Eugene,

Here's the config you're probably looking for:

access-list CTP extended permit tcp any any eq 3389
access-list CTP extended permit tcp any any eq 2222
!
aaa authentication match CTP inside LOCAL
aaa authentication listener https inside port 2222 redirect

With this config your users can connect directly to the ASA's inside IP
address using the following URL:

https://10.1.1.10:2222/netaccess/loginuser.html

Regards,
Piotr
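A small config-review helper, added here and not part of the thread or of any Cisco tooling: it parses the ASA lines above and reports, for each aaa authentication listener, whether the redirect keyword is present and whether the match ACL on that interface permits the listener port itself, which are the two points on which this config differs from Eugene's original one quoted further down. The default port assumed for a listener without a port keyword (80 for http, 443 for https) is an assumption about ASA behaviour, not something stated in the thread.

```python
import re

# Constructed samples: the working config Piotr posted above and Eugene's
# original one from further down the thread (both copied from this thread).
CONFIG_WORKING = """
access-list CTP extended permit tcp any any eq 3389
access-list CTP extended permit tcp any any eq 2222
!
aaa authentication match CTP inside LOCAL
aaa authentication listener https inside port 2222 redirect
"""
CONFIG_ORIGINAL = """
access-list CTP_AUTH extended permit tcp any any eq https
access-list CTP_AUTH extended permit tcp any any eq 3389
access-list CTP_AUTH extended permit tcp any any eq ssh
aaa authentication match CTP_AUTH inside LOCAL
aaa authentication listener https inside port 1111
"""
# Service names the ACL 'eq' clause may use instead of a number (subset).
NAMED_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443}
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+tcp\s+.*\beq\s+(\S+)$")
MATCH_RE = re.compile(r"^aaa\s+authentication\s+match\s+(\S+)\s+(\S+)\s+(\S+)$")
LISTENER_RE = re.compile(r"^aaa\s+authentication\s+listener\s+(https?)\s+(\S+)(?:\s+port\s+(\d+))?(\s+redirect)?$")

def port_number(token):
    return NAMED_PORTS.get(token.lower()) or int(token)

def review_cut_through_proxy(config):
    acl_ports = {}   # ACL name -> set of TCP ports it permits
    match_acl = {}   # interface -> ACL named in 'aaa authentication match'
    listeners = []
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acl_ports.setdefault(m.group(1), set()).add(port_number(m.group(2)))
        elif m := MATCH_RE.match(line):
            match_acl[m.group(2)] = m.group(1)
        elif m := LISTENER_RE.match(line):
            proto, iface, port, redirect = m.groups()
            # Assumed listener default port: 80 for http, 443 for https.
            listeners.append({"proto": proto, "iface": iface, "redirect": bool(redirect),
                              "port": int(port) if port else (443 if proto == "https" else 80)})
    # One report entry per listener: which ACL the interface authenticates against
    # and whether that ACL permits the listener port itself.
    report = []
    for lst in listeners:
        acl = match_acl.get(lst["iface"])
        report.append({**lst, "match_acl": acl, "port_in_acl": lst["port"] in acl_ports.get(acl, set())})
    return report
```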


2012/1/5 Eugene Pefti <[email protected]>

> Ok, we almost did it.
>
> Whatever new about CTP is published at different sources says the
> technology is still the same: the PIX/ASA authentication kicks in whenever
> there is through traffic.
>
> It would be a great feature to have a direct authentication without
> "virtual HTTP" for two reasons:
>
> 1) It could be secured via HTTPS
>
> 2) No need for an additional IP address
>
>
> Eugene
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Piotr Matusiak
> Sent: 05 January 2012 09:00
> To: Diego Cambronero
>
> Cc: ccie security
> Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication
> with HTTP redirection
>
>
> Nope, Virtual IP is a different IP address where ASA will listen on.
>
>
> 2012/1/5 Diego Cambronero <[email protected]>
>
> Correct me if I am wrong. Virtual http or telnet uses the IP address of
> the ASA and the aaa listener uses a connection through the ASA to authenticate.
>
>
>
> On 05/01/2012, at 08:43 a.m., Piotr Matusiak <[email protected]> wrote:
>
> Hi Kings,
>
> As I said to Eugene, in this case direct auth will not work because the ASA
> thinks that this is an ASDM connection.
> Enable logging and see the messages.
>
> Regards,
> Piotr
>
>
> 2012/1/5 Kingsley Charles <[email protected]>
>
> Hi Piotr
>
> Has direct authentication worked for you? I have tried pointing my browser
> to the outside interface IP with both http port 8080 and https port 4443
> but it doesn't work with the following configuration.
>
> aaa authentication listener http outside port 8080 redirect
> aaa authentication listener https outside port 4443 redirect
>
> With regards
> Kings
>
>
> On Thu, Jan 5, 2012 at 12:45 PM, Piotr Matusiak <[email protected]> wrote:
>
> OK, so it should also work without virtual IP but you must connect to
> something behind the ASA. If you want to authenticate your users connecting
> to the ASA you must use virtual IP.
>
> Regards,
> Piotr
>
>
>
> 2012/1/5 Eugene Pefti <[email protected]>
>
> Thanks, Piotr,
>
> I thought that "virtual http" and "authentication listener" are two
> different methods. And using "virtual http" requires an additional IP
> address, which is a luxury in my case ;)
>
>
> Eugene
>
>
> From: Piotr Matusiak [mailto:[email protected]]
> Sent: 04 January 2012 04:04
> To: Eugene Pefti
> Cc: ccie security
> Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication
> with HTTP redirection
>
>
> Hi Eugene,
>
> The ASA tries to open up an ASDM connection.
>
> To achieve what you want, configure the following:
>
> virtual http 192.168.1.99
> aaa authentication listener https inside port 1111 redirect
>
>
> Then you'll be able to connect to https://192.168.1.99 and be redirected
> to port 1111.
>
> Regards,
> Piotr
>
> 2012/1/4 Eugene Pefti <[email protected]>
>
> Hello everyone,
>
> I started the New Year with my resolution to get back to CCIE studies
> and immediately I was challenged by a client of ours asking us to configure
> network access controls for them with cut-through proxy authentication.
>
> Their particular task was to authenticate the traffic that is not part
> of the four well-known protocols (FTP, Telnet, HTTP and HTTPS) that would
> trigger authentication in the classic situation.
>
> They need to authenticate RDP and SSH traffic through the ASA and I
> followed this document published at the Cisco support forum:
>
> https://supportforums.cisco.com/docs/DOC-14842
>
>
> My intention was to have users open their web browser, connect to the ASA
> interface IP address via HTTPS, authenticate and, voila, the RDP and SSH
> traffic defined in the authentication ACL would be authenticated.
>
>
> I.e.
>
> access-list CTP_AUTH extended permit tcp any any eq https
> access-list CTP_AUTH extended permit tcp any any eq 3389
> access-list CTP_AUTH extended permit tcp any any eq ssh
>
>
> aaa authentication match CTP_AUTH inside LOCAL
>
> aaa authentication listener https inside port 1111
>
>
> Then I go to https://192.168.1.200:1111 (where 192.168.1.200 is the ASA
> inside IP address) to authenticate against a local user database and it
> doesn't work. The ASA rewrites the URL and says "File not found".
>
> I don't want to use virtual HTTP for the reasons described in the above
> said document. Am I missing something? Is it really an improvement or just
> a documentation defect misleading people?
>
>
> Eugene
>
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
>