I wish ....
This is 2012 resolution ;))

From: Piotr Matusiak [mailto:[email protected]]
Sent: 05 January 2012 13:52
To: Eugene Pefti
Cc: Diego Cambronero; ccie security
Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP 
redirection

Nice that you figured it out. It seems you're inquisitive enough to be a CCIE 
soon.

Regards,
Piotr

2012/1/5 Eugene Pefti <[email protected]>
Yes,  Piotr,
This is the way to do it. I figured it out on my own just about an hour ago. I 
was sending the HTTPS traffic through the ASA and it intercepted it and 
redirected to its own rudimentary web page with the login form.
And it rewrote the URL to be almost like you provided, namely it was 
https://xxx.xxx.xxx.xxx:2222/netaccess/connstatus.html
Technically there's no difference between yours and the above said as it still 
lands on the login page.
My mistake was to use https://xxx.xxx.xxx.xxx:2222/
It redirected me nowhere and I ended up with a rewritten URL like
https://192.168.1.200/+CSCOE+/logon.html?a0=0&a1=&a2=&a3=1
And "File not found" on the webpage

Again, lessons learnt,

1) don't entirely trust whatever you read in Cisco documentation
2) dig and dig and dig around
3) ask nice and knowledgeable people at the CCIE Security forum ;))

Cheers,
Eugene


From: Piotr Matusiak [mailto:[email protected]]
Sent: 05 January 2012 13:09
To: Eugene Pefti
Cc: Diego Cambronero; ccie security

Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP 
redirection

Eugene,

Here's the config you're probably looking for:

access-list CTP extended permit tcp any any eq 3389
access-list CTP extended permit tcp any any eq 2222
!
aaa authentication match CTP inside LOCAL
aaa authentication listener https inside port 2222 redirect

With this config your users can connect directly to the ASA's inside IP 
address using the following URL:

https://10.1.1.10:2222/netaccess/loginuser.html

Regards,
Piotr
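The two configurations in this thread differ in three visible ways: the working one uses the `redirect` keyword on the listener, permits the listener port itself in the match ACL, and is reached via the `/netaccess/loginuser.html` path. The following Python script is an added example (not part of this thread or of any Cisco tool) that parses both ASA snippets and reports those differences as findings, then prints the login URL the listener implies. It assumes the thread's observed differences are worth checking before opening a TAC case; it does not claim they are Cisco-documented requirements. The two config texts are copied from the thread; the interface addresses come from the posts.

```python
import re

# Service names the ASA accepts after "eq" in the ACL entries seen in this thread.
SERVICE_PORTS = {"https": 443, "http": 80, "ssh": 22, "telnet": 23, "ftp": 21}

ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+tcp\s+any\s+any\s+eq\s+(\S+)\s*$")
MATCH_RE = re.compile(r"^aaa\s+authentication\s+match\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
LISTENER_RE = re.compile(
    r"^aaa\s+authentication\s+listener\s+(https?)\s+(\S+)\s+port\s+(\d+)(\s+redirect)?\s*$")


def _port(token):
    """Resolve a numeric port or a well-known service name to an integer."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token.lower())


def check_ctp_config(config_text, asa_interface_ip):
    """Return (findings, login_urls) for a cut-through-proxy config snippet.

    The checks encode the differences between the non-working and working
    configurations posted in the thread (an assumption, not a vendor rule).
    """
    acl_ports = {}   # ACL name -> set of permitted TCP ports
    matches = []     # (ACL name, interface, AAA server group)
    listeners = []   # (proto, interface, port, redirect flag)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if m:
            acl_ports.setdefault(m.group(1), set()).add(_port(m.group(2)))
            continue
        m = MATCH_RE.match(line)
        if m:
            matches.append(m.groups())
            continue
        m = LISTENER_RE.match(line)
        if m:
            proto, iface, port, redirect = m.groups()
            listeners.append((proto, iface, int(port), redirect is not None))

    findings = []
    urls = []
    for proto, iface, port, redirect in listeners:
        if not redirect:
            findings.append(
                f"listener {proto} on {iface} port {port} lacks 'redirect' "
                "(the working config in the thread used it)")
        acls_here = [acl for acl, m_iface, _ in matches if m_iface == iface]
        if not acls_here:
            findings.append(f"no 'aaa authentication match' bound to interface {iface}")
        for acl in acls_here:
            if port not in acl_ports.get(acl, set()):
                findings.append(
                    f"listener port {port} is not permitted in ACL {acl} "
                    "(the working config permitted its listener port 2222 in CTP)")
        # Login page path taken from the working post in the thread.
        urls.append(f"{proto}://{asa_interface_ip}:{port}/netaccess/loginuser.html")
    return findings, urls


# Eugene's original configuration (copied from the first post in the thread).
ORIGINAL_CONFIG = """
access-list CTP_AUTH extended permit tcp any any eq https
access-list CTP_AUTH extended permit tcp any any eq 3389
access-list CTP_AUTH extended permit tcp any any eq ssh
aaa authentication match CTP_AUTH inside LOCAL
aaa authentication listener https inside port 1111
"""

# Piotr's working configuration (copied from his reply).
WORKING_CONFIG = """
access-list CTP extended permit tcp any any eq 3389
access-list CTP extended permit tcp any any eq 2222
!
aaa authentication match CTP inside LOCAL
aaa authentication listener https inside port 2222 redirect
"""

if __name__ == "__main__":
    for label, cfg, ip in (("original", ORIGINAL_CONFIG, "192.168.1.200"),
                           ("working", WORKING_CONFIG, "10.1.1.10")):
        findings, urls = check_ctp_config(cfg, ip)
        print(f"[{label}] login URL(s): {urls}")
        for f in findings:
            print(f"[{label}] finding: {f}")
```

Running it flags the original snippet twice (no `redirect`, listener port 1111 absent from CTP_AUTH) and passes the working one, printing `https://10.1.1.10:2222/netaccess/loginuser.html` as the URL to hand to users.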
2012/1/5 Eugene Pefti <[email protected]>
Ok, we almost did it.
Whatever is newly published about CTP at different sources says the technology is 
still the same: the PIX/ASA authentication kicks in whenever there's through 
traffic.
It would be a great feature to have direct authentication without "virtual 
HTTP" for two reasons:

1) It could be secured via HTTPS
2) No need for an additional IP address

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Piotr Matusiak
Sent: 05 January 2012 09:00
To: Diego Cambronero

Cc: ccie security
Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP 
redirection

Nope, Virtual IP is a different IP address where ASA will listen on.
2012/1/5 Diego Cambronero <[email protected]>
Correct me if I am wrong. Virtual http or telnet uses the IP address of the ASA 
and the aaa listener uses a connection through the ASA to authenticate.

On 05/01/2012, at 08:43 a.m., Piotr Matusiak <[email protected]> wrote:
Hi Kings,

As I said to Eugene, in this case direct auth will not work because the ASA 
thinks that this is an ASDM connection.
Enable logging and see the messages.

Regards,
Piotr
2012/1/5 Kingsley Charles <[email protected]>
Hi Piotr

Has direct authentication worked for you? I have tried pointing my browser to 
the outside interface IP with both HTTP port 8080 and HTTPS port 4443, but it 
doesn't work with the following configuration.

aaa authentication listener http outside port 8080 redirect
aaa authentication listener https outside port 4443 redirect

With regards
Kings

On Thu, Jan 5, 2012 at 12:45 PM, Piotr Matusiak <[email protected]> wrote:
OK, so it should also work without virtual IP but you must connect to something 
behind the ASA. If you want to authenticate your users connecting to the ASA 
you must use virtual IP.

Regards,
Piotr

2012/1/5 Eugene Pefti <[email protected]>
Thanks, Piotr,
I thought that "virtual http" and "authentication listener" are two different 
methods. And using "virtual http" requires an additional IP address which is 
luxury in my case ;)

Eugene

From: Piotr Matusiak [mailto:[email protected]]
Sent: 04 January 2012 04:04
To: Eugene Pefti
Cc: ccie security
Subject: Re: [OSL | CCIE_Security] Cut-through proxy authentication with HTTP 
redirection

Hi Eugene,

The ASA tries to open up ASDM connection.

To achieve what you want configure the following:

virtual http 192.168.1.99
aaa authentication listener https inside port 1111 redirect


Then you'll be able to connect to https://192.168.1.99 and be redirected to 
port 1111

Regards,
Piotr
2012/1/4 Eugene Pefti <[email protected]>

Hello everyone,

I started the new year with my resolution to get back to CCIE studies and was 
immediately challenged by a client of ours asking us to configure network access 
controls with cut-through proxy authentication for them.

Their particular task was to authenticate the traffic that is not part of the 
four well-known protocols (FTP, Telnet, HTTP and HTTPS) that would trigger 
authentication in the classic situation.

They need to authenticate RDP and SSH traffic through the ASA, and I followed 
this document published on the Cisco support forum:

https://supportforums.cisco.com/docs/DOC-14842



My intention was to have users open their web browser, connect to the ASA 
interface IP address via HTTPS, authenticate and voila, the RDP and SSH traffic 
defined in the authentication ACL would be authenticated.



I.e.

access-list CTP_AUTH extended permit tcp any any eq https
access-list CTP_AUTH extended permit tcp any any eq 3389
access-list CTP_AUTH extended permit tcp any any eq ssh
aaa authentication match CTP_AUTH inside LOCAL
aaa authentication listener https inside port 1111



Then I go to https://192.168.1.200:1111 (where 192.168.1.200 is the ASA inside 
IP address) to authenticate against a local user database and it doesn't 
work. The ASA rewrites the URL and says "File not found".

I don't want to use virtual HTTP for the reasons described in the 
above-mentioned document. Am I missing something? Is it really an improvement 
or just a documentation defect misleading people?



Eugene



_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com