Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA auth-proxy virtual service problem

Hi, all

I have setup a lab for aaa auth-proxy, ASA5510 version is 7.0, ACS 4.0; There are two problems as below:

1, after successful authentication by https via ASA's virtual services, the prompt page flash quickly, which even we didn't have time to see. The ASA5510's configuration is as following:

auth-prompt prompt -- Welcome to ABC company --

auth-prompt accept -- thanks, you can go ahead --

auth-prompt reject -- You are failed to be authenticated --

It seems there are no command to specify auth-prompt page's existing time at ASA5510.

Does anyone know whether it can be specified so that we can see the success page so that we know we succeed.

2, When http traffic were authenticated, ASA can challenge the prompt window, and I finished the authentication succesfully. But when I click another hyperlink which is http 8000 port, the ASA reply " Error: Must authenticate before using this service"

I want to know it is for 8000 port, or for http cache reauthentication.

Very thanks

1 REPLY
Silver

Re: ASA auth-proxy virtual service problem

With the configuration the way you have it, you will only require HTTPS to be authenticated.

Please refer to

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/fwaaa.htm#wp1046750

for details on the various possibilities for that type of configuration.

Essentially, you just need to add ssh to the authentication access-list

so that that type of traffic mandates an active authentication session.

This is assuming that an HTTPS server is listening on the TS server you

have inside. It is mandatory to have at least one of the following

service: telnet, ftp, http, https on that destination server. If you

have an HTTPS service on your TS server, just add the following to your

configuration:

access-list 170 extended permit tcp any any eq ssh

Another way to proceed would be to use a virtual telnet or http server

on the ASA. However, it mandates to use another ip address than is not

in use by the ASA interface or NAT pool.

250
Views
0
Helpful
1
Replies
CreatePlease login to create content