Correct me if I am wrong. Virtual http or telnet uses the IP address of the ASA, and the aaa listener uses a connection through the ASA to authenticate.
On 05/01/2012, at 08:43 a.m., Piotr Matusiak <[email protected]> wrote:

> Hi Kings,
>
> As I said to Eugene, in this case direct auth will not work because the ASA
> thinks that this is an ASDM connection.
> Enable logging and see the messages.
>
> Regards,
> Piotr
>
>
> 2012/1/5 Kingsley Charles <[email protected]>
>
> Hi Piotr
>
> Has direct authentication worked for you? I have tried pointing my browser to
> the outside interface IP with both http port 8080 and https port 4443 but it
> doesn't work with the following configuration.
>
>   aaa authentication listener http outside port 8080 redirect
>   aaa authentication listener https outside port 4443 redirect
>
> With regards
> Kings
>
>
> On Thu, Jan 5, 2012 at 12:45 PM, Piotr Matusiak <[email protected]> wrote:
>
> OK, so it should also work without virtual IP but you must connect to
> something behind the ASA. If you want to authenticate your users connecting
> to the ASA you must use virtual IP.
>
> Regards,
> Piotr
>
>
> 2012/1/5 Eugene Pefti <[email protected]>
>
> Thanks, Piotr,
>
> I thought that "virtual http" and "authentication listener" are two different
> methods. And using "virtual http" requires an additional IP address, which is
> a luxury in my case ;)
>
> Eugene
>
> From: Piotr Matusiak [mailto:[email protected]]
> Sent: 04 January 2012 04:04
> To: Eugene Pefti
> Cc: ccie security
> Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP redirection
>
> Hi Eugene,
>
> The ASA tries to open up an ASDM connection.
>
> To achieve what you want, configure the following:
>
>   virtual http 192.168.1.99
>   aaa authentication listener https inside port 1111 redirect
>
> Then you'll be able to connect to https://192.168.1.99 and be redirected to
> port 1111.
>
> Regards,
> Piotr
>
>
> 2012/1/4 Eugene Pefti <[email protected]>
>
> Hello everyone,
>
> I started the new year with my resolution to get back to CCIE studies and
> immediately I was challenged by a client of ours asking us to configure
> network access controls with cut-through proxy authentication.
>
> Their particular task was to authenticate the traffic that is not part of the
> four well-known protocols (FTP, Telnet, HTTP and HTTPS) that would trigger
> authentication in the classic situation.
>
> They need to authenticate RDP and SSH traffic through the ASA and I followed
> this document published at the Cisco support forum:
>
> https://supportforums.cisco.com/docs/DOC-14842
>
> My intention was to have users open their web browser, connect to the ASA
> interface IP address via HTTPS, authenticate and voila, the RDP and SSH
> traffic defined in the authentication ACL would be authenticated.
>
> I.e.
>
>   access-list CTP_AUTH extended permit tcp any any eq https
>   access-list CTP_AUTH extended permit tcp any any eq 3389
>   access-list CTP_AUTH extended permit tcp any any eq ssh
>
>   aaa authentication match CTP_AUTH inside LOCAL
>   aaa authentication listener https inside port 1111
>
> Then I go to https://192.168.1.200:1111 (where 192.168.1.200 is the ASA
> inside IP address) to authenticate against a local user database and it
> doesn't work. The ASA rewrites the URL and says "File not found".
>
> I don't want to use virtual HTTP for the reasons described in the above said
> document. Am I missing something? Is it really an improvement or just a
> documentation defect misleading people?
>
> Eugene
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
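The thread contrasts two ways of getting a browser session to the ASA's authentication listener: the listener on its own (which only works when the user first browses to a host behind the ASA, so that HTTPS flow can be redirected) and the `virtual http` address Piotr suggests, plus the logging check he recommends. The configuration below is an added example, not a configuration posted by anyone in the thread; it reuses the thread's addresses (192.168.1.200 as the inside interface, 192.168.1.99 as the virtual HTTP address) and the `CTP_AUTH` ACL, while the user name `labuser` and its password are constructed placeholders.

```cisco
! Added example configuration (not from any poster in the thread).
! 192.168.1.200 is the ASA inside interface; 192.168.1.99 is a spare
! address on the same subnet used as the virtual HTTP address.
! The user name and password are constructed placeholders.
!
! --- Flows that must be authenticated before they are allowed through ---
! HTTPS stays in the ACL so that a browser session through the ASA can be
! redirected to the listener. RDP and SSH cannot be redirected; they are
! only let through once the source IP already holds an authenticated
! uauth entry.
access-list CTP_AUTH extended permit tcp any any eq https
access-list CTP_AUTH extended permit tcp any any eq 3389
access-list CTP_AUTH extended permit tcp any any eq ssh
!
username labuser password PLACEHOLDER_PASSWORD
aaa authentication match CTP_AUTH inside LOCAL
!
! --- Variant A: listener only (Eugene's attempt, with redirect added) ---
! Works when the user first browses to a host *behind* the ASA: that HTTPS
! flow matches CTP_AUTH and is redirected to port 1111. Browsing straight to
! https://192.168.1.200:1111 does not work, because the ASA treats a
! connection to its own interface address as an ASDM request.
aaa authentication listener https inside port 1111 redirect
!
! --- Variant B: add a virtual HTTP address (Piotr's suggestion) ---
! Users browse to https://192.168.1.99 and are redirected to port 1111.
! The address is owned by the ASA but is not an interface address, so the
! ASDM path is not taken.
virtual http 192.168.1.99
aaa authentication listener https inside port 1111 redirect
! Optional: force the login prompt itself to be served over HTTPS.
aaa authentication secure-http-client
!
! --- Session lifetime: re-authenticate after 5 minutes idle ---
timeout uauth 0:05:00 inactivity
!
! --- Checks Piotr recommends: enable logging and watch the messages ---
logging enable
logging buffered informational
!
! After a user authenticates, the source IP should be listed with the
! user name and the remaining timers:
!   show uauth
! To force a re-authentication while testing:
!   clear uauth
```

Only one of the two variants is needed; they are shown together so the difference is visible. With either, `show uauth` is the quickest way to confirm that the browser login actually produced an entry for the client's source address before testing the RDP or SSH flow.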
