Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Cut-through proxy configuration issue

I am having issues setting up cut-through proxy on an ASA 5510 running version 8.4 (2).  All I'm trying to do is make it so user's have to log in to access external websites (both http and https), based on an Active Directory group called "InternetAccess".  If a user is in that group, they can access the internet, if they aren't they are blocked.  I've checked several links recommended in the support forums, but I can't seem to get this to work properly.  Also, I'm using a Windows Server 2008R2 RADIUS server for authenticatiom, via the Windows Network Policy and Access Services. 

So far, here is what I've tried.
-Configured a RADIUS server group on the ASA.
-Added the IP address to the radius server.
-Tested Authentication via the Test button is ASDM and entered my Active Directory credentials.  The test is successful.  The Authorization test fails.
-Configured the RADIUS server Connection Request Policy to allow the ASA as a client via friendly name.
-Configured the RADIUS server Network Policy to allow the "InternetAccess" group.

On the ASA, typed the following commands:
access-list myauth permit tcp internalIPrange netmask any eq 80
access-list myauth permit tcp internalIPrange netmask any eq 443
aaa authentication match myauth inside RADIUSSERVERNAME

After running these commands, HTTPS sites give an "invalid certificate error" and then the standard "Internet Explorer couldn't load this page" if you click through to ignore the certificate error.  HTTP sites just go straight to the "Internet Explorer couldn't load this page" error.  I'm never prompted for login information.  Is there something else I'm missing?  Should I be using the Cisco Active Directory agent at all?  There's a lot of information on this topic and quite honestly I'm a bit lost when it comes to confguring this.

1 REPLY
New Member

Cut-through proxy configuration issue

Nevermind, I've gotten this to work.  I switched from RADIUS to TACACS+, and then followed the directions here: https://supportforums.cisco.com/docs/DOC-14695.  I still had issues afterwards where the browser would say "Looking up INTERNALGATEWAY, then time out before loading the authentication prompt.  I ended up adding an A record to our DNS server named INTERNALGATEWAY with the IP address of our internal network interface, and now I get the authentication prompt.  Just wanted to post this here in case anyone else had this issue as well.

991
Views
0
Helpful
1
Replies
CreatePlease to create content