
AAA Authentication for Traffic Passing through ASA

rmeans
Level 3

I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled, access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificate. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).

Am I missing something?

firewall# show run aaa

aaa authentication http console TACACS+ LOCAL

aaa authentication telnet console TACACS+ LOCAL

aaa authentication serial console TACACS+ LOCAL

aaa authentication ssh console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authentication match guestnetwork_access guestnetwork RADIUS

aaa authentication secure-http-client

firewall# show access-li guestnetwork_access

access-list guestnetwork_access; 2 elements

access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)

access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)

firewall# show run aaa-s

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 192.168.250.14

key xxxxx

firewall# show run http

http server enable

2 Replies

jens.becker
Level 1

Your definition for the aaa-server is different to the aaa authentication server-group.

Try:

aaa authentication http console RADIUS LOCAL

aaa authentication telnet console RADIUS LOCAL

...

I tried the change you suggested. Nothing changed. The problem continues.