Hi Mike,

I breathed a sigh of relief realizing that it's not only me who thinks this way. I've done numerous exercises, and every time I hope that the question is more or less specific on how to do it. For me the main catch is that Virtual HTTP and Telnet require an additional IP address if connecting from inside and a static NAT if connecting from outside. If the task doesn't provide any specifics about it, then I'd do "aaa authentication match ....". But if I do it the latter way, do I have to originate the traffic to the host behind the ASA to prove it works, or do I need to configure CTP with the "listener" option to authenticate directly on the ASA? Thank God, if doing it with the "listener" and "redirect" options you can generate HTTP traffic to the host behind the ASA and then it will intercept it and open an authentication page for you.

For Auth-Proxy I think it works in conjunction with HTTP on the router (the prerequisite) and the only triggering ACL is "permit tcp any any eq 80". For me the main challenge is when the authorization is done via TACACS/RADIUS. I keep forgetting the right syntax to define attributes in ACS.

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Mike Rojas
Sent: Saturday, June 09, 2012 6:22 PM
To: [email protected]
Subject: [OSL | CCIE_Security] CTP-Auth Proxy Tricky questions.

Hello All,

I have a major doubt in regards to when you have to configure either CTP or Auth-Proxy. I've seen the question formulated 10 thousand times, but they all differ in the solution and in the methods to accomplish it. For example, when they ask you to do things like:

1- Make sure that the client authenticates before gaining access to the internal network (CTP). Now, I can use either Virtual HTTP, Virtual Telnet or the Match command... which one do I use? On this same one, if using the match command, I need to allow something within the interesting traffic so CTP can catch it, right? If so, which traffic: any HTTP? To one specific host?

2- Allow traffic after being authenticated to Networks x and y (Auth-Proxy). I've seen many exercises where they put an ACL on the interface denying all the traffic and just permitting one specific type of traffic in order to trigger the Auth-Proxy. Shall I use this approach, or match the traffic they ask for using a triggering ACL?

Thanks in advance.

Mike
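As an added illustration of the two approaches the thread compares (this is not configuration from either poster), the sketch below shows ASA cut-through proxy done with a match ACL plus the HTTP listener/redirect, the virtual HTTP/Telnet alternative that needs its own address, and IOS auth-proxy with a triggering interface ACL and the TACACS+ attributes ACS returns. All addresses, ACL names, interface names and the server-group name are assumed placeholders.

```cisco
! ---- ASA: cut-through proxy (CTP) ----
! AAA server group (assumed name ACS, assumed address)
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.1.10
 key <shared-secret>
!
! Option A: intercept only the traffic the task names (here HTTP to one host).
! With the listener in redirect mode the ASA answers the user's HTTP request
! itself and shows the login page, so a normal browser request to the server
! behind the ASA is enough to test it.
access-list CTP_AUTH extended permit tcp any host 192.168.2.50 eq 80
aaa authentication match CTP_AUTH inside ACS
aaa authentication listener http inside port 80 redirect
!
! Option B: virtual HTTP / virtual Telnet. Each needs an unused address that
! routes to the ASA; when users come from outside, that address also needs a
! static NAT entry, and the match ACL must cover the virtual addresses.
virtual http 10.1.1.200
virtual telnet 10.1.1.201
access-list CTP_AUTH extended permit tcp any host 10.1.1.200 eq 80
access-list CTP_AUTH extended permit tcp any host 10.1.1.201 eq 23

! ---- IOS router: auth-proxy ----
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.10 key <shared-secret>
! The HTTP server is the prerequisite: auth-proxy serves its login page over it
ip http server
ip http authentication aaa
! Auth-proxy rule triggered by HTTP only
ip auth-proxy name AP_HTTP http
! Interface ACL: deny everything except the traffic that triggers the proxy.
! After authentication the router inserts the per-user entries returned by ACS
! above this ACL, which is what opens the "network x and y" access.
ip access-list extended TRIGGER
 permit tcp any any eq 80
interface FastEthernet0/0
 ip access-group TRIGGER in
 ip auth-proxy AP_HTTP

! ---- ACS side (TACACS+ user/group settings, shown as comments) ----
! Enable the custom service "auth-proxy" (protocol ip) and return:
!   priv-lvl=15
!   proxyacl#1=permit tcp any 10.2.0.0 0.0.255.255 eq 80
!   proxyacl#2=permit tcp any 10.3.0.0 0.0.255.255 eq 80
! Each proxyacl#n line becomes a dynamic ACL entry for that user's source address.
```

The difference the thread turns on is where the user is sent to log in: with "aaa authentication match" and a redirecting listener the user's own traffic to the protected host is intercepted, while virtual HTTP/Telnet require the user to target the virtual address first, which is why they need an extra address and NAT. On the IOS side, the interface ACL only has to let the triggering traffic through; the authorized networks come from the proxyacl attributes, not from the static ACL.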
