Hi All,

The basic operation of Cut Through Proxy on ASA revolves mostly around the 'aaa authentication match' command, which identifies traffic that will require the user to be authenticated against the ASA before it is allowed to pass.

I have configured this as part of Yusuf's Lab2 but I could not meet one of the requirements: to download an inactivity timeout setting of five minutes from the ACS server, even though I had set this parameter correctly in the TACACS settings of the user's account. Now, looking through the solution, I see he has added two elements which I did not:

1) the "aaa authorization match" command
2) a Shell Command Authorization set on the ACS server for the user account

With a bit of playing I worked out that applying the "aaa authorization match" command on the ASA did allow the inactivity timer setting to be downloaded from the user account on ACS, though with just this command the user could authenticate but was not authorized, so could not telnet through the firewall as required. Adding a Shell Command Authorization set for the user defining the command "telnet" and the argument "permit 10.1.1.1" then got everything working as required.

So my questions are:

1) Why won't the ASA download the inactivity timeout setting from the user's TACACS account settings without the "aaa authorization match" command defined?
2) Why does the ASA ask the ACS server for authorization of the telnet authentication connection through itself, and work successfully when a Shell Command Authorization set is configured? I mean, the command isn't being run on the ASA, it's being run on another network device trying to create a connection through the ASA, but it seems the ASA is trying to authorise the telnet command as though it was being run locally, hence the need for a Shell Command Authorisation set.

Thanks
Ben
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
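For reference, here is the ASA side of the setup the post describes (authentication match plus authorization match for telnet to 10.1.1.1 against a TACACS+ group). This is an added illustration, not Ben's configuration or the lab solution; the server group name ACS, the interface name inside, the ACS address 10.1.1.100, the shared key and the ACL name are assumed.

```text
! --- Assumed TACACS+ server group (name, address and key are placeholders) ---
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.1.100
 key ExampleKey123

! --- Traffic that must be authenticated before it may pass: telnet to 10.1.1.1 ---
access-list CUT_THROUGH extended permit tcp any host 10.1.1.1 eq telnet

! --- Cut-through proxy: authenticate matching traffic against the ACS group ---
aaa authentication match CUT_THROUGH inside ACS

! --- Per the post, this second line was needed before the per-user inactivity
!     timeout stored on ACS was downloaded; with it, ACS is also asked to
!     authorize the session, which is what made the Shell Command Authorization
!     set ("telnet" / "permit 10.1.1.1") necessary on the ACS side ---
aaa authorization match CUT_THROUGH inside ACS

! --- Local uauth inactivity timeout; the lab goal is for the per-user value
!     pushed from the TACACS account to take effect instead of this default ---
timeout uauth 0:05:00 inactivity
```

Check the result with "show uauth" after a user authenticates: the entry lists the authenticated user and its timeout values, so it shows whether the ACS-supplied inactivity timer was applied.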
