Issue with Cut Through Proxy

saurav.khanna
Level 1

Hello,

My setup is Internet-----Juniper F/W--------Cisco ASA

I have configured cut-through proxy on an ASA 5525X, version 9.x. So, when a user tries to access a web server from the internet, he gets a prompt to enter his username and password. It works fine; the issue that I have arises when a home user is coming from behind his router and he is using multiple devices.

For the first access, the user gets a prompt to enter a username and password. Once he authenticates himself, he lands on the web page. When another user tries to access the website from the same location, he does not get prompted to enter credentials and he can access the website immediately.

I guess that uauth is tied to the source IP address only. Is there any way to change this behaviour?

Saurav

3 Replies

jan.nielsen
Level 7

Yes, proxy authentication only uses the source address to allow the traffic once authenticated. This, I believe, can't be changed.

I guess this can't be changed. But imagine a scenario in which there are 100 people sitting behind a PAT device. If one authenticates to a site via 2FA, like in my case, then all the other 99 are allowed to go through...

Yup, but this is where you would use something like a web proxy device, like an Ironport or Firepower for ASA, not a regular ASA firewall. The cut-through-proxy feature is old and hasn't had any enhancement for many years.
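
The behaviour discussed in this thread, as an added example that is not part of the original posts: a simplified Python model (not ASA code) that compares an authentication cache keyed on source IP with one keyed on a per-client session token. The class names, addresses, tokens and request list are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SourceIpGate:
    """Simplified model (assumption): auth state is keyed on source IP only."""
    authed: set = field(default_factory=set)

    def login(self, src_ip, token):
        self.authed.add(src_ip)

    def allowed(self, src_ip, token):
        return src_ip in self.authed


@dataclass
class SessionGate:
    """Contrast model: auth state is keyed on a per-client session token,
    which an HTTP-aware proxy can track separately for each device."""
    authed: set = field(default_factory=set)

    def login(self, src_ip, token):
        self.authed.add(token)

    def allowed(self, src_ip, token):
        return token in self.authed


# Constructed sample: three devices behind one home router share a public IP.
NAT_IP = "203.0.113.10"
REQUESTS = [  # (device, source IP seen by the gate, session token, logs in?)
    ("laptop", NAT_IP, "tok-laptop", True),
    ("phone", NAT_IP, "tok-phone", False),
    ("tablet", NAT_IP, "tok-tablet", False),
    ("other-site", "198.51.100.7", "tok-other", False),
]


def unauthenticated_access(gate):
    """Return the devices that were let through without presenting credentials."""
    passed = []
    for device, ip, token, logs_in in REQUESTS:
        if logs_in:
            gate.login(ip, token)
        elif gate.allowed(ip, token):
            passed.append(device)
    return passed


if __name__ == "__main__":
    print("source-IP keyed:", unauthenticated_access(SourceIpGate()))
    print("session keyed:  ", unauthenticated_access(SessionGate()))
```

With the source-IP model, every device behind the shared address inherits the first login; with per-session state, only the device that authenticated is let through.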
