Thanks, Piotr, I thought that "virtual http" and "authentication listener" were two different methods. And using "virtual http" requires an additional IP address, which is a luxury in my case ;)

Eugene

From: Piotr Matusiak [mailto:[email protected]]
Sent: 04 January 2012 04:04
To: Eugene Pefti
Cc: ccie security
Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP redirection

Hi Eugene,

The ASA tries to open up an ASDM connection. To achieve what you want, configure the following:

virtual http 192.168.1.99
aaa authentication listener https inside port 1111 redirect

Then you'll be able to connect to https://192.168.1.99 and be redirected to port 1111.

Regards,
Piotr

2012/1/4 Eugene Pefti <[email protected]>

Hello everyone,

I started the New Year with my resolution to get back to CCIE studies and immediately I was challenged by a client of ours asking us to configure network access controls with cut-through proxy authentication for them. Their particular task was to authenticate the traffic that is not part of the four well-known protocols (FTP, Telnet, HTTP and HTTPS) that would trigger authentication in the classic situation. They need to authenticate RDP and SSH traffic through the ASA and I followed this document published on the Cisco support forum: https://supportforums.cisco.com/docs/DOC-14842

My intention was to have users open their web browser, connect to the ASA interface IP address via HTTPS, authenticate and voila, the RDP and SSH traffic defined in the authentication ACL would be authenticated. I.e.

access-list CTP_AUTH extended permit tcp any any eq https
access-list CTP_AUTH extended permit tcp any any eq 3389
access-list CTP_AUTH extended permit tcp any any eq ssh
aaa authentication match CTP_AUTH inside LOCAL
aaa authentication listener https inside port 1111

Then I go to https://192.168.1.200:1111 (where 192.168.1.200 is the ASA inside IP address) to authenticate against the local user database and it doesn't work. The ASA rewrites the URL and says "File not found". I don't want to use virtual HTTP for the reasons described in the above-mentioned document. Am I missing something?

Is it really an improvement or just a documentation defect misleading people?

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
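As an added example (not taken from the thread or from the Cisco document it cites), here is a complete cut-through proxy configuration that combines Piotr's two lines with Eugene's ACL. The address 192.168.1.99 for `virtual http` is assumed to be an unused address on the inside subnet, the local user is a constructed placeholder, and the `timeout uauth` line is a standard ASA command added so authenticated sessions expire.

```cisco
! Local account used for cut-through proxy logins (constructed placeholder)
username ctpuser password <set-a-strong-password>
! Traffic that must be authenticated before the ASA lets it through
access-list CTP_AUTH extended permit tcp any any eq https
access-list CTP_AUTH extended permit tcp any any eq 3389
access-list CTP_AUTH extended permit tcp any any eq ssh
aaa authentication match CTP_AUTH inside LOCAL
! Spare inside-subnet address the ASA answers on for authentication requests
virtual http 192.168.1.99
! Listener on a non-standard port so it does not collide with ASDM on 443;
! "redirect" sends browser requests for the virtual address to this listener
aaa authentication listener https inside port 1111 redirect
! Expire authenticated sessions: 30 minutes absolute, 5 minutes idle, so a
! shared workstation does not stay authenticated after the user walks away
timeout uauth 0:30:00 absolute uauth 0:05:00 inactivity
```

After a user authenticates at https://192.168.1.99, `show uauth` lists the authenticated source address with the time left on its session, and `clear uauth` removes it.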
