Nice that you figured it out. It seems you're inquisitive enough to be a CCIE soon.
Regards,
Piotr

2012/1/5 Eugene Pefti <[email protected]>
> Yes, Piotr,
>
> This is the way to do it. I figured it out on my own just about an hour ago. I was sending the HTTPS traffic through the ASA and it intercepted it and redirected to its own rudimentary web page with the login form.
>
> And it rewrote the URL to be almost like you provided, namely it was https://xxx.xxx.xxx.xxx:2222/netaccess/connstatus.html
>
> Technically there’s no difference between yours and the above said as it still lands on the login page.
>
> My mistake was to use https://xxx.xxx.xxx.xxx:2222/
>
> It redirected me nowhere and I ended up with a rewritten URL like https://192.168.1.200/+CSCOE+/logon.html?a0=0&a1=&a2=&a3=1
>
> And “File not found” on the webpage
>
> Again, lessons learnt,
>
> 1) don’t entirely trust whatever you read on Cisco documentation
> 2) dig and dig and dig around
> 3) ask nice and knowledgeable people at CCIE Security forum ;))
>
> Cheers,
> Eugene
>
> From: Piotr Matusiak [mailto:[email protected]]
> Sent: 05 January 2012 13:09
> To: Eugene Pefti
> Cc: Diego Cambronero; ccie security
> Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP redirection
>
> Eugene,
>
> Here's the config you're probably looking for:
>
> access-list CTP extended permit tcp any any eq 3389
> access-list CTP extended permit tcp any any eq 2222
> !
> aaa authentication match CTP inside LOCAL
> aaa authentication listener https inside port 2222 redirect
>
> With this config your users can connect directly to the ASA's Inside IP address using the following url:
>
> https://10.1.1.10:2222/netaccess/loginuser.html
>
> Regards,
> Piotr
>
> 2012/1/5 Eugene Pefti <[email protected]>
>
> Ok, we almost did it.
>
> Whatever new about CTP is published at different sources says the technology is still the same – the PIX/ASA authentication kicks in whenever there’s through traffic.
>
> It would be a great feature to have a direct authentication without “virtual HTTP” for two reasons:
>
> 1) It could be secure via HTTPs
> 2) No need for an additional IP address
>
> Eugene
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Piotr Matusiak
> Sent: 05 January 2012 09:00
> To: Diego Cambronero
> Cc: ccie security
> Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP redirection
>
> Nope, Virtual IP is a different IP address where ASA will listen on.
>
> 2012/1/5 Diego Cambronero <[email protected]>
>
> Correct me if I am wrong. Virtual http or telnet uses the ip address of the ASA and the aaa listen uses connection through the ASA to authenticate
>
> On 05/01/2012, at 08:43 a.m., Piotr Matusiak <[email protected]> wrote:
>
> Hi Kings,
>
> As I said to Eugene, in this case direct auth will not work because ASA thinks that this is ASDM connection. Enable logging and see the messages.
>
> Regards,
> Piotr
>
> 2012/1/5 Kingsley Charles <[email protected]>
>
> Hi Piotr
>
> Has Direct authentication worked for you? I have tried pointing my browser to the outside interface IP with both http port 8080 and https port 4443 but it doesn't work with the following configuration.
>
> aaa authentication listener http outside port 8080 redirect
> aaa authentication listener https outside port 4443 redirect
>
> With regards
> Kings
>
> On Thu, Jan 5, 2012 at 12:45 PM, Piotr Matusiak <[email protected]> wrote:
>
> OK, so it should also work without virtual IP but you must connect to something behind the ASA. If you want to authenticate your users connecting to the ASA you must use virtual IP.
>
> Regards,
> Piotr
>
> 2012/1/5 Eugene Pefti <[email protected]>
>
> Thanks, Piotr,
>
> I thought that “virtual http” and “authentication listener” are two different methods. And using “virtual http” requires an additional IP address which is a luxury in my case ;)
>
> Eugene
>
> From: Piotr Matusiak [mailto:[email protected]]
> Sent: 04 January 2012 04:04
> To: Eugene Pefti
> Cc: ccie security
> Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP redirection
>
> Hi Eugene,
>
> The ASA tries to open up ASDM connection.
>
> To achieve what you want configure the following:
>
> virtual http 192.168.1.99
> aaa authentication listener https inside port 1111 redirect
>
> Then you'll be able to connect to https://192.168.1.99 and be redirected to port 1111
>
> Regards,
> Piotr
>
> 2012/1/4 Eugene Pefti <[email protected]>
>
> Hello everyone,
>
> I started the New Year with my resolution to get back to CCIE studies and immediately I was challenged by a client of ours asking us to configure their network access controls with cut-through proxy authentication.
>
> Their particular task was to authenticate the traffic that is not part of the four well-known protocols (FTP, Telnet, HTTP and HTTPs) that would trigger authentication in the classic situation.
>
> They need to authenticate RDP and SSH traffic through the ASA and I followed this document published at Cisco support forum:
>
> https://supportforums.cisco.com/docs/DOC-14842
>
> My intention was to have users open their web browser, connect to the ASA interface IP address via HTTPS, authenticate and voila, the RDP and SSH traffic defined in the authentication ACL would be authenticated.
>
> I.e.
>
> access-list CTP_AUTH extended permit tcp any any eq https
> access-list CTP_AUTH extended permit tcp any any eq 3389
> access-list CTP_AUTH extended permit tcp any any eq ssh
>
> aaa authentication match CTP_AUTH inside LOCAL
> aaa authentication listener https inside port 1111
>
> Then I go to https://192.168.1.200:1111 (where 192.168.1.200 is the ASA inside IP address) to authenticate against a local user database and it doesn't work. The ASA rewrites the URL and says "File not found".
>
> I don't want to use virtual HTTP for the reasons described in the above said document. Am I missing something? Is it really an improvement or just a documentation defect misleading people?
>
> Eugene
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
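As an added illustration (not code from the thread or from Cisco), a small Python check over the two ASA snippets posted above: it parses the `access-list`, `aaa authentication match` and `aaa authentication listener` lines and reports whether the listener port is permitted by the match ACL on the same interface and carries the `redirect` keyword. The rule it encodes is inferred from comparing Eugene's failing config with Piotr's working one; it is an assumption, not a documented Cisco requirement.

```python
import re

# Constructed inputs: the failing config from Eugene's first message and the
# working one Piotr posted later in the thread.
FAILING_CFG = """\
access-list CTP_AUTH extended permit tcp any any eq https
access-list CTP_AUTH extended permit tcp any any eq 3389
access-list CTP_AUTH extended permit tcp any any eq ssh
aaa authentication match CTP_AUTH inside LOCAL
aaa authentication listener https inside port 1111
"""
WORKING_CFG = """\
access-list CTP extended permit tcp any any eq 3389
access-list CTP extended permit tcp any any eq 2222
!
aaa authentication match CTP inside LOCAL
aaa authentication listener https inside port 2222 redirect
"""

PORT_NAMES = {"https": 443, "http": 80, "ssh": 22, "telnet": 23, "ftp": 21}
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp \S+ \S+ eq (\S+)$")
MATCH_RE = re.compile(r"^aaa authentication match (\S+) (\S+) (\S+)$")
LISTENER_RE = re.compile(r"^aaa authentication listener (https?) (\S+) port (\d+)( redirect)?$")


def check_ctp(config: str) -> list:
    """Return findings for each 'aaa authentication listener' in an ASA config.
    Assumed rule (inferred from the thread, not a documented Cisco requirement):
    the listener port must be permitted by the ACL that 'aaa authentication match'
    applies on the same interface, and the listener should carry 'redirect'."""
    acl_ports, match_acl, listeners = {}, {}, []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACL_RE.match(line):
            port = m.group(2)
            port_no = PORT_NAMES.get(port, int(port) if port.isdigit() else None)
            acl_ports.setdefault(m.group(1), set()).add(port_no)
        elif m := MATCH_RE.match(line):
            match_acl[m.group(2)] = m.group(1)      # interface -> ACL name
        elif m := LISTENER_RE.match(line):
            listeners.append((m.group(1), m.group(2), int(m.group(3)), bool(m.group(4))))
    findings = []
    for proto, ifc, port, redirect in listeners:
        acl = match_acl.get(ifc)
        if acl is None or port not in acl_ports.get(acl, set()):
            findings.append(f"{proto} listener port {port} on {ifc} is not permitted by match ACL {acl}")
        if not redirect:
            findings.append(f"{proto} listener port {port} on {ifc} lacks the redirect keyword")
    return findings
```

Running `check_ctp(FAILING_CFG)` yields two findings (port 1111 absent from CTP_AUTH, no `redirect`), while `check_ctp(WORKING_CFG)` yields none.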
