Hi Kings,

As I said to Eugene, in this case direct auth will not work because the ASA thinks that this is an ASDM connection. Enable logging and see the messages.

Regards,
Piotr

2012/1/5 Kingsley Charles <[email protected]>

> Hi Piotr
>
> Has direct authentication worked for you? I have tried pointing my browser
> to the outside interface IP with both http port 8080 and https port 4443
> but it doesn't work with the following configuration.
>
> aaa authentication listener http outside port 8080 redirect
> aaa authentication listener https outside port 4443 redirect
>
> With regards
> Kings
>
> On Thu, Jan 5, 2012 at 12:45 PM, Piotr Matusiak <[email protected]> wrote:
>
>> OK, so it should also work without virtual IP but you must connect to
>> something behind the ASA. If you want to authenticate your users connecting
>> to the ASA you must use virtual IP.
>>
>> Regards,
>> Piotr
>>
>> 2012/1/5 Eugene Pefti <[email protected]>
>>
>>> Thanks, Piotr,
>>>
>>> I thought that "virtual http" and "authentication listener" are two
>>> different methods. And using "virtual http" requires an additional IP
>>> address, which is a luxury in my case ;)
>>>
>>> Eugene
>>>
>>> From: Piotr Matusiak [mailto:[email protected]]
>>> Sent: 04 January 2012 04:04
>>> To: Eugene Pefti
>>> Cc: ccie security
>>> Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP redirection
>>>
>>> Hi Eugene,
>>>
>>> The ASA tries to open up an ASDM connection.
>>>
>>> To achieve what you want, configure the following:
>>>
>>> virtual http 192.168.1.99
>>> aaa authentication listener https inside port 1111 redirect
>>>
>>> Then you'll be able to connect to https://192.168.1.99 and be
>>> redirected to port 1111
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2012/1/4 Eugene Pefti <[email protected]>
>>>
>>> Hello everyone,
>>>
>>> I started the New Year with my resolution to get back to CCIE studies,
>>> and immediately I was challenged by a client of ours asking us to configure
>>> network access controls for them with cut-through proxy authentication.
>>>
>>> Their particular task was to authenticate the traffic that is not part
>>> of the four well-known protocols (FTP, Telnet, HTTP and HTTPS) that would
>>> trigger authentication in the classic situation.
>>>
>>> They need to authenticate RDP and SSH traffic through the ASA, and I
>>> followed this document published on the Cisco support forum:
>>>
>>> https://supportforums.cisco.com/docs/DOC-14842
>>>
>>> My intention was to have users open their web browser, connect to the
>>> ASA interface IP address via HTTPS, authenticate and voila, the RDP and SSH
>>> traffic defined in the authentication ACL would be authenticated.
>>>
>>> I.e.
>>>
>>> access-list CTP_AUTH extended permit tcp any any eq https
>>> access-list CTP_AUTH extended permit tcp any any eq 3389
>>> access-list CTP_AUTH extended permit tcp any any eq ssh
>>>
>>> aaa authentication match CTP_AUTH inside LOCAL
>>>
>>> aaa authentication listener https inside port 1111
>>>
>>> Then I go to https://192.168.1.200:1111 (where 192.168.1.200 is the ASA
>>> inside IP address) to authenticate against a local user database, and it
>>> doesn't work. The ASA rewrites the URL and says "File not found".
>>>
>>> I don't want to use virtual HTTP for the reasons described in the above
>>> said document. Am I missing something? Is it really an improvement or just
>>> a documentation defect misleading people?
>>>
>>> Eugene
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training,
>>> please visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
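For reference, here is the configuration the thread converges on, assembled as an added example rather than copied from any of the mails. The ACL name, the inside interface address 192.168.1.200, the virtual HTTP address 192.168.1.99 and listener port 1111 are taken from Eugene's and Piotr's messages; the local username, the uauth timeout and the logging level are assumptions added for a complete, testable lab setup.

```cisco
! Added example: ASA cut-through proxy for RDP and SSH, authenticated via a
! browser logon to a virtual HTTP address (per Piotr's advice in this thread).
!
! 1. Traffic that must be authenticated before it is allowed through.
!    HTTPS is in the list so that the browser connection to the virtual
!    address itself triggers the authentication prompt; 3389 and ssh then
!    ride on the uauth entry created for the client's source IP.
access-list CTP_AUTH extended permit tcp any any eq https
access-list CTP_AUTH extended permit tcp any any eq 3389
access-list CTP_AUTH extended permit tcp any any eq ssh

! 2. Local user for the lab (assumption; in production point this at
!    AAA server group instead of LOCAL).
username ctpuser password ChangeMe123

! 3. Cut-through proxy: match the ACL on the inside interface, authenticate
!    against the local database.
aaa authentication match CTP_AUTH inside LOCAL

! 4. The part that was missing in the original post.
!    Browsing to the ASA's own inside address (192.168.1.200) is treated as a
!    management (ASDM) connection, which is why the listener alone returned
!    "File not found". The virtual HTTP address must be an unused IP that is
!    reachable through the ASA; the ASA answers for it and redirects the
!    browser to the listener port.
virtual http 192.168.1.99
aaa authentication listener https inside port 1111 redirect

! 5. How long an authenticated source IP stays authorised (assumption).
timeout uauth 0:05:00 absolute

! 6. Logging, so the auth decision is visible while testing
!    (Piotr: "enable logging and see the messages").
logging enable
logging buffered informational

! --- Verification ---
! From a client on the inside, open https://192.168.1.99 ; expect a redirect
! to https://192.168.1.99:1111 and a logon page. After logging on:
!   show uauth            ! client IP should appear with user ctpuser
!   show logging          ! look for the AAA authentication messages
!   clear uauth           ! drop the entry to re-test from scratch
```

Two caveats a practitioner will want: the virtual address and the ACL entry for HTTPS belong together, since without the HTTPS match the browser connection never hits the cut-through proxy and no uauth entry is created for the later RDP/SSH sessions; and Kingsley's outside-interface variant in the thread (listeners on 8080/4443 pointed at the interface IP) fails for the same reason Piotr gives, so the same virtual HTTP approach applies there.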
