ASA cut through proxy with RADIUS challenge response?

Have this working for IPSEC VPN on same box (tested on 8.2.1 and 8.2.3)
Want to do cut through proxy with challenge response - same ASA and same RADIUS server but using aaa authentication match command and this is what happens...
It looks like the ASA sends a completely different radius authentication request than with VPN authentication request. Is there any way to specify what request is sent?
What the RADIUS Server sees with ASA VPN auth - THIS WORKS OK (included for comparison)
Date: 15/11/2010
Time: 3:53:57 PM
Type: Information
Source: Server
Category: RADIUS
Code: I-006001
Description: A RADIUS Access-Request has been received.
AMID: 0xC8500B80B3D8F49C6CB37E5D32DA6682
Details:
Source Location : 10.xx.21.24
Client Location : 10.xx.21.230:1025
Request ID : 31
Password Protocol : PAP
Input Details : RADIUS Code:1, RADIUS Id:31, , User-Name:xxxx, User-Password:******, NAS-IP-Address:10.xx.21.230, NAS-Port:31, NAS-Port-Type:Virtual, vendor(9):attrib(1):0x1A2000000009011A69703A736F757263652D69703D31302E32312E352E313137, Calling-Station-Id:ip:source-ip=10.21.5.117
Action : Process
What the RADIUS Server sees with ASA cut thru - THIS FAILS (any help V welcome)
Date: 17/11/2010
Time: 2:29:31 PM
Type: Warning
Source: Server
Category: RADIUS
Code: W-006001
Description: An invalid RADIUS packet has been received.
AMID: 0xC19D988F83365F20151C3F6339DEC74B
Details:
Source Location : 10.xx.21.24:1812 (Authentication)
Client Location : 10.xx.21.230:1025
Reason : The sub-protocol of the received RADIUS packet cannot be determined
Request ID : 33
Input Details : 0x01210066055A8B6881266714BDB20380B9FE5FAC01066962333504060AC815E60506000000203D06000000051A2000000009011A69703A736F757263652D69703D31302E34302E352E3131311F1A69703A736F757263652D69703D31302E34302E352E313131
Request Type : Access-Request
Thanks in advance
IB
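
Added example (not part of the original thread): a minimal RADIUS Access-Request decoder run over the hex from the failing entry's "Input Details" field, listing the attributes present and which password sub-protocol attribute, if any, the request carries. The PAP comparison packet and the `build_request` helper are constructed for illustration, and the parser assumes one sub-attribute per Vendor-Specific attribute.

```python
import struct

# Hex copied from "Input Details" in the failing cut-through proxy log entry.
CTP_REQUEST_HEX = (
    "01210066055A8B6881266714BDB20380B9FE5FAC"
    "01066962333504060AC815E60506000000203D0600000005"
    "1A2000000009011A69703A736F757263652D69703D31302E34302E352E313131"
    "1F1A69703A736F757263652D69703D31302E34302E352E313131"
)

ATTR_NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password",
              4: "NAS-IP-Address", 5: "NAS-Port", 26: "Vendor-Specific",
              31: "Calling-Station-Id", 61: "NAS-Port-Type", 79: "EAP-Message"}
MS_VENDOR = 311  # Microsoft enterprise number, used for MS-CHAP attributes (RFC 2548)


def parse_radius(raw):
    """Return (code, identifier, attributes) for one RADIUS packet (RFC 2865)."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("length field does not match the data received")
    attrs, pos = [], 20  # skip the header and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = raw[pos], raw[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        value = raw[pos + 2:pos + a_len]
        if a_type == 26 and len(value) >= 6:
            # Vendor-Specific: 4-byte vendor id, then vendor type, length, data
            vendor = struct.unpack("!I", value[:4])[0]
            attrs.append((26, vendor, value[4], value[6:]))
        else:
            attrs.append((a_type, None, None, value))
        pos += a_len
    return code, ident, attrs


def auth_subprotocol(attrs):
    """Name the password sub-protocol the request carries, or None if absent."""
    for a_type, vendor, v_type, _ in attrs:
        if a_type == 2:
            return "PAP"
        if a_type == 3:
            return "CHAP"
        if a_type == 79:
            return "EAP"
        if a_type == 26 and vendor == MS_VENDOR and v_type == 1:
            return "MS-CHAPv1"  # MS-CHAP-Response
        if a_type == 26 and vendor == MS_VENDOR and v_type == 25:
            return "MS-CHAPv2"  # MS-CHAP2-Response
    return None


def build_request(ident, attrs):
    """Build a constructed Access-Request (zeroed authenticator) for comparison."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body


# Constructed sample, not from the thread: a request carrying User-Password (PAP).
PAP_SAMPLE = build_request(31, [(1, b"user"), (2, bytes(16))])

if __name__ == "__main__":
    for label, raw in (("cut-through", bytes.fromhex(CTP_REQUEST_HEX)),
                       ("constructed PAP", PAP_SAMPLE)):
        code, ident, attrs = parse_radius(raw)
        names = [ATTR_NAMES.get(a[0], str(a[0])) for a in attrs]
        print(label, "code", code, "id", ident, names, "->", auth_subprotocol(attrs))
```

On the hex from the failing entry this finds no User-Password, CHAP-Password, MS-CHAP or EAP-Message attribute, which is consistent with the server's "sub-protocol of the received RADIUS packet cannot be determined" reason.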

Hi Ian,
sorry for the late reaction - do you still need help with this?
The difference between the working (VPN) auth and the failing (CTP) auth seems to be that VPN is using PAP (so no challenge-response!) while the CTP is using MS-Chapv2
So my guess is that your Radius server does not support MS-Chapv2. If that is the case then you may want to try this:
aaa-server () host
no mschapv2-capable
Although this command is not really meant to be used in this scenario, so I'm not sure if it will work but I'm hoping it will make the ASA revert to PAP for all auth requests to this host.
Note that you won't be doing challenge/response, so your passwords will be transmitted over the wire (encrypted).
hth
Herbert

Similar Messages

  • ASA Cut through proxy configuration

    Hi guys,
    I would like to configure limited internet access to only a select group of Windows AD users.
    I believe cut-through proxy will allow me to do this, just not sure how to configure it on a Cisco ASA-5510
    thanks

    The link given will definitely work; however, you would not be able to select access based on the AD group. If that is what you need to achieve and you have ASA version 8.0, you can use Cut-Through-Proxy together with DAP.
    Using Cut-Through-Proxy with a standard authentication server will only allow or reject depending on the authentication result, but any user within your AD schema will be able to get internet access. If you need to restrict this based on Windows groups as well, your best shot is Cut-Through-Proxy with DAP and LDAP:
    http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

  • ASA - cut through proxy authentication for RDP?

    I know how to set this up on a router (dynamic access-list - lock and key)... But, I'm having trouble understanding how to setup OUTSIDE to INSIDE cut through proxy authentication for RDP.
    OUTSIDE to INSIDE RDP is currently working.
    I have 2 servers I want RDP open for..
    - OUTSIDE 1.1.1.1 to INSIDE 10.10.70.100
    - OUTSIDE 1.1.1.2 to INSIDE 10.10.50.200
    What's required for OUTSIDE users to authenticate on the ASA before port 3389 opens? What I was hoping for is a way to SSH into this ASA, log in with a special user, then have the ASA add a dynamic ACE on the OUTSIDE interface to open 3389 for a designated time limit. Is this possible?
    Here is my current config.
    [code]
    ASA Version 8.2(5)
    hostname ASA5505
    names
    name 10.10.0.0 LANTraffic
    name 10.10.30.0 SALES
    name 10.10.40.0 FoodServices
    name 10.10.99.0 Management
    name 10.10.20.0 Office
    name 10.10.80.0 Printshop
    name 10.10.60.0 Regional
    name 10.10.70.0 Servers
    name 10.10.50.0 ShoreTel
    name 10.10.100.0 Surveillance
    name 10.10.90.0 Wireless
    interface Ethernet0/0
    description TO INTERNET
    switchport access vlan 11
    interface Ethernet0/1
    description TO INSIDE 3560X
    switchport access vlan 10
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    security-level 50
    no ip address
    interface Vlan10
    description Cisco 3560x
    nameif INSIDE
    security-level 100
    ip address 10.10.1.1 255.255.255.252
    interface Vlan11
    description Internet Interface
    nameif OUTSIDE
    security-level 0
    ip address 1.1.1.1 255.255.255.224
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    dns domain-lookup OUTSIDE
    dns server-group DefaultDNS
    name-server 8.8.8.8
    name-server 4.2.2.2
    domain-name test.local
    access-list RDP-INBOUND extended permit tcp any host 1.1.1.1 eq 3389
    access-list RDP-INBOUND extended permit tcp any host 1.1.1.2 eq 3389
    pager lines 24
    logging enable
    logging timestamp
    logging trap warnings
    logging device-id hostname
    logging host INSIDE 10.10.70.100
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    ip verify reverse-path interface OUTSIDE
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 interface
    nat (INSIDE) 1 LANTraffic 255.255.0.0
    static (INSIDE,OUTSIDE) tcp interface 3389 10.10.70.100 3389 netmask 255.255.255.255
    static (INSIDE,OUTSIDE) tcp 1.1.1.2 3389 10.10.50.200 3389 netmask 255.255.255.255
    access-group RDP-INBOUND in interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
    route INSIDE LANTraffic 255.255.0.0 10.10.1.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http Management 255.255.255.0 INSIDE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh 10.10.70.100 255.255.255.255 INSIDE
    ssh Management 255.255.255.0 INSIDE
    ssh 0.0.0.0 0.0.0.0 OUTSIDE
    ssh timeout 5
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection scanning-threat shun
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username scott password CNjeKgq88PLZXETE encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:1e9d278ce656f22829809f4c46b04a07
    : end
    [/code]

    You're running ASA 8.2(5). In 8.4(2) Cisco added support for what they call Identity Firewall rules. That is, you can make access-list entries specific to users (or object groups containing users).
    There's an overview document on this posted here. It's a bit dated but I believe the only change is that Cisco is now preferring use of the more current Context Directory Agent (CDA) - a free VM they provide - vs. the deprecated AD agent (software service that runs on your DC).

  • ASA - Cut-through proxy problem

    I have to configure my ASA 7.2.2 for cut-through proxy, but when the users use the authentication prompt,
    but only for (http://1.1.0.2/netaccess/connstatus.html), the ASA sends the following message:
    User Authentication
    User Authentication is not required.
    Help me.
    It is OK when one uses cut-through proxy by ACL:
    access-list ACL_INT extended permit tcp object-group PC-UAUTH_DYN host MVINCT19 eq www
    access-list ACL_AUTH line 1 extended permit tcp host poste_auvinet host MVINCT19 eq www
    aaa-server auth_inside protocol radius
    aaa-server auth_inside host SVR-ACS-IN
    key xxx
    username admin password xxx privilege 15
    aaa authentication match ACL_AUTH inside auth_inside
    aaa authentication listener http inside port www
    On a PIX 525 it is OK.

    Hi,
    The config looks good. Please remember that successful authentication is cached (show uauth) and until it expires the user will not need to authenticate again.
    Please clear uauth and see if it helps.
    Regards,
    Vivek

  • Hasn't anyone out here worked with cut-through proxy

    Hasn't anyone out here worked with cut-through proxy with ACS? Is there no one out here to help me out with cut-through proxy?
    sebastan

    Hi Sebastan,
    For your case, what does the scenario look like?
    Rgds,
    AK

  • ASA Cut Through (Authentication) Proxy for a Single ACL

    I have a customer that wants to authenticate users at the ASA before being allowed access from the outside into a payroll server on the DMZ.  I am aware of the cut through proxy feature, but doesn't that affect all traffic entering the DMZ?  Is there a way to only authenticate users accessing one server?

    Hi,
    Seems to me the easiest way to do this is if you are connecting to the destination server with either a browser or a CLI based connection.
    For example if its a browser based connection then you could configure
    username password privilege
    access-list PROXY-AUTH extended permit tcp any host eq http
    access-list PROXY-AUTH extended permit tcp any host eq https
    access-list PROXY-AUTH extended deny ip any any
    aaa authentication match PROXY-AUTH LAN LOCAL
    I don't think you even need the "deny" statement since there is an implicit deny at the end of each ACL
    Where "LAN" is my interface "nameif" connect to my LAN network.
    To my understanding, if you are using some application for this connection that doesn't apply in this situation, then you would have to configure this in another way and the user would have to first connect manually to the ASA for authentication and would then be allowed to connect to the resource.
    Have a look at this document for some help
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml
    Hope this helps
    - Jouni

  • Strange problem with cut-through proxy

    Hi,
    I have configured cut-through proxy on the router with ACS. I am facing a strange problem.
    My router's ethernet 3/0 interface IP address is 10.1.1.1/24, the ACS server is 10.1.1.2/24 and the host IP is 10.1.1.3/24.
    My router's e2/0 interface is connected to a server running a website.
    int e2/0
    no shutdown
    ip add 20.1.1.1/24
    exit
    the webserver is running on 20.1.1.2
    my router's config
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authorization auth-proxy default group tacacs+
    aaa authorization exec default group tacacs+
    tacacs-server host 10.1.1.2
    tacacs-server key cisco
    ip http server
    ip http authentication aaa
    ip access-list 101 permit tcp host 10.1.1.2 eq tacacs host 10.1.1.1
    ip auth-proxy name auth http
    int e3/0
    no shutdown
    ip add 10.1.1.1/24
    ip access-group 101 in
    ip auth-proxy auth
    exit
    On the ACS server, in the TACACS+ IOS,
    I have selected auth-proxy in the services for users and groups.
    I have created a user john with privilege level 15.
    I have selected auth-proxy and custom attributes:
    proxyacl#1=permit tcp any any priv-lvl=15
    I get the auth-proxy login page when the host on 10.1.1.3 is trying to access the 20.1.1.2 web site.
    After putting in the login credentials I get authentication failed.
    I tried the debug. I see the router is sending the authentication login and password and getting the status from the ACS as pass. I also see the auth-proxy triggered. In there I see
    AUTH-PROXY PROTOCOL NOT CONFIGURED.
    Could someone please help me with what could be the problem? I have tried many times to get this to work, but have not been fortunate enough.
    Am I missing any commands on the router or on the ACS? I tried doing as in the example mentioned in the student guide but still failed. Please help. Waiting for some reply.
    sebastan

    Check out the following link...
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html

  • Pix cut-through proxy

    a quick question since I do not have access to a pix I can not confirm it
    say, I want to do pix cut-through proxy and authenticate access via tacacs on per user basis.
    I want the user to access smtp user inside the pix will go through tacacs authentication.
    my question is "do I need a statement for http on the access-list ?"
    thank you.
    here is the config
    PIX-525# wr t
    PIX Version 6.3(1)
    access-list 100 permit tcp any host 155.1.1.4 eq http
    access-list 100 permit tcp any host 155.1.1.4 eq smtp
    access-list 150 permit tcp any host 155.1.1.4 eq http
    access-list 150 permit tcp any host 155.1.1.4 eq smtp
    access-group 100 in interface outside
    static (inside,outside) 155.1.1.4 192.168.1.4 netmask 255.255.255.255 0 0
    aaa-server AUTHEN protocol tacacs
    aaa authentication match 150 outside AUTHEN

    Cut-through proxy is a feature unique to PIX Firewall that allows user-based authentication of inbound or outbound connections. A proxy server analyzes every packet at layer seven of the OSI model, which is a time- and processing-intensive function. By contrast, the PIX Firewall uses cut-through proxy to authenticate a connection and then allow traffic to flow quickly and directly.
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172790.html

  • Cut-Through Proxy / Authentication Proxy on Cisco ASA using ISE as AAA Server for allocating SGTs

    Hi,
    We are trying to setup ASA to do cut-through authentication proxy, and use ISE as RADIUS. We can successfully authenticate the user from Radius on the ASA, while he opens a web-page, but then it displays the error: authorization denied.
    What we want:
    ISE to allocate a security group tag to the user session when he logs in; that tag would be carried within our Cisco network infrastructure to define the access policy for that user.
    Can someone please help me with a sort of step by step thing for ISE configuration to allocate SGTs/SGACL for the user session after authentication is completed.
    Thanks
    Lovleen

    Please refer to below step by step config guide for security group access policies
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_sga_pol.html

  • ASA , Cisco VPN client with RADIUS authentication

    Hi,
    I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
    All seems to be working: I get connected and authenticated. However, even though I use the user name and password from Active Directory when connecting with the Cisco VPN client, I still have to provide these credentials once again when accessing domain resources.
    Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
    Thank you.
    Kind regards,
    Alex

    Hi Alex,
    It is working as it should.
    You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
    thanks
    John

  • Does Juniper have anything similar to Cisco's 'cut-thru proxy?

    Has anyone configured a Juniper to authorize users 'thru' a firewall?
    Sent from Cisco Technical Support iPad App

    Hi Bro
    You're lucky I'm in a good mood today. Normally, I won't answer questions pertaining to non Cisco products, because I have less faith in them but I guess I'll answer your question.
    Yes, Juniper Netscreen FW do have similar feature with Cisco Cut-Through Proxy. It's called WebAuth. For further details on this, please click on this URL http://kb.juniper.net/InfoCenter/index?page=content&id=KB4103
    Here are some extra info for you :-)
    a) Only FTP/Telnet/HTTP are supported if you want to have transparent interception.
    OR
    b) If you want to let all users to be authenticated first then the option is WebAuth in which user has to manually type in the WebAuth Server IP Address configured at NetScreen to authenticate themselves before they are granted access to any services
    c) Only Local Database, RADIUS and LDAP authentication source are supported (No TACACS support as opposed to PIX/ASA)
    P/S: if you think this comment is useful, please mark this question as answers and rate this comment nicely :-)

  • Cut-through/direct authentication connection being denied

    I'm trying to set up a firewall so an outside user can authenticate to the firewall, then RDP directly to a workstation.
    Here's what I've got:
    aaa authentication match authmatch outside LOCAL
    aaa authentication listener http outside port 5555
    access-list authmatch extended permit tcp any host 111.111.111.162 eq 3391
    access-list authmatch extended permit tcp any host 111.111.111.162 eq 5555
    static (inside,outside) tcp interface 3391 192.168.1.101 3389 netmask 255.255.255.255
    I can connect to the web page and authenticate successfully.
    6          Aug 21 2012          06:00:33                    222.222.222.146          0 222.222.222.146          0          Authentication succeeded for user 'USER1' from 222.222.222.146/0 to 222.222.222.146/0 on interface outside
    But, when I try to RDP in on 3391, it's not hitting the authmatch access list.   It's hitting the outside_access_in access list and it's denied by the default deny.
    4          Aug 21 2012          06:04:26 222.222.222.146          50414 111.111.111.162          3391          Deny tcp src outside:222.222.222.146/50414 dst inside:111.111.111.162/3391 by access-group "outside_access_in" [0x0, 0x0]
    Why won't it hit the correct access-list?
    Thanks,
    - Marc

    Hello Marc,
    What Karthik is telling you is the following:
    - The cut through proxy adds additional control regarding the connections across your firewall, by using the ASA as a proxy, but you still need to allow the traffic on the proper ACLs on the interfaces of your ASA.
    So just create an ACL entry in the outside ACL permitting traffic to port 3391; of course only the authenticated users will successfully connect.
    Regards,
    Remember to rate all the helpful posts
    Julio
    CCSP

  • LEAP Radius proxy with PEAPv0

    I'm doing a lab using Cisco ACS 4.1 LEAP Proxy RADIUS External User Database, and it works fine but I don't understand why. So, I don't know if it's a stable solution.
    I have the following scenario:
    WinXP SP2
    PEAPv0 (EAP-MSCHAPv2)
    |
    v
    Cisco 3640
    802.1x Wired Port Access Control
    |
    v
    Cisco ACS 4.1
    External User Database
    LEAP Proxy RADIUS
    |
    v
    Freeradius 2.0.1
    MS-CHAPv1 user + MPPE MS Extension
    I'm using the native WinXP SP2 802.1x supplicant client (EAP-MSCHAPv2), to link a Cisco 3640 FE port protected by dot1x. The IOS is configured to authenticate with a Cisco ACS 4.1, where I'm created a user that use as External User Database a LEAP Proxy RADIUS, with destination a Freeradius in the Backend.
    Then, I configured the Freeradius to authenticate the user using MSCHAPv1 (+ MS-CHAP-MPPE-Keys with the use_mppe parameter option set in the config). And it works!
    So, my questions are:
    1) Does the Cisco ACS LEAP Proxy RADIUS feature work also with PEAPv0?
    3) Does the ACS internally translate the MSCHAPv2 challenge response to a MSCHAPv1 challenge response? Are they compatible?
    2) Is this a stable solution?
    Regards
    FP

    Thanks for your reply, but I'm sure the ACS can internally translate the challenges, because my lab works. Please remember, my WinXP is configured to use MSCHAPv2, and my Freeradius is configured to use MSCHAPv1. The only restrictions they have are that the Freeradius has to send the MS-CHAP-MPPE-Keys, and the Cisco ACS has to be configured to use LEAP Proxy RADIUS as External User Database.
    Another interesting test I did was to modify the MS-CHAP-MPPE-Keys in the Freeradius response (changing the rlm_mschap module). Normally it's composed of 8 bytes from LM-Password (a hash of the plain password) and 16 bytes from NT-Password (another hash of the plain password). Changing the LM-Password portion to zeros, the authentication still works! But changing one byte of the NT-Password portion, the authentication fails... so, only the NT-Password is needed to proxy MSCHAPv2 to MSCHAPv1.
    My problem is that my backend RADIUS only supports MSCHAPv2, and I need to put the Cisco ACS in the frontend. So, the question is, is it theoretically possible to proxy MSCHAPv1 to MSCHAPv2? If it's possible, I will probably use a Freeradius to work as a proxy between them...

  • Web-Proxy(cut-through) without ACS on 55xx

    Is it possible? All I have read about it requires an external server.

    I think that is a limitation of IOS Auth-Proxy and not ASA/PIX Cut-Through.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfauthp.htm#wp1001164
    However, AFAIK you can only authenticate using the local password database and not authorize using it (for CUT-THROUGH). Have a look at this table:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1069492
    Please rate if helpful.
    Regards
    Farrukh

  • OSB 11g with  PASS-THROUGH PROXY

    hello all,
    I am designing on the latest Fusion Middleware 11g Release 1 (11.1.1.5.0)
    a http soap based osb proxy service wrapped around owsm saml2.0- sender- vouches-message-protection service policy
    a http soap based osb business service wrapped around owsm saml2.0- sender- vouches-message-protection client policy
    a standalone client is calling this Passive Intermediary Proxy
    In case of pass-through proxy service,
    I would like to know that is it necessary that the policy contract between client --->proxy should be similar to proxy--->backend
    I think so, because the proxy is not at all touching the entire stuff starting from <soap:envelope>.........</soap:envelope>
    So client-sent tokens etc. must match with what back end service requires.
    In general, what am I buying by routing the client call through a pass-through proxy service if the back-end webservice requires that the entire message must be encrypted? In this case there is nothing open for the proxy to view and make any decisions based on that through its pipeline pairs etc.

    Check out the following link...
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html
