Stop SPAM!!!

Cut Through Authentication on the ASA

July 27, 2017 By antispam Leave a Comment

Cut-Through Authentication proxy on the ASA is an excellent way to track and authorize users when they access resources on the network that you may not want them to reach by default. I have used it to track user activities, to authorize users to network devices that they really should not be accessing whenever they feel like it, and to give a user a way to override the firewall policies that have been defined for a given subnet.

In other words, it is a very useful function, and I believe it is vital for users as well as for the network administrator. Just so you know, this feature works just like the Auth-Proxy or Network Admission technologies on an IOS router.

Here is the topology we will be working with. I have set up a PC so we can simulate a typical user experience.

Guidelines

Any user on the 192.0.2.0/24 subnet (Inside) will have to authenticate to the ASA when accessing the IOS Firewall Router.

This user authentication through the ASA will be of the most secure form.

The ASA will use local authentication for the users for the time being.

Setup Cut-Through Proxy

The first step is to define IP addressing and initialize the interfaces as well as routing. HTTP services have been enabled on the IOS router, along with local authentication/authorization of users to that service. We will focus our efforts on the ASA for the cut-through authentication.

Step one is to make sure we have connectivity to the devices. So let us make sure we can ping 198.18.0.2 from our PC (the PC is 192.0.2.100 in my environment):

C:\ >ping 198.18.0.2
Pinging 198.18.0.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 198.18.0.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Ok, already not a good start. From the ASA I can ping the PC as well as the IOS router, and the default gateway of each of these devices points to the ASA. Hmmm. Don't forget about ICMP inspection, or allowing ICMP echo-replies back through the firewall on the outside interface. Here we will inspect ICMP.

ciscoasa(config)# fixup protocol icmp
INFO: converting 'fixup protocol icmp ' to MPF commands

Ok, now let's try our ping again:

C:\ >ping 198.18.0.2
Pinging 198.18.0.2 with 32 bytes of data:
Reply from 198.18.0.2: bytes=32 time<1ms TTL=63
Reply from 198.18.0.2: bytes=32 time<1ms TTL=63
Reply from 198.18.0.2: bytes=32 time<1ms TTL=63
Reply from 198.18.0.2: bytes=32 time<1ms TTL=63
Ping statistics for 198.18.0.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Ok, that looks better. The other test I like to do is to access the HTTP server on the IOS router, to make sure we can get its default web page before we start our configuration; that way there is one less thing to check if it doesn't work later. So let's define an access-list to classify the interesting traffic for cut-through proxy:

ciscoasa(config)# access-list ctap permit ip any host 198.18.0.2
Next, let's configure our local username and password, since our guidelines say to use the local database:

ciscoasa(config)# username cisco password cisco
Now we enable cut-through proxy, matching our interesting traffic and using local database authentication:

ciscoasa(config)# aaa authentication match ctap inside LOCAL

What we should see at this point is a web authentication box popping up and asking us for credentials. This is the cut-through authentication service requesting user credentials before allowing the connection on to the IOS router. So we enter our credentials of cisco/cisco.

Then we click "OK" on the web authentication box, and we should now be allowed through to the IOS router.

Let's verify the user on the ASA:

ciscoasa(config)# sh uauth
Current Most Seen
Authenticated Users 1 1
Authen In Progress 1 1
user 'cisco' at 192.0.2.100, authenticated
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
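As an added example (not part of the original post), here is a small Python parser for the show uauth output above: it turns each cached authorization into a record, with timeouts in seconds, and flags entries with no timer running at all or with an absolute lifetime above a site limit. The sample output, the extra users and the 8-hour limit are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the "show uauth" output in the post above;
# the user/timeout lines have the same shape, the extra users are invented.
SAMPLE_UAUTH = """\
Current Most Seen
Authenticated Users 3 3
Authen In Progress 0 1
user 'cisco' at 192.0.2.100, authenticated
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
user 'alice' at 192.0.2.101, authenticated
absolute timeout: 0:00:00
inactivity timeout: 0:00:00
user 'bob' at 192.0.2.102, authenticated
absolute timeout: 12:00:00
inactivity timeout: 0:30:00
"""

# Accept straight or curly quotes around the username, since pasted output often has the latter.
USER_RE = re.compile(r"^user ['\u2018](?P<user>[^'\u2019]+)['\u2019] at (?P<ip>[\d.]+), (?P<state>\w+)")
TIMEOUT_RE = re.compile(r"^(?P<kind>absolute|inactivity) timeout: (?P<h>\d+):(?P<m>\d+):(?P<s>\d+)")


def parse_uauth(text: str) -> List[Dict]:
    """Turn 'show uauth' output into one record per user, timeouts in seconds."""
    sessions: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m:
            sessions.append({"user": m["user"], "ip": m["ip"], "state": m["state"],
                             "absolute": None, "inactivity": None})
            continue
        m = TIMEOUT_RE.match(line)
        if m and sessions:  # timeout lines belong to the most recent user line
            sessions[-1][m["kind"]] = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return sessions


def flag_sessions(sessions: List[Dict], max_absolute: int = 8 * 3600) -> List[Tuple[str, str, str]]:
    """Return (user, ip, reason) for cached authorizations that deserve a look:
    no timer running at all, or an absolute lifetime above the site's limit (assumed 8h)."""
    findings = []
    for s in sessions:
        if s["state"] != "authenticated":
            continue
        if not s["absolute"] and not s["inactivity"]:
            findings.append((s["user"], s["ip"], "no uauth timer running"))
        elif s["absolute"] and s["absolute"] > max_absolute:
            findings.append((s["user"], s["ip"], "absolute timeout exceeds limit"))
    return findings
```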

The ASA gives us another option for how the user authentication experience occurs. Instead of the popup, we can have a web page display the authentication prompt. It is a little more user friendly this way and is more like the auth-proxy HTTP web page from an IOS router, only better. To do this we enter the following command:

ciscoasa(config)# aaa authentication listener http inside redirect
Using the above option, we could also redirect the authentication to another port if needed, using the "port #" argument of the command shown above.

Our guidelines actually called for the most secure mode of communications, and using HTTP in this fashion is not secure at all: the user's credentials travel in clear text. So we will change our configuration so that we request the user credentials over HTTPS.

To do this, we enter two commands:

ciscoasa(config)# aaa authentication listener https inside redirect
ciscoasa(config)# aaa authentication secure-http-client
Now, depending on how the ASA is configured for PKI support, you will either come to a page with a certificate warning or go right to the authentication page. This is now a secure login screen for the user.

This concludes our quick introduction to Cut-Through Authentication on the ASA. There are several more features that can become involved, such as including an ACS server for authentication/authorization, virtual telnet/http, and even downloadable access-lists that can override an interface access-list.

Join me in future posts where we will discuss these enhancements. I hope this is useful to you, and thank you for visiting this post.

Filed Under: Routers
