Cut-through proxy configuration issue

DevinHill

I am having issues setting up cut-through proxy on an ASA 5510 running version 8.4(2).  All I'm trying to do is make it so users have to log in to access external websites (both HTTP and HTTPS), based on an Active Directory group called "InternetAccess".  If a user is in that group, they can access the internet; if they aren't, they are blocked.  I've checked several links recommended in the support forums, but I can't seem to get this to work properly.  Also, I'm using a Windows Server 2008 R2 RADIUS server for authentication, via the Windows Network Policy and Access Services.

So far, here is what I've tried.
-Configured a RADIUS server group on the ASA.
-Added the IP address to the radius server.
-Tested Authentication via the Test button in ASDM and entered my Active Directory credentials.  The test is successful.  The Authorization test fails.
-Configured the RADIUS server Connection Request Policy to allow the ASA as a client via friendly name.
-Configured the RADIUS server Network Policy to allow the "InternetAccess" group.

On the ASA, typed the following commands:
access-list myauth permit tcp internalIPrange netmask any eq 80
access-list myauth permit tcp internalIPrange netmask any eq 443
aaa authentication match myauth inside RADIUSSERVERNAME

After running these commands, HTTPS sites give an "invalid certificate" error and then the standard "Internet Explorer couldn't load this page" if you click through to ignore the certificate error.  HTTP sites just go straight to the "Internet Explorer couldn't load this page" error.  I'm never prompted for login information.  Is there something else I'm missing?  Should I be using the Cisco Active Directory agent at all?  There's a lot of information on this topic and quite honestly I'm a bit lost when it comes to configuring this.

1 Reply

DevinHill

Never mind, I've gotten this to work.  I switched from RADIUS to TACACS+, and then followed the directions here: https://supportforums.cisco.com/docs/DOC-14695.  I still had issues afterwards where the browser would say "Looking up INTERNALGATEWAY", then time out before loading the authentication prompt.  I ended up adding an A record to our DNS server named INTERNALGATEWAY with the IP address of our internal network interface, and now I get the authentication prompt.  Just wanted to post this here in case anyone else had this issue as well.
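For readers landing on this thread with the same symptom (the auth ACL is in place but no login prompt ever appears), the following is an added example ASA 8.4 configuration for TACACS+ cut-through proxy. It is not the poster's configuration and not the contents of the linked Cisco document; the subnet 10.10.0.0/24, the server address 10.10.0.5, the group name TACACS-GRP, the listener ports and the shared-secret placeholder are all assumed values. Its main addition over the three commands in the question is the pair of `aaa authentication listener ... redirect` lines: with a listener, the ASA redirects the browser to a login page it serves itself, rather than trying to inject a prompt into the intercepted connection (which cannot work for TLS and is why an intercepted HTTPS session tends to surface as a certificate error).

```cisco
! Added example, not from the original post. Hypothetical ASA 8.4 cut-through
! proxy configuration with TACACS+ and explicit HTTP/HTTPS listeners.
! Assumed values: inside subnet 10.10.0.0/24, TACACS+ server 10.10.0.5,
! server-group name TACACS-GRP. Replace them with your own.

! AAA server group pointing at the TACACS+ host reachable via the inside interface
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 10.10.0.5
 key <TACACS_SHARED_SECRET_PLACEHOLDER>
 timeout 5

! Traffic that must be authenticated before it is forwarded:
! web traffic from the inside subnet to any destination
access-list myauth extended permit tcp 10.10.0.0 255.255.255.0 any eq 80
access-list myauth extended permit tcp 10.10.0.0 255.255.255.0 any eq 443

! Trigger authentication (and authorization) for flows matching the ACL
aaa authentication match myauth inside TACACS-GRP
aaa authorization match myauth inside TACACS-GRP

! Listeners: the ASA serves its own login page on these ports and redirects
! the browser to it. The https listener presents the ASA's identity
! certificate, so install one the clients trust or expect a browser warning.
aaa authentication listener http inside port 8080 redirect
aaa authentication listener https inside port 8443 redirect

! Login banner text and how long an authenticated user stays cached
auth-prompt prompt Log in with your domain account to reach the internet
timeout uauth 0:30:00 absolute
```

Two checks worth running before touching the browser: `test aaa-server authentication TACACS-GRP host 10.10.0.5 username <user> password <password>` confirms the ASA can actually authenticate against the server with the configured key, and `show uauth` after a login shows which source addresses currently hold an authenticated session and for how long. Note that the redirect points the browser at the ASA's inside interface, so, as the reply above describes, whatever name the client is handed for that interface must resolve on the internal DNS or the login page never loads.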