ASA auth-proxy virtual service problem

Unanswered Question
Mar 21st, 2008
User Badges:

Hi, all

I have setup a lab for aaa auth-proxy, ASA5510 version is 7.0, ACS 4.0; There are two problems as below:


1, after successful authentication by https via ASA's virtual services, the prompt page flash quickly, which even we didn't have time to see. The ASA5510's configuration is as following:


auth-prompt prompt -- Welcome to ABC company --

auth-prompt accept -- thanks, you can go ahead --

auth-prompt reject -- You are failed to be authenticated --


It seems there are no command to specify auth-prompt page's existing time at ASA5510.


Does anyone know whether it can be specified so that we can see the success page so that we know we succeed.


2, When http traffic were authenticated, ASA can challenge the prompt window, and I finished the authentication succesfully. But when I click another hyperlink which is http 8000 port, the ASA reply " Error: Must authenticate before using this service"

I want to know it is for 8000 port, or for http cache reauthentication.


Very thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
ebreniz Thu, 03/27/2008 - 09:20
User Badges:
  • Silver, 250 points or more

With the configuration the way you have it, you will only require HTTPS to be authenticated.

Please refer to


http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/fwaaa.htm#wp1046750

for details on the various possibilities for that type of configuration.


Essentially, you just need to add ssh to the authentication access-list

so that that type of traffic mandates an active authentication session.

This is assuming that an HTTPS server is listening on the TS server you

have inside. It is mandatory to have at least one of the following

service: telnet, ftp, http, https on that destination server. If you

have an HTTPS service on your TS server, just add the following to your

configuration:

access-list 170 extended permit tcp any any eq ssh


Another way to proceed would be to use a virtual telnet or http server

on the ASA. However, it mandates to use another ip address than is not

in use by the ASA interface or NAT pool.



Actions

This Discussion