ASA Authentication Proxy Notes

These are just the notes I put together after researching and labbing basic ASA auth proxy over the last few days. Keep in mind, this does not include the authorization stuff / downloadable ACL stuff at this point. I will try to get a blog up demonstrating some of this soon.

Default:
– Syntax: aaa authentication match <ACL> <interface> <Authentication Method>
– HTTP/HTTPS/Telnet/FTP traffic transiting the ASA can be used to authenticate the user.
– HTTP “basic” authentication for HTTP traffic transiting the ASA via popup box
– HTTPS authentication for traffic transiting the ASA via basic custom login screen
– HTTP credentials are passed directly through to the web server
– HTTPS credentials are not passed through to the web server and additional login may be required

Manual Direct Authentication:
– Syntax: aaa authentication listener http|https <interface> port <port> (without the redirect keyword)
– HTTP/HTTPS/Telnet/FTP traffic transiting the ASA can be used to authenticate the user.
– Additionally allows direct authentication to the ASA at http[s]://interface_ip[:port]/netaccess/connstatus.html
– HTTP “basic” authentication for HTTP traffic transiting the ASA via popup box
– HTTPS authentication for traffic transiting the ASA via basic custom login screen
– HTTP credentials are passed directly through to the web server when using basic authentication
– HTTP credentials are not passed to the web server when using direct authentication
– HTTPS credentials are not passed through to the web server and additional login may be required
– Configured independently for HTTP and HTTPS

Redirection:
– Syntax: aaa authentication listener http|https <interface> port <port> redirect
– HTTP/HTTPS/Telnet/FTP traffic transiting the ASA can be used to authenticate the user.
– Redirects all HTTP/HTTPS traffic passing through the ASA to an internal “fancy” authentication page on the ASA
– Credentials are not passed through
– Additionally allows manual direct authentication to the ASA at http[s]://interface_ip[:port]/netaccess/connstatus.html
– Configured independently for HTTP and HTTPS

Virtual IP:
– Syntax: virtual http|telnet <virtual_ip>
– Authenticates traffic via HTTP or telnet directly on the ASA to a virtual IP address
– Does NOT pass credentials on to the destination web server
– Used when you do not wish to allow HTTP/HTTPS/telnet/FTP to transit the ASA but still want to authenticate traffic transiting the ASA
– Also can be used to authenticate protocols other than HTTP/HTTPS/telnet/FTP directly

aaa authentication secure-http-client:
– This command secures the HTTP connection between the client and the ASA by redirecting HTTP to HTTPS
– Once authenticated, traffic is redirected to the original destination
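Pulling the pieces above together, here is an added example of a redirection-mode cut-through proxy configuration. It is not from the original notes; the interface names, the 10.1.1.0/24 inside network, the RADIUS server 10.0.0.10 and its key, the virtual telnet address 10.1.1.254, and the ACL/server-group names are all constructed for the lab.

```text
! Added example configuration (not from the original notes). Interface names,
! addresses, the shared secret, and the ACL/server-group names are constructed.
!
! AAA server group the cut-through proxy authenticates against
aaa-server LAB-RADIUS protocol radius
aaa-server LAB-RADIUS (inside) host 10.0.0.10
 key LabSecret123
!
! Only HTTP/HTTPS/Telnet/FTP can carry the authentication prompt, so the
! match ACL lists those protocols explicitly rather than permitting ip any any.
access-list AUTH-PROXY extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH-PROXY extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list AUTH-PROXY extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-list AUTH-PROXY extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
aaa authentication match AUTH-PROXY inside LAB-RADIUS
!
! Redirection mode: HTTP and HTTPS listeners are configured separately. The
! redirect keyword sends the user to the ASA's own login page, so the user's
! credentials are never forwarded to the destination web server.
aaa authentication listener http inside port 1080 redirect
aaa authentication listener https inside port 1443 redirect
!
! Carry the HTTP login exchange itself over HTTPS; after authentication the
! client is redirected back to its original destination.
aaa authentication secure-http-client
!
! Virtual Telnet: an unused address that routes to the ASA, where a user can
! pre-authenticate before starting a protocol that cannot carry the prompt.
virtual telnet 10.1.1.254
!
! Bound the authenticated session (default is 0:05:00 absolute; a value of 0
! leaves the user authenticated until the uauth entry is cleared).
timeout uauth 0:30:00 absolute
```

Users who are already authenticated can also be checked or cleared from the uauth table with `show uauth` and `clear uauth`, which is the quickest way to confirm in the lab which mode actually authenticated a given host.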
