Authentication for outbound Internet Traffic

rmanapat
Level 1

Hi, I have a site where everybody on the inside interface has to be authenticated by a RADIUS Server.  I have that part working but the problem is I've got a lot of AAA entries for exclude.  What I want to accomplish (if possible) is to use access-list and object-group so that if I have a new host I need to exclude, I can just add that into my object-group statement instead of adding another aaa exclude line.  Please look at my configuration below and any suggestion would be appreciated.

aaa-server AuthInbound protocol radius
aaa-server AuthInbound (inside) host 192.168.234.100 ********** timeout 5
max-failed-attempts 3

aaa authentication include tcp/0 inside 192.168.234.0 255.255.255.0 0 0 AuthInbound
aaa authentication include udp/0 inside 192.168.234.0 255.255.255.0 0 0 AuthInbound

aaa authentication exclude http inside 192.168.234.0 255.255.255.0 4.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 4.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude http inside 192.168.234.0 255.255.255.0 208.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 208.xxx.xxx.164 255.255.255.255 AuthInbound
aaa authentication exclude tcp/6260 inside 192.168.234.0 255.255.255.0 4.xxx.xxx.165 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 4.2.2.1 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 4.2.2.2 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 4.2.2.3 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 8.8.4.4 255.255.255.255 AuthInbound
aaa authentication exclude 53 inside 192.168.234.0 255.255.255.0 8.8.8.8 255.255.255.255 AuthInbound
aaa authentication exclude ftp inside 192.168.234.0 255.255.255.0 69.xxx.xxx.179 255.255.255.255 AuthInbound
aaa authentication exclude ftp inside 192.168.234.0 255.255.255.0 63.xxx.xxx.113 255.255.255.255 AuthInbound
aaa authentication exclude http inside 192.168.234.0 255.255.255.0 96.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude http inside 192.168.234.0 255.255.255.0 72.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 64.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude https inside 192.168.234.0 255.255.255.0 64.xxx.xxx.0 255.255.0.0 AuthInbound
aaa authentication exclude tcp/12975 inside 192.168.234.0 255.255.255.0 74.xxx.xxx.0 255.255.255.0 AuthInbound
aaa authentication exclude tcp/32976 inside 192.168.234.0 255.255.255.0 74.xxx.xxx.0 255.255.255.0 AuthInbound
and more ...

Thank you,

Russell

2 Replies

Panos Kampanakis
Cisco Employee

Russell,

Look at command "aaa authentication match" on the ASA. You can use an ACL for traffic that will be matched for cut-through proxy.

I hope it helps.

PK
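To make the suggestion concrete, here is an added example (not part of PK's reply and not a Cisco-published config) of what the ACL-driven form of the original configuration could look like. In an "aaa authentication match" ACL, permit entries name the traffic that must be authenticated and deny entries name the traffic that is exempt, so the exclusions become deny lines referencing object-groups, and a new exempt host is just one more network-object. It assumes the AuthInbound server group and the 192.168.234.0/24 inside subnet from the original post; the public destination addresses below are placeholder documentation-range addresses standing in for the redacted ones, and the DNS resolvers are the ones the post lists.

```cisco
! Added example, not the poster's or Cisco's configuration.
! The ASA accepts either include/exclude or match on an interface, not both,
! so the existing aaa authentication include/exclude lines for "inside"
! are removed before the match statement is applied.
!
! Exempt destinations, grouped so that adding a host is a single line.
object-group network EXEMPT-DNS
 network-object host 4.2.2.1
 network-object host 4.2.2.2
 network-object host 4.2.2.3
 network-object host 8.8.4.4
 network-object host 8.8.8.8
!
object-group network EXEMPT-WEB
 network-object host 203.0.113.164
 network-object 198.51.100.0 255.255.0.0
!
object-group network EXEMPT-FTP
 network-object host 203.0.113.179
!
! Port groups keep the ACL short when a destination is exempt on several services.
object-group service EXEMPT-WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
! deny = no authentication required; permit = cut-through proxy authenticates.
! Deny lines must come before the catch-all permits (first match wins).
access-list AUTH-PROXY extended deny udp 192.168.234.0 255.255.255.0 object-group EXEMPT-DNS eq domain
access-list AUTH-PROXY extended deny tcp 192.168.234.0 255.255.255.0 object-group EXEMPT-WEB object-group EXEMPT-WEB-PORTS
access-list AUTH-PROXY extended deny tcp 192.168.234.0 255.255.255.0 object-group EXEMPT-FTP eq ftp
access-list AUTH-PROXY extended permit tcp 192.168.234.0 255.255.255.0 any
access-list AUTH-PROXY extended permit udp 192.168.234.0 255.255.255.0 any
!
! One statement replaces the whole list of include/exclude lines.
aaa authentication match AUTH-PROXY inside AuthInbound
```

Two things to keep in mind when testing this. The ASA can only prompt for credentials on HTTP, HTTPS, FTP and Telnet, so the permit tcp/udp "any" lines still require the user to authenticate through one of those protocols first; other matched traffic passes only once a uauth entry exists for that source address. "show access-list AUTH-PROXY" shows which deny and permit lines are being hit, and "show uauth" lists the currently authenticated hosts, which is the quickest way to confirm that an exempt destination really is bypassing the RADIUS prompt.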

Ganesh Hariharan
VIP Alumni

Hi Russell,

Check out the below link for outbound authentication using auth proxy.

http://www.ciscosystems.com.pe/application/pdf/paws/13886/auth3.pdf

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
