement
    Company provides free Internet access under the condition that you agree to abide by the restrictions below.
    Responsibility of Use
    You are responsible for all content distributed, accessed, or viewed while connected to this service. Company is not liable for your actions while using this service.
    Limitation of Liability
    Company is not liable for any damages which result from your use of this service.

  • What is the default web-auth required timeout period?

    Hi,
    As according to the cisco config example. (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml),
    it says:
    If clients are in Webauth_Reqd state, no matter if they are active or idle, the clients will get de-authenticated after a web-auth required timeout period (for example, 300 seconds and this time is non-user configurable). All traffic from the client (allowed via Pre-Auth ACL) will be disrupted. If the client associates again, it will move back to the Webauth_Reqd state.
    What is the default web-auth required timeout period stated in the example?
    Many thanks.

    Hi,
    Yes, it is 300 seconds and non-configurable, to prevent DoS by depleting IP addresses on the guest WLAN/VLAN. There is an enhancement request filed especially for your situation with the Pre-auth ACL.
    CSCtj32812    DHCP Option to mitigate the problem of guest client rejoining network
    Thanks. Salil

  • ABAP Proxy Timeout

    Hi!
    I have this scenario:
    SAPR3 (A.Proxy) -> XI ->SOAP
    SAP R3 sends sync messages to XI through an ABAP proxy, which starts a BPM; this BPM calls a web service that sometimes takes more than one minute to give a response.
    When the process reaches "Close S/A Bridge", it raises a Timeout Exception.
    I have already increased HTTP_TIMEOUT in SXMB_ADM and icm/keep_alive_timeout in SMICM in XI, with no effect.
    Do I need to change another parameter? Maybe in SAP R3?

    Hi Jose,
    Go through the tuning guide of XI (once I find the link I will update this thread). The HTTP timeout property can be used for SOAP as well, as the underlying transport protocol is HTTP for SOAP messages too. That might help.
    Also, the second thing you could do: by default the web service client socket timeout is set to 60. Try changing this parameter in the Visual Administrator: Server -> Services -> Web Services Container on the Settings tab.
    Regards
    joel.

  • ABAP Proxy timeout issue

    Hi,
    I have a scenario where I provide a web service. I get called by this web service and then call an ABAP proxy (sync). The ABAP side takes time to gather the data. After 600 seconds, the connection gets a timeout.
    It says, "500 Connection timed out"
    "Detail: Connection to partner timed out after 600s"
    In SMICM I increased the HTTP value to 9000. So, how do I get this error?
    Parameters are like below in PI:
    icm/server_port_0     = PROT=HTTP,PORT=50000,TIMEOUT=90,PROCTIMEOUT=9000
    icm/keep_alive_timeout (sec.)  = 50
    icm/conn_timeout (msec.)       = 5000
    xiadapter.inbound.timeout.default = 5400000

    Hi,
    Check if you are getting some short dumps in ABAP side due to this timeout in ST22.
    Probably the issue is the work process timeout on the ABAP side, as you mentioned it takes more time to gather data. The profile parameter is rdisp/max_wprun_time and it has a default value of 600 seconds. If that's the case then you can increase it.
    regards,
    francis

  • ABAP Client Proxy Timeout

    Dear all,
    An ABAP client proxy has been generated to connect to a non-SAP web service. It runs successfully, except it may time out when the web service method runs too long (over 1 minute).
    We know the timeout/keepalive value can be set at the ICM timeout parameter by using Tcode RZ11. However, can we set it in ABAP code? It is more convenient to override server settings.
    Thanks!
    Regards,
    Thomas

    Hi,
    Make the changes below:
    In SXMB_ADM
    go to Configure Integration Server;
    in Change Specific Identifiers set the runtime parameter HTTP_TIMEOUT and then restart the XI server; the changes will be updated.
    Regards,
    Sukarna.

  • ASA auth-prompt prompt Please login: doesn't display the “user acceptance a

    The following example shows the output of the show running-config auth-prompt command:
    hostname(config)# show running-config auth-prompt
    auth-prompt prompt Please login:
    auth-prompt accept You're in!
    auth-prompt reject Try again.
    hostname(config)#
    I have to have a "user acceptance agreement" when logging in to VPN on a Cisco ASA 5520 ver 7.2(3). I have configured it properly, but when I log in I never get the prompt.
    XXXXXX/pri/act# show running-config auth-prompt
    auth-prompt prompt Please login:
    auth-prompt accept You're in!
    auth-prompt reject Try again.

    We are using the ASA like a VPN Concentrator. I have it set up where users log in to it and establish a VPN and authenticate against an RSA token server.
    The routing and the tunnels work fine and the users do get authenticated, but they never receive a prompt, banner or whatever you want to call it, like they do when they log on via a 3030 or similar.
    I even tried as you suggested and used this config; they should get a banner after a successful logon but they don't. Any ideas?
    banner login =====================================================================
    banner login You are attempting to connect to a restricted system. Connections
    banner login to and from this system are logged. Please disconnect now if you
    banner login are not an authorized user of this system.
    banner login =====================================================================

  • Sync inbound java proxy timeout

    Hi all
    My scenario is ABAP proxy to Java proxy, sync.
    But I had a timeout error with some bulk data, but not too big...
    Does anyone know how to increase the time for the inbound Java proxy?
    regards;
    dennis

    Dear Ogawa,
    If you have a step-by-step document, please send it to me.
    I am getting this error in my scenario:
    I am working on a Java server proxy. In my scenario I am picking up a file from the sender File Adapter and on the receiver side I am using a Java proxy (inbound). But in SXMB_MONI it gives me an error, and the error number is 110.
    See the Detailed Error in Call Adapter.
    <?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
    <!-- Call Adapter -->
    <SAP:Error xmlns:SAP="http://sap.com/xi/XI/Message/30" xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" SOAP:mustUnderstand="">
    <SAP:Category>XIServer</SAP:Category>
    <SAP:Code area="INTERNAL">CLIENT_RECEIVE_FAILED</SAP:Code>
    <SAP:P1>110</SAP:P1>
    <SAP:P2 />
    <SAP:P3 />
    <SAP:P4 />
    <SAP:AdditionalText />
    <SAP:ApplicationFaultMessage namespace="" />
    <SAP:Stack>Error while receiving by HTTP (error code: 110, error text: )</SAP:Stack>
    <SAP:Retry>A</SAP:Retry>
    </SAP:Error>
    Please help me .
    Regards
    Lateef

  • Socket proxy timeout

    Hi,
    I'm currently using:
    mysock.connect(sockaddr, 2000);
    to set socket connection timeout.
    Everything works fine until I set a proxy:
    System.setProperty("socksProxySet", "true");
    System.setProperty("socksProxyHost", "proxy");
    System.setProperty("socksProxyPort", "port");
    Can i also set connection timeout for the proxy?

    ejp wrote:
    Oops, I agree you are correct, it's there in 1.5 too. But does that propagate the 'closed' flag back to Socket?
    I think so, but I'm not sure. PlainSocketImpl extends SocketImpl. SocketImpl has a reference to the Socket, and close in PlainSocketImpl has this comment:
    * We close the FileDescriptor in two-steps - first the
    * "pre-close" which closes the socket but doesn't
    * release the underlying file descriptor. This operation
    * may be lengthy due to untransmitted data and a long
    * linger interval. Once the pre-close is done we do the
    * actual socket to release the fd.
    */
    It's hard to see if it calls close on the Socket since socketPreClose and socketClose invoke native methods.
