Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 2) - Simple Cut-Through Proxy

2/20/2015 1:10:54 AM
Scenario 1: Simple Cut-Through Proxy (No Authorization)

Example 2 depicts the operation of Cut-Through Proxy for HTTP, according to the configuration in Example 1. Authorization is analyzed starting with Scenario 2.

Note

For the examples covered in this article, “user1” and “user2”, belonging respectively to groups “GROUP1” and “GROUP2” on CS-ACS, are always the reference usernames.


Example 2. HTTP Connection Is Intercepted by Cut-Through Proxy
! HTTP to 172.16.200.200 is intercepted by Cut-Through Proxy (first prompt appears)
%ASA-6-302013: Built outbound TCP connection 26 for outside:172.16.200.200/80 (172.16.200.200/80) to dmz:172.21.21.101/1148 (172.21.21.101/1148)
%ASA-6-109001: Auth start for user '???' from 172.21.21.101/1148 to 172.16.200.200/80
!
! User enters credentials and ASA sends them to the RADIUS server (UDP/1812)
%ASA-6-302015: Built outbound UDP connection 27 for dmz:172.21.21.250/1812 (172.21.21.250/1812) to identity:172.16.201.2/1025 (172.16.201.2/1025)
%ASA-6-113004: AAA user authentication Successful : server = 172.21.21.250 : user =user1
%ASA-7-734003: DAP: User user1, Addr 172.21.21.101: Session Attribute aaa.radius["25"]["1"] = CACS:0/13e/ac10c902/4
%ASA-7-734003: DAP: User user1, Addr 172.21.21.101: Session Attribute aaa.cisco.grouppolicy = DfltGrpPolicy
%ASA-7-734003: DAP: User user1, Addr 172.21.21.101: Session Attribute aaa.cisco.username = user1
%ASA-6-734001: DAP: User user1, Addr 172.21.21.101, Connection Cut-Through-Proxy: The following DAP records were selected for this connection: DfltAccessPolicy
%ASA-2-109011: Authen Session Start: user 'user1', sid 4
%ASA-6-109005: Authentication succeeded for user 'user1' from 172.21.21.101/1148 to 172.16.200.200/80 on interface dmz
!
! ASA starts RADIUS Accounting connection (UDP/1813)
%ASA-6-302015: Built outbound UDP connection 28 for dmz:172.21.21.250/1813 (172.21.21.250/1813) to identity:172.16.201.2/1026 (172.16.201.2/1026)
%ASA-6-113004: AAA user accounting Successful : server = 172.21.21.250 : user = user1
!
! Displaying the authenticated users
ASA1# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'user1' at 172.21.21.101, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

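The message sequence in Example 2 (109001 prompt, 113004 AAA result, 109011 session start, 109005 success, then accounting) is what a monitoring pipeline would correlate to confirm that every Cut-Through Proxy flow actually finished authentication. The following script is an added example, not code from the original article or from Cisco: it parses those ASA syslog IDs, rebuilds each flow, and flags flows that never reached the authenticated state. It assumes the 109006 "Authentication failed" message as the rejected-login counterpart of 109005, and the second host 172.21.21.102 with "user2" is a constructed sample, not from the page.

```python
import re

# Patterns for the ASA syslog IDs in the Cut-Through Proxy exchange above (109001, 109005,
# 113004, 109011) plus 109006, the ASA "Authentication failed" counterpart of 109005.
_PATTERNS = {
    "start": re.compile(r"%ASA-\d-109001: Auth start for user '(?P<user>[^']*)' from (?P<src>\S+) to (?P<dst>\S+)"),
    "result": re.compile(r"%ASA-\d-10900(?P<code>[56]): Authentication (?:succeeded|failed) for user "
                         r"'(?P<user>[^']+)' from (?P<src>\S+) to (?P<dst>\S+) on interface (?P<iface>\S+)"),
    "aaa": re.compile(r"%ASA-\d-113004: AAA user (?P<kind>authentication|accounting) Successful : "
                      r"server = (?P<server>\S+) : user =\s*(?P<user>\S+)"),  # "user =user1" and "user = user1" both occur
    "session": re.compile(r"%ASA-\d-109011: Authen Session Start: user '(?P<user>[^']+)', sid (?P<sid>\d+)"),
}

# Constructed sample: the Example 2 lines above plus one 109001/109006 pair for a rejected
# login by "user2" from a second host (that pair is invented here, not from the original page).
SAMPLE_LOG = """
%ASA-6-109001: Auth start for user '???' from 172.21.21.101/1148 to 172.16.200.200/80
%ASA-6-113004: AAA user authentication Successful : server = 172.21.21.250 : user =user1
%ASA-2-109011: Authen Session Start: user 'user1', sid 4
%ASA-6-109005: Authentication succeeded for user 'user1' from 172.21.21.101/1148 to 172.16.200.200/80 on interface dmz
%ASA-6-113004: AAA user accounting Successful : server = 172.21.21.250 : user = user1
%ASA-6-109001: Auth start for user '???' from 172.21.21.102/1201 to 172.16.200.200/80
%ASA-6-109006: Authentication failed for user 'user2' from 172.21.21.102/1201 to 172.16.200.200/80 on interface dmz
""".strip().splitlines()

def correlate(lines):
    """Rebuild each flow keyed (src, dst); 'pending' = 109001 prompt seen but no 109005/109006 result."""
    flows, per_user = {}, {}
    for line in lines:
        for kind, pat in _PATTERNS.items():
            if not (m := pat.search(line)):
                continue
            d = m.groupdict()
            if kind == "start":
                flows[(d["src"], d["dst"])] = {"user": None, "state": "pending", "iface": None}
            elif kind == "result":
                rec = flows.setdefault((d["src"], d["dst"]), {})
                rec.update(user=d["user"], iface=d["iface"],
                           state="authenticated" if d["code"] == "5" else "failed")
            else:  # 113004/109011 carry only the username, so they are joined to the flow by user
                per_user.setdefault(d["user"], {}).update(
                    {"sid": d["sid"]} if kind == "session" else
                    {"aaa_server": d["server"]} if d["kind"] == "authentication" else {"accounting": True})
    for rec in flows.values():  # attach AAA server, accounting flag and uauth sid to each flow
        rec.update({"aaa_server": None, "accounting": False, "sid": None}, **per_user.get(rec["user"], {}))
    return flows

def unresolved(flows):
    """Flows that never reached 'authenticated': rejected logins or abandoned prompts."""
    return sorted(k for k, r in flows.items() if r["state"] != "authenticated")
```

Feeding real ASA syslog into correlate() and alerting on unresolved() gives a simple check that accounting and authentication records line up for every intercepted connection.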

Figure 3 presents a sample RADIUS accounting record in CS-ACS. In this particular example, you can see in the “cisco-av-pair” column that both HTTP and HTTPS activities are registered.

Figure 3. Example of RADIUS Accounting Session on CS-ACS (Reports and Activity)
