CHAPTER 10: Using Proxy Services to Control Access

Design by H V Anh Tun
2013 Cisco Systems, Inc. All rights reserved.
Cisco Public

User-Based (Cut-Through) Proxy Overview

When a user attempts to transit your Cisco ASA and access a resource, the ASA checks the user's identity against a local or remote user database. This is the authentication aspect of the process. Next, user-specific policies can be applied (authorization). Finally, information about user-specific traffic can be sent to a server set up to collect this information (accounting).

User Authentication

A user of your network attempts to access a resource that requires authentication. The ASA provides a username/password prompt. You configure exactly which resources you want to trigger this authentication behavior.

This authentication process needs to occur only once per source IP address for all the authentication rules that you configure on the Cisco ASA. This is where the cut-through part of the name originates. The credentials of the user are cached on the Cisco ASA so that subsequent authentication requests do not have to transpire. You can control the timeout behavior of this process.

User Authentication (cont.)

Initial authentication can be triggered only by one of the following protocols: HTTP, HTTPS, FTP, or TELNET.

AAA on the ASA

Authentication, authorization, and accounting (AAA) services are used for a variety of purposes on the Cisco ASA. The main three are the following:
- Administrative access
- Cut-through proxy
- Remote-access VPNs

Direct HTTP Authentication with the Cisco ASA

The Cisco ASA provides two solutions for direct HTTP authentication:
- HTTP redirection
- Virtual HTTP

HTTP Redirection

With the HTTP redirection method, the Cisco ASA actively listens for HTTP requests on TCP port 80. When the Cisco ASA detects such a request, it redirects the internal user to a local web page containing a form in which the user enters their credentials.

If the user is authenticated properly with these credentials, the user is then directed to the external web server.

If the external web server requires its own separate authentication process and credentials, it can challenge the user directly at that time.

HTTP Redirection (cont.)

Note: There is an option to redirect the HTTPS sessions of users to an internal web page served by HTTPS. The use of this method is not recommended because it may result in certificate warnings being sent to the end user. These warnings could be interpreted as an attempted man-in-the-middle attack.

Virtual HTTP

Using the virtual HTTP method, users authenticate against the Cisco ASA using the IP address of a virtual HTTP server inside the Cisco ASA. No web page for credentials is required. Once the user is authenticated, their credentials are not sent further into the outside network in order to access the external web server.

Notice that this method works well when you want to prohibit the sending of credentials into an untrusted network.

Direct Telnet Authentication

In this case, internal users can be authenticated using the virtual Telnet feature. The user establishes a Telnet session to a virtual Telnet IP address you assign on the Cisco ASA. At this point, the user is challenged for a username and password that can be presented against the AAA services.

Configuration Steps of User-Based Proxy

Step 1. Configure the Cisco ASA to communicate with one or more external AAA servers or, alternatively, configure AAA on the Cisco ASA itself.
Step 2. Configure the appropriate authentication rules on the ASA.
Step 3. (Optional) Change the authentication prompts and timeouts.
Step 4. (Optional) Configure authorization.
Step 5. (Optional) Configure the accounting rules.

Configuring User Authentication

Navigate to Configuration > Firewall > AAA Rules > Add > Add Authentication Rule.

Verifying User Authentication

Verifying user-based proxy on the Cisco ASA is easy. Just initiate traffic of the appropriate type across the ASA and, when prompted, enter valid username and password credentials. Once you have done so, you can use the show uauth CLI command. This command allows you to easily inspect the following:
- Users currently authenticated by the Cisco ASA
- The IP address of an authenticated user
- The absolute and inactivity timers associated with each authenticated user

Verifying User Authentication (cont.)

Should you need to clear the cached authentication information, use the clear uauth command. Note that this command causes users to reauthenticate, but it will not affect the current and established sessions of the authenticated users.

Verifying User Authentication (cont.)

Another CLI command of value for verification is show aaa-server. This command enables you to display the following:
- The server group
- The protocol used
- The IP address of the active server in the group
- The status of the server
- Statistics on authentication requests and responses

Configuring HTTP Redirection

Navigate to Configuration > Firewall > AAA Rules and click Advanced in the AAA Rules pane. This opens the AAA Rules Advanced Options dialog box. Click Add, and then click the HTTP radio button.

The key to this configuration is to check the Redirect Network Users for Authentication Requests check box.

Configuring HTTP Redirection (cont.)

You can accomplish these results at the command line with the following statement:

Configuring the Virtual HTTP Server

You can accomplish these results at the command line with the following statement:

Configuring Direct Telnet

You can accomplish these results at the command line with the following statement:

Configuring Authentication Prompts and Timeouts (cont.)

Navigate to Configuration > Device Management > Users/AAA > Authentication Prompt.

Configuring Authentication Prompts and Timeouts

You can also configure these custom prompts from the command line with the following commands:

Configuring Authentication Timeouts

Authentication timeouts are critical because they set the time limits after which a user will be required to reauthenticate. Two types of timeouts are used with cut-through proxy:
- Inactivity timeout value: Controls timing out based on idle time (no user traffic is being forwarded by the Cisco ASA).
- Absolute timeout value: Ignores activity and begins just after the user is authenticated by the device. Obviously, the absolute timer should be set to a longer duration than the inactivity timer.
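The per-source-IP credential caching described under User Authentication and the two timers above, as an added Python model that is not part of the slides or of Cisco ASA software; the LOCAL_USERS table, the addresses and the timer values are constructed for the example:

```python
# Model of the cut-through proxy's per-source-IP credential cache (uauth).
# Added illustration, not Cisco ASA code; LOCAL_USERS, timer values and
# addresses are constructed for the example.
from dataclasses import dataclass, field

TRIGGER_PROTOCOLS = {"http", "https", "ftp", "telnet"}  # only these start authentication
LOCAL_USERS = {"alice": "s3cret"}  # constructed stand-in for the local AAA database

def local_verify(user, password):
    return LOCAL_USERS.get(user) == password

@dataclass
class UauthEntry:
    user: str
    authenticated_at: float  # absolute timer counts from here, whatever the activity
    last_seen: float         # inactivity timer restarts whenever traffic is forwarded

@dataclass
class CutThroughProxy:
    absolute_timeout: float    # seconds; should exceed inactivity_timeout
    inactivity_timeout: float  # seconds
    cache: dict = field(default_factory=dict)  # keyed by source IP, as on the ASA

    def _expired(self, entry, now):
        return (now - entry.authenticated_at >= self.absolute_timeout
                or now - entry.last_seen >= self.inactivity_timeout)

    def handle(self, src_ip, proto, now, credentials=None, verify=local_verify):
        """Return 'forward', 'challenge' or 'deny' for one packet from src_ip."""
        entry = self.cache.get(src_ip)
        if entry and self._expired(entry, now):
            del self.cache[src_ip]   # a timer expired: the user must reauthenticate
            entry = None
        if entry:                    # cached credentials: no new prompt, any protocol
            entry.last_seen = now
            return "forward"
        if proto not in TRIGGER_PROTOCOLS:
            return "deny"            # this protocol cannot start authentication
        if credentials is None:
            return "challenge"       # the ASA presents the username/password prompt
        user, password = credentials
        if verify(user, password):
            self.cache[src_ip] = UauthEntry(user, now, now)
            return "forward"
        return "deny"

    def clear_uauth(self):
        """Like 'clear uauth': drop cached credentials so users reauthenticate."""
        self.cache.clear()
```

The model tracks only the credential cache, not established sessions, which clear uauth leaves untouched on a real ASA.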

Configuring User Authorization

The two user-based authorization methods possible with the Cisco ASA are as follows:
- Download per-user ACLs from a RADIUS AAA server during the authentication process: This is the process that Cisco strongly recommends.
- User authorization based on a TACACS+ AAA server

Configuring User Authorization (cont.)

An important aspect of the downloadable per-user ACL feature is that it enables you to configure what is called per-user override. The per-user override feature allows the downloaded ACL to override an existing ACL on the interface for the particular user. Cisco recommends that you use this feature because it makes enacting specific policies for specific users in the network easier.

Without per-user override, both the interface ACL and the downloaded ACL are checked for permit statements for the packet to pass. With per-user override, the interface ACL must still be configured to permit the authentication trigger packet.
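The difference between evaluation with and without per-user override, as an added Python model that is not ASA code; INTERFACE_ACL, DOWNLOADED_ACL and the addresses and ports are constructed for the example:

```python
# Models how per-user override changes ACL evaluation after cut-through
# authentication. Added illustration, not ASA code; the ACLs, addresses and
# ports below are constructed for the example.
from ipaddress import ip_address, ip_network

# Each entry: (action, source network, destination network, TCP port or None for any).
INTERFACE_ACL = [("permit", "10.0.0.0/24", "0.0.0.0/0", 80)]      # inside interface: web only
DOWNLOADED_ACL = [("permit", "10.0.0.5/32", "192.0.2.0/24", 22)]  # per-user ACL from RADIUS

def acl_permits(acl, src, dst, port):
    """First-match evaluation with an implicit deny at the end, as on the ASA."""
    for action, src_net, dst_net, acl_port in acl:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and acl_port in (None, port)):
            return action == "permit"
    return False

def packet_allowed(src, dst, port, per_user_override, trigger=False,
                   interface_acl=INTERFACE_ACL, downloaded_acl=DOWNLOADED_ACL):
    """Decide whether a packet from a cut-through user passes the ASA.

    trigger=True marks the packet that starts authentication: no per-user ACL
    exists yet, so the interface ACL alone decides, even with override enabled.
    """
    if trigger:
        return acl_permits(interface_acl, src, dst, port)
    if per_user_override:
        # the downloaded ACL replaces the interface ACL for this user's traffic
        return acl_permits(downloaded_acl, src, dst, port)
    # without override both ACLs must contain a permit for the packet
    return (acl_permits(interface_acl, src, dst, port)
            and acl_permits(downloaded_acl, src, dst, port))
```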
