07-21-2010 07:59 AM - edited 03-10-2019 05:16 PM
Hi, I have a site where everybody on the inside interface has to be authenticated by a RADIUS Server. I have that part working but the problem is I've got a lot of AAA entries for exclude. What I want to accomplish (if possible) is to use access-list and object-group so that if I have a new host I need to exclude, I can just add that into my object-group statement instead of adding another aaa exclude line. Please look at my configuration below and any suggestion would be appreciated.
aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 192.168.234.100 ********** timeout 5
max-failed-attempts 3
aaa authentication include tcp/0 inside 192.168.234.0 255.255.255.0 0 0 AuthInbound
aaa authentication include udp/0 inside 192.168.234.0 255.255.255.0 0 0 AuthInbound
aaa authentication exclude http inside 192.168.234.0 255.255.255.0 4.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 4.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude http inside 192.168.234.0 255.255.255.0 208.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 208.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude tcp/6260 inside 192.168.234.0 255.255.255.0 4.xxx.xxx.165 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 4.2.2.1 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 4.2.2.2 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 4.2.2.3 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 8.8.4.4 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 8.8.8.8 255.255.255.255 AuthInbound
aaa authentication exclude ftp inside 192.168.234.0 255.255.255.0 69.xxx.xxx.179 255.255.255.255 AuthInbound
aaa authentication exclude ftp inside 192.168.234.0 255.255.255.0 63.xxx.xxx.113 255.255.255.255 AuthInbound
aaa authentication exclude http inside 192.168.234.0 255.255.255.0 96.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude http inside 192.168.234.0 255.255.255.0 72.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 64.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 64.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude tcp/12975 inside 192.168.234.0 255.255.255.0 74.xxx.xxx.0 255.255.255.0 AuthInbound
aaa authentication exclude tcp/32976 inside 192.168.234.0 255.255.255.0 74.xxx.xxx.0 255.255.255.0 AuthInbound
and more ...
Thank you,
Russell
07-22-2010 03:42 PM
Russell,
Look at the command "aaa authentication match" on the ASA. You can use an ACL to define the traffic that will be matched for cut-through proxy.
I hope it helps.
PK
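Putting PK's suggestion into a concrete configuration, as an added example that is not part of the original thread: the include/exclude list from Russell's post is rewritten as object-groups plus one ACL, attached with aaa authentication match. The object-group and ACL names are my own, and the public addresses masked as xxx in the post are replaced with RFC 5737 documentation addresses (203.0.113.0/24, 198.51.100.0/24) as placeholders, so substitute the real hosts and masks. The match ACL is first-match: permit means "send this flow through cut-through proxy", deny means "pass it without authentication", so every exemption must come before the catch-all permits that replace include tcp/0 and udp/0.

```cisco
! Added example, not from the original post. Names are mine; 203.0.113.x and
! 198.51.100.x stand in for the xxx-masked addresses in Russell's config.

! Public resolvers the clients may query before they have authenticated
object-group network AUTH_EXEMPT_DNS
 network-object host 4.2.2.1
 network-object host 4.2.2.2
 network-object host 4.2.2.3
 network-object host 8.8.4.4
 network-object host 8.8.8.8

! Web destinations reachable without the proxy prompt (hosts and ranges)
object-group network AUTH_EXEMPT_WEB
 network-object host 203.0.113.164
 network-object host 203.0.113.165
 network-object 198.51.100.0 255.255.255.0
object-group service AUTH_EXEMPT_WEB_PORTS tcp
 port-object eq www
 port-object eq https

! FTP servers exempt from authentication
object-group network AUTH_EXEMPT_FTP
 network-object host 203.0.113.179
 network-object host 203.0.113.113

! Application ports exempt toward one /24 (tcp/12975 and tcp/32976 in the post)
object-group service AUTH_EXEMPT_APP_PORTS tcp
 port-object eq 12975
 port-object eq 32976

! Exemptions first (deny = no cut-through proxy), then the catch-all permits
! that replace "aaa authentication include tcp/0" and "udp/0".
access-list AUTH_MATCH extended deny udp 192.168.234.0 255.255.255.0 object-group AUTH_EXEMPT_DNS eq domain
access-list AUTH_MATCH extended deny tcp 192.168.234.0 255.255.255.0 object-group AUTH_EXEMPT_WEB object-group AUTH_EXEMPT_WEB_PORTS
access-list AUTH_MATCH extended deny tcp 192.168.234.0 255.255.255.0 object-group AUTH_EXEMPT_FTP eq ftp
access-list AUTH_MATCH extended deny tcp 192.168.234.0 255.255.255.0 host 203.0.113.165 eq 6260
access-list AUTH_MATCH extended deny tcp 192.168.234.0 255.255.255.0 198.51.100.0 255.255.255.0 object-group AUTH_EXEMPT_APP_PORTS
access-list AUTH_MATCH extended permit tcp 192.168.234.0 255.255.255.0 any
access-list AUTH_MATCH extended permit udp 192.168.234.0 255.255.255.0 any

! The ASA does not let match and include/exclude coexist, so remove the old
! include lines (and every exclude line) before attaching the ACL.
no aaa authentication include tcp/0 inside 192.168.234.0 255.255.255.0 0 0 AuthInbound
no aaa authentication include udp/0 inside 192.168.234.0 255.255.255.0 0 0 AuthInbound
aaa authentication match AUTH_MATCH inside AuthInbound

! A new exempt host is then one line in the right object-group, no new aaa line:
object-group network AUTH_EXEMPT_WEB
 network-object host 203.0.113.200
```

To check it, watch the hit counts with show access-list AUTH_MATCH while a client resolves a name and browses: the DNS deny entry should increment without a prompt, and the first HTTP flow to a non-exempt site should hit the permit entry and trigger the RADIUS challenge, after which show uauth lists the user and clear uauth lets you repeat the test. Two caveats worth keeping in mind: the deny entries for a whole /16 or /24 exempt every host in that range, so keep those ranges as tight as the upstream service allows, and cut-through proxy can only present a login prompt on HTTP, HTTPS, FTP and Telnet, so a client whose first matched flow is some other TCP or UDP port is dropped until the user authenticates through one of those protocols (the same behaviour as the existing include tcp/0 and udp/0 lines).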
07-26-2010 12:40 AM
Hi Russell,
Check out the below link for outbound authentication using auth proxy.
http://www.ciscosystems.com.pe/application/pdf/paws/13886/auth3.pdf
Hope to help!!
Ganesh.H
Remember to rate the helpful post