Simple IAS Authentication issue

Unanswered Question
Mar 28th, 2008

Hi all,

I configured Cisco ASA 5540 with Active Directory integrated IAS. Authentication for all tcp traffic is enabled in ASA by following command

aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 RADIUS-GROUP

I also configured dACL in IAS with AV-Pairs.

Whenever a user tries to connect to internet, a "HTTP Authentication" window pops up and asks for username password. I enter the username&password which is alreaddy logged in to domain, then everything works perfect. dACLs works too.

But the issue is that username&password pop-up. It supposed to pop-up when a client which is not joined to domain, or logged on locally not to domain. But it pops when the user is already logged with domain credidentals. I dont want to type it again when trying to browse for the first time.

Thanks for any comments

Regards

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
husycisco Sat, 03/29/2008 - 12:31

Here are some update.

I disabled IAS and configured Cisco Secure ACS 4.2 trial. I did the necessary config change in ASA.

I tested an Active Directory account in CLI, authentication is successfull. Account also appears as dynamic in ACS Users, thats all fine.

But AGAIN! whenever I try to browse the net, I get that "HTTP Authentication" pop-up. If I enter the domain user credidentals, all works fine.

So I still have the same problem that I encountered above. Should I be using certificates? Any ideas, thoughts are much appreciated.

Regards

JORGE RODRIGUEZ Sun, 03/30/2008 - 12:47

Hi Huseyin, well this one is a tricky one.., at least I amd pushing this thread back to the begining of all AAA threads sort of to not let it lose momentum so that some expert can shed some light :-), I just loaded some docs to understand the implementation, I could be wrong but you have conducted two different implementations using two platforms IAS and cisco ACS and same outcome but this seems to nawrrow down a bit the issue more in ASA configuration side, I still need to read a bit more on asa authentication include exclude type of services requiering autentication and other optional parameters.

I think when a user is autenticated through the widows DOMAIN ASA is still responding as a http proxy, so I wander if by adding aaa autentication exclude http inside etc.. would make a difference, well maybe Im off on this one but let me re-read this several times, in the meantime perhaps someone may join the cause.

Here is the link Im using if anyone wants to join this thread to resolve this. http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/a1_72.html#wp1437563

husycisco Mon, 03/31/2008 - 06:55

Hi Jorge,

Thanks for sticking with me on this issue m8, much appreciated.

Here is a little background about what I am trying to achieve,

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc00e8c

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbe94a0

And they haven't got any response :)

But you know what, I think you pointed me to the obvious, that I didnt see. I always answer the askers that ASA is not a proxy itself, but without exxcluding http, I am configuring the device as a proxy!. This something which Websense can handle. I wish to see everything works fine tonight when I exclude http. I will keep you posted m8.

JORGE RODRIGUEZ Mon, 03/31/2008 - 18:22

Yeah.. I read the sencond thread..woow, you indeed have done some serious testing with acs, and what is left is this authentication pop-up thing, I would bet it must have to do with that asa statement and optional parameters for certain protocols.. let me know how it goes with the exclude..

Rgds

jorge

husycisco Tue, 04/01/2008 - 13:59

No cigar...

109023

Error Message %PIX-3-109023: User from src_IP_Adress/src_port to

dest_IP_Address/dest_port on interface outside must authenticate before using this

service.

Explanation This is a AAA message. Based on the configured policies, you need to be authenticated before you can use this service (port).

I exclueded http traffic, and got the above log in syslog when I try to RDP or somethn else

And here is the recommended action? Lol?

Recommended Action Have the user authenticate using Telnet, FTP or HTTP before attempting to use the above service (port).

Hunter Tue, 04/01/2008 - 14:43

Hi ... your aaa stmt essentially says authen all outbound conn's via the RADIUS-GROUP aaa servers. Check a few things ... 1: what does a show acl look like after you built the first outbound connection? What are the UAUTH timers set at? If you do a debug on aaa authen ... does the next connection want an authen because its new ports? I suspect that's the case ... check to see what the show acl looks like after the first connection has been logged off ... is the uauth entry still there ? Have you tried to do the second connection while the first one is stillup? What happens ... you can email me directly. ... TomH

husycisco Mon, 05/26/2008 - 21:54

Thanks everybody for your efforts, but this will stay as a mystery.

michelcaissie Wed, 06/04/2008 - 07:19

Hi , i haven't read all the links related to this post but here is a couple of hints , hope they can

help

>>But the issue is that username&password pop-up. It supposed to pop-up when a client which

>>is not joined to domain, or logged on locally not to domain. But it pops when the user is already logged

>>with domain credidentals. I dont want to type it again when trying to browse for the first time.

Make sure your browser is configure to pass the credentials;

IE6

Internet Options -Advanced -Security - Enable Integrated Windows Authentication

>>>aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 RADIUS-GROUP

"reference cisco: Although you can configure the security appliance to require authentication for network

access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only.

A user must first authenticate with one of these services before the security appliance allows other traffic

requiring authentication. "

Here you have to make sure that your first request is either http,https,telnet or ftp to trigger the

authentication. If your DNS is outside your firewall , browsing www.google.com would not trigger

the authentication , since the first request would be a dns request to resolve www.google.com.

With no resolution , no following http request.

Actions

This Discussion