chapter 10 - using proxy services to control access.pdf

Upload: duong-chick

Post on 05-Oct-2015


  • 5/19/2018 Chapter 10 - Using Proxy Services to Control Access.pdf

    1/33

    2013 Cisco Systems, Inc. All rights reserved. Cisco Public. Design by H V Anh Tun

    CHAPTER 10: Using Proxy Services to Control Access

    User-Based (Cut-Through) Proxy Overview

    When a user attempts to transit your Cisco ASA and access a resource, the ASA checks the user's identity against a local or remote user database. This is the authentication aspect of the process. Next, user-specific policies can be applied (authorization). Finally, information about user-specific traffic can be sent to a server set up to collect this information (accounting).

    User Authentication

    A user of your network attempts to access a resource that requires authentication. The ASA provides a username/password prompt. You configure exactly which resources trigger this authentication behavior.

    This authentication process needs to occur only once per source IP address for all the authentication rules that you configure on the Cisco ASA. This is where the cut-through part of the name originates. The credentials of the user are cached on the Cisco ASA so that subsequent requests from that address do not trigger another authentication. You can control the timeout behavior of this process.

    User Authentication (cont.)

    Initial authentication can be triggered only by one of the following protocols: HTTP, HTTPS, FTP, or Telnet.

    AAA on the ASA

    Authentication, authorization, and accounting (AAA) services are used for a variety of purposes on the Cisco ASA. The main three are the following:

    • Administrative access
    • Cut-through proxy
    • Remote-access VPNs

    Direct HTTP Authentication with the Cisco ASA

    The Cisco ASA provides two solutions for direct HTTP authentication:

    • HTTP redirection
    • Virtual HTTP

    HTTP Redirection

    With the HTTP redirection method, the Cisco ASA actively listens for HTTP requests on TCP port 80. When the Cisco ASA detects such requests, it redirects internal users to a local web page that is a form for the user to input their appropriate credentials.

    If the user is authenticated properly with these credentials, the user is then directed to access the external web server.

    If the external web server requires its own separate authentication process and credentials, it can challenge the user directly at that time.

    HTTP Redirection (cont.)

    Note: There is an option to redirect the HTTPS sessions of users to an internal web page served by HTTPS. The use of this method is not recommended because it may result in certificate warnings being sent to the end user. These warnings could be interpreted as an attempted man-in-the-middle attack.

    Virtual HTTP

    Using the virtual HTTP method, users authenticate against the Cisco ASA using an IP address of the virtual HTTP server inside the Cisco ASA. No web page for credentials is required. Once the user is authenticated, their credentials are not sent further into the outside network in order to access the external web server.

    Notice that this method works well when you want to prohibit the sending of credentials into an untrusted network.

    Direct Telnet Authentication

    In this case, internal users can be authenticated using the virtual Telnet feature. The user establishes a Telnet session to a virtual Telnet IP address you assign on the Cisco ASA. At this point, the user is challenged for a username and password that can be presented against the AAA services.

    Configuration Steps of User-Based Proxy

    Step 1. Configure the Cisco ASA to communicate with one or more external AAA servers or, alternatively, configure AAA on the Cisco ASA itself.

    Step 2. Configure the appropriate authentication rules on the ASA.

    Step 3. (Optional) Change the authentication prompts and timeouts.

    Step 4. (Optional) Configure authorization.

    Step 5. (Optional) Configure the accounting rules.

    Configuring User Authentication

    Navigate to Configuration > Firewall > AAA Rules > Add > Add Authentication Rule.

    Verifying User Authentication

    Verifying user-based proxy on the Cisco ASA is easy. Just initiate traffic of the appropriate type across the ASA and, when prompted, enter valid username and password credentials. Once you have done so, you can use the show uauth CLI command. This command allows you to easily inspect the following:

    • Users currently authenticated by the Cisco ASA
    • The IP address of an authenticated user
    • The absolute and inactivity timers associated with each authenticated user

    Should you need to clear the cached authentication information, use the clear uauth command. Note that this command causes users to reauthenticate, but it will not affect the current and established sessions of the authenticated users.

    Another CLI command of value for verification is show aaa-server. This command enables you to display the following:

    • The server group
    • The protocol used
    • The IP address of the active server in the group
    • The status of the server
    • Statistics on authentication requests and responses

    Configuring HTTP Redirection

    Navigate to Configuration > Firewall > AAA Rules and click Advanced in the AAA Rules pane. This opens the AAA Rules Advanced Options dialog box. Click Add, and then click the HTTP radio button.

    The key to this configuration is to check the Redirect Network Users for Authentication Requests check box.

    You can accomplish these results at the command line with the following statement:

    Configuring the Virtual HTTP Server

    You can accomplish these results at the command line with the following statement:

    Configuring Direct Telnet

    You can accomplish these results at the command line with the following statement:

    Configuring Authentication Prompts and Timeouts

    Navigate to Configuration > Device Management > Users/AAA > Authentication Prompt.

    You can also configure these custom prompts from the command line with the following commands:

    Configuring Authentication Timeouts

    Authentication timeouts are critical because they set the time limits after which a user will be required to reauthenticate. Two types of timeouts are used with cut-through proxy:

    • Inactivity timeout value: Controls timing out based on idle time (no user traffic is being forwarded by the Cisco ASA).
    • Absolute timeout value: Ignores activity and begins just after the user is authenticated by the device. The absolute timer should be set to a longer duration than the inactivity timer; otherwise the inactivity timer can never expire first and has no effect.
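    Steps 1 to 3 of the procedure, together with the HTTP redirection, virtual HTTP, direct Telnet, prompt and timeout slides, as one ASA CLI configuration. This is an added example written for this page, not a command listing from the deck; the interface name, addresses, ACL and server-group names and the shared secret are placeholders of my choosing, and the "!" lines are comments for the reader.

```cisco
! Step 1: AAA server group reachable via the inside interface (placeholder address/secret)
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 10.1.1.5
 key RADIUS-SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813
!
! Step 2: the traffic that triggers cut-through authentication. Only HTTP, HTTPS,
! FTP and Telnet can trigger the initial prompt; 192.168.100.11 is the virtual
! Telnet address defined further down.
access-list AUTH_TRIGGER extended permit tcp 10.10.0.0 255.255.0.0 any eq www
access-list AUTH_TRIGGER extended permit tcp 10.10.0.0 255.255.0.0 any eq ftp
access-list AUTH_TRIGGER extended permit tcp 10.10.0.0 255.255.0.0 host 192.168.100.11 eq telnet
aaa authentication match AUTH_TRIGGER inside RADIUS_SRV
!
! Direct HTTP authentication, method 1: HTTP redirection. The ASA listens on
! TCP/80 and redirects the user to its own login form. No HTTPS listener is
! configured on purpose: redirecting HTTPS sessions produces certificate
! warnings that users may read as a man-in-the-middle attack.
aaa authentication listener http inside port 80 redirect
!
! Direct HTTP authentication, method 2: virtual HTTP. Users authenticate against
! this ASA-hosted address, so their credentials are not forwarded to the
! external web server on the untrusted side.
virtual http 192.168.100.10
!
! Direct Telnet: users open a Telnet session to this virtual address and are
! challenged for credentials before any other traffic is allowed through.
virtual telnet 192.168.100.11
!
! Step 3 (optional): custom prompts and the two uauth timers.
auth-prompt prompt Corporate network, enter your credentials
auth-prompt accept Authentication succeeded
auth-prompt reject Authentication failed
! Inactivity expires after 10 idle minutes; the absolute timer is deliberately
! longer (8 hours) so that the inactivity timer can actually expire first.
timeout uauth 0:10:00 inactivity
timeout uauth 8:00:00 absolute
!
! Verification from exec mode: show uauth, show aaa-server RADIUS_SRV, clear uauth
```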


    Configuring User Authorization

    The two user-based authorization methods possible with the Cisco ASA are as follows:

    • Download per-user ACLs from a RADIUS AAA server during the authentication process. This is the process that Cisco strongly recommends.
    • User authorization based on a TACACS+ AAA server

    An important aspect of the downloadable per-user ACL feature is that it enables you to configure what is called per-user override. The per-user override feature allows the downloaded ACL to override an existing ACL on the interface for the particular user. Cisco recommends that you use this feature because it makes enacting specific policies for specific users in the network easier.

    Without per-user override, both the interface ACL and the downloaded ACL are checked for permit statements for the packet to pass. With per-user override, the interface ACL must still be configured to permit the authentication trigger packet.
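    The two authorization methods and the per-user override behaviour described above, plus the accounting rule of Step 5, as an added ASA CLI example that is not from the deck; the ACL, interface and server-group names, the addresses and the shared secrets are placeholders I chose. Both methods appear here only to contrast them; a deployment normally uses one.

```cisco
! Interface ACL on the inside interface. Even with per-user override it must
! permit the packet that triggers authentication (HTTP from the user subnet).
access-list INSIDE_IN extended permit tcp 10.10.0.0 255.255.0.0 any eq www
access-list INSIDE_IN extended permit tcp 10.10.0.0 255.255.0.0 any eq ftp
access-list INSIDE_IN extended deny ip any any log
!
! The authentication rule that the authorization and accounting rules build on.
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 10.1.1.5
 key RADIUS-SHARED-SECRET-PLACEHOLDER
access-list AUTH_TRIGGER extended permit tcp 10.10.0.0 255.255.0.0 any eq www
aaa authentication match AUTH_TRIGGER inside RADIUS_SRV
!
! Method 1 (Cisco's recommendation): the per-user ACL is defined on the RADIUS
! server and downloaded during authentication. per-user-override lets that
! downloaded ACL replace INSIDE_IN for the authenticated user; without the
! keyword a packet must be permitted by both INSIDE_IN and the downloaded ACL.
access-group INSIDE_IN in interface inside per-user-override
!
! Method 2: authorization decided by a TACACS+ server for the matched traffic.
aaa-server TACACS_SRV protocol tacacs+
aaa-server TACACS_SRV (inside) host 10.1.1.6
 key TACACS-SHARED-SECRET-PLACEHOLDER
aaa authorization match AUTH_TRIGGER inside TACACS_SRV
!
! Step 5 (optional): accounting records for the same traffic, sent to RADIUS.
aaa accounting match AUTH_TRIGGER inside RADIUS_SRV
```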
