ASA auth-proxy virtual service problem

hetao1601
Level 1

Hi, all

I have set up a lab for AAA auth-proxy; the ASA5510 is version 7.0 and ACS is 4.0. There are two problems, as below:

1. After successful authentication via HTTPS through the ASA's virtual services, the prompt page flashes by so quickly that we don't even have time to see it. The ASA5510's configuration is as follows:

auth-prompt prompt -- Welcome to ABC company --

auth-prompt accept -- thanks, you can go ahead --

auth-prompt reject -- You are failed to be authenticated --

It seems there is no command on the ASA5510 to specify how long the auth-prompt page stays up.

Does anyone know whether it can be specified, so that we can see the success page and know we succeeded?

2. When HTTP traffic was authenticated, the ASA could raise the prompt window, and I finished the authentication successfully. But when I click another hyperlink, which is on HTTP port 8000, the ASA replies "Error: Must authenticate before using this service".

I want to know whether this is because of port 8000 or because of HTTP cache reauthentication.

Many thanks

1 Reply

ebreniz
Level 6

With the configuration the way you have it, you will only require HTTPS to be authenticated.

Please refer to

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/fwaaa.htm#wp1046750

for details on the various possibilities for that type of configuration.

Essentially, you just need to add ssh to the authentication access-list so that that type of traffic mandates an active authentication session. This is assuming that an HTTPS server is listening on the TS server you have inside. It is mandatory to have at least one of the following services: telnet, ftp, http, https on that destination server. If you have an HTTPS service on your TS server, just add the following to your configuration:

access-list 170 extended permit tcp any any eq ssh

Another way to proceed would be to use a virtual telnet or http server on the ASA. However, it requires using another IP address that is not in use by the ASA interface or NAT pool.
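The following ASA 7.0 configuration sketch is an added illustration, not configuration from the original thread, showing how the pieces the reply describes fit together: the authentication access-list that decides which traffic must authenticate, the aaa authentication match statement that binds it to the AAA server, and the virtual telnet alternative. The server tag ACS, the server address, the TACACS+ key, the virtual telnet address and the extra port 8000 entry (an extension of the reply's ACL pattern to the asker's port 8000 link) are my assumptions.

```cisco
! Added example (not from the original thread). Placeholder values:
! ACS at 192.0.2.10, key CHANGE_ME_KEY, unused inside address 192.0.2.200.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10 CHANGE_ME_KEY
!
! Authentication ACL: only traffic matched here is challenged for
! authentication. As posted, only HTTPS is matched, which is why the
! reply says only HTTPS is required to authenticate.
access-list 170 extended permit tcp any any eq https
!
! The reply's suggestion: add the extra service to the same ACL so that
! it requires an active authentication session.
access-list 170 extended permit tcp any any eq ssh
!
! Assumed extension of the same pattern to the asker's port 8000 link.
access-list 170 extended permit tcp any any eq 8000
!
! Bind the ACL to the inside interface and the ACS server group.
aaa authentication match 170 inside ACS
!
! Alternative from the reply: a virtual telnet server on the ASA. The
! address must not be in use by any ASA interface or NAT pool.
virtual telnet 192.0.2.200
!
! Prompts exactly as in the original post.
auth-prompt prompt -- Welcome to ABC company --
auth-prompt accept -- thanks, you can go ahead --
auth-prompt reject -- You are failed to be authenticated --
```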