I am having issues setting up cut-through proxy on an ASA 5510 running version 8.4(2). All I'm trying to do is make it so users have to log in to access external websites (both HTTP and HTTPS), based on an Active Directory group called "InternetAccess". If a user is in that group, they can access the internet; if they aren't, they are blocked. I've checked several links recommended in the support forums, but I can't seem to get this to work properly. Also, I'm using a Windows Server 2008 R2 RADIUS server for authentication, via the Windows Network Policy and Access Services.
So far, here is what I've tried:
- Configured a RADIUS server group on the ASA.
- Added the IP address to the RADIUS server.
- Tested authentication via the Test button in ASDM and entered my Active Directory credentials. The test is successful. The authorization test fails.
- Configured the RADIUS server Connection Request Policy to allow the ASA as a client via friendly name.
- Configured the RADIUS server Network Policy to allow the "InternetAccess" group.
On the ASA, typed the following commands:

access-list myauth permit tcp internalIPrange netmask any eq 80
access-list myauth permit tcp internalIPrange netmask any eq 443
aaa authentication match myauth inside RADIUSSERVERNAME
After running these commands, HTTPS sites give an "invalid certificate" error and then the standard "Internet Explorer couldn't load this page" if you click through to ignore the certificate error. HTTP sites just go straight to the "Internet Explorer couldn't load this page" error. I'm never prompted for login information. Is there something else I'm missing? Should I be using the Cisco Active Directory agent at all? There's a lot of information on this topic and quite honestly I'm a bit lost when it comes to configuring this.
Never mind, I've gotten this to work. I switched from RADIUS to TACACS+, and then followed the directions here: https://supportforums.cisco.com/docs/DOC-14695. I still had issues afterwards where the browser would say "Looking up INTERNALGATEWAY", then time out before loading the authentication prompt. I ended up adding an A record to our DNS server named INTERNALGATEWAY with the IP address of our internal network interface, and now I get the authentication prompt. Just wanted to post this here in case anyone else had this issue as well.
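As an added illustration of the setup discussed in this thread (this is not the poster's configuration and not the contents of the linked Cisco document), the ASA 8.4 fragment below shows the shape of a cut-through proxy with a TACACS+ server group and redirect-style authentication listeners. The server address, shared secret, inside subnet, group name and listener ports are placeholders. The "InternetAccess" group check is enforced by the AAA server's policy (NPS in the original post); the ASA only sees an accept or a reject, so a user outside the group fails the authentication match and the flow is dropped.

```cisco
! Added example for an ASA 8.4 cut-through proxy. Addresses, names, ports
! and the key are placeholders, not values taken from the original post.
!
! TACACS+ server group; AD group membership is evaluated on this server,
! the ASA itself only acts on the server's accept/reject.
aaa-server TACACS-GROUP protocol tacacs+
aaa-server TACACS-GROUP (inside) host 10.0.0.10
 key REPLACE_WITH_SHARED_SECRET
!
! Traffic that must be authenticated: inside users to any web server
access-list myauth extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list myauth extended permit tcp 10.0.0.0 255.255.255.0 any eq https
!
! Require authentication for matching flows entering on the inside interface
aaa authentication match myauth inside TACACS-GROUP
!
! Redirect listeners: rather than intercepting the user's own HTTP/HTTPS
! connection to present the prompt (intercepting an HTTPS connection means
! the ASA answers with its own certificate, a common source of the browser
! certificate warning), the ASA redirects the browser to these listeners.
! 1080/1443 are example ports chosen not to collide with other services
! already listening on the inside interface.
aaa authentication listener http inside port 1080 redirect
aaa authentication listener https inside port 1443 redirect
!
! Serve the prompt over HTTPS so credentials are not sent in clear text
aaa authentication secure-http-client
!
! Lifetime of a successful authentication (absolute 30 minutes)
timeout uauth 0:30:00 absolute
```

After applying it, test once with an account in the group and once with an account outside it; `show uauth` on the ASA lists the currently authenticated users, which makes it easy to confirm that only the in-group account was admitted. If the redirect points the browser at a hostname, that name must resolve on the clients' DNS, which is the A-record problem the poster ran into.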