Date posted: 05-Oct-2015
5/19/2018 Chapter 10 - Using Proxy Services to Control Access.pdf
© 2013 Cisco Systems, Inc. All rights reserved. Cisco Public. Design by H V Anh Tun
CHAPTER 10: Using Proxy Services to Control Access
User-Based (Cut-Through) Proxy Overview
When a user attempts to transit your Cisco ASA and access a resource, the ASA checks the user's identity against a local or remote user database. This is the authentication aspect of the process. Next, user-specific policies can be applied (authorization). Finally, information about user-specific traffic can be sent to a server set up to collect this information (accounting).
User Authentication
A user of your network attempts to access a resource that requires authentication. The ASA provides a username/password prompt. You configure exactly which resources you want to trigger this authentication behavior.
This authentication process needs to occur only once per source IP address for all the authentication rules that you configure on the Cisco ASA. This is where the cut-through part of the name originates. The credentials of the user are cached on the Cisco ASA so that subsequent authentication requests do not have to transpire. You can control the timeout behavior of this process.
User Authentication (cont.)
Initial authentication can be triggered only by one of the following
protocols: HTTP, HTTPS, FTP, or TELNET.
AAA on the ASA
Authentication, authorization, and accounting (AAA) services are used for a variety of purposes on the Cisco ASA. The main three are the following:
Administrative access
Cut-through proxy
Remote-access VPNs
Direct HTTP Authentication with the Cisco ASA
The Cisco ASA provides two solutions for direct HTTP
authentication:
HTTP redirection
Virtual HTTP
HTTP Redirection
With the HTTP redirection method, the Cisco ASA actively listens for HTTP requests on TCP port 80. When the Cisco ASA detects such requests, it redirects internal users to a local web page that is a form for the user to input their appropriate credentials.
If the user is authenticated properly with these credentials, the user is then directed to access the external web server.
If the external web server requires its own separate authentication process and credentials, it can challenge the user directly at that time.
HTTP Redirection (cont.)
Note: There is an option to redirect the HTTPS sessions of users
to an internal web page served by HTTPS. The use of this
method is not recommended because it may result in certificate
warnings being sent to the end user. These warnings could be
interpreted as an attempted man-in-the-middle attack.
Virtual HTTP
Using the virtual HTTP method, the users authenticate against the Cisco ASA using an IP address of the virtual HTTP server inside the Cisco ASA. No web page for credentials is required.
Once the user is authenticated, their credentials are not sent further into the outside network in order to access the external web server.
Notice that this method works well when you want to prohibit the sending of credentials into an untrusted network.
Direct Telnet Authentication
In this case, internal users can be authenticated using the virtual Telnet feature. The user establishes a Telnet session to a virtual Telnet IP address you assign on the Cisco ASA. At this point, the user is challenged for a username and password that can be presented against the AAA services.
Configuration Steps of User-Based Proxy
Step 1. Configure the Cisco ASA to communicate with one or more external AAA servers or, alternatively, configure AAA on the Cisco ASA itself.
Step 2. Configure the appropriate authentication rules on the ASA.
Step 3. (Optional) Change the authentication prompts and timeouts.
Step 4. (Optional) Configure authorization.
Step 5. (Optional) Configure the accounting rules.
Configuring User Authentication
Navigate to Configuration > Firewall > AAA Rules > Add > Add Authentication Rule.
Verifying User Authentication
Verifying user-based proxy on the Cisco ASA is easy. Just initiate traffic of the appropriate type across the ASA and, when prompted, enter valid username and password credentials. Once you have done so, you can use the show uauth CLI command. This command allows you to easily inspect the following:
Users currently authenticated by the Cisco ASA
The IP address of an authenticated user
The absolute and inactivity timers associated with each authenticated user
Verifying User Authentication (cont.)
Should you need to clear the cached authentication information, use the clear uauth command. Note that this command causes users to reauthenticate, but it will not affect the current and established sessions of the authenticated users.
Verifying User Authentication (cont.)
Another CLI command of value for verification is show aaa-server. This command enables you to display the following:
The server group
The protocol used
The IP address of the active server in the group
The status of the server
Statistics on authentication requests and responses
Configuring HTTP Redirection
Navigate to Configuration > Firewall > AAA Rules and click Advanced in the AAA Rules pane.
This opens the AAA Rules Advanced Options dialog box. Click Add, and then click the HTTP radio button.
The key to this configuration is to check the Redirect Network Users for Authentication Requests check box.
Configuring HTTP Redirection (cont.)
You can accomplish these results at the command line with the following statement:
Configuring the Virtual HTTP Server
You can accomplish these results at the command line with the following statement:
Configuring Direct Telnet
You can accomplish these results at the command line with the following statement:
Configuring Authentication Prompts and Timeouts
Navigate to Configuration > Device Management > Users/AAA > Authentication Prompt.
Configuring Authentication Prompts and Timeouts (cont.)
You can also configure these custom prompts from the command
line with the following commands:
Configuring Authentication Timeouts
Authentication timeouts are critical because they set the time limits after which a user will be required to reauthenticate. Two types of timeouts are used with cut-through proxy:
Inactivity timeout value: Controls timing out based on idle time (no user traffic is being forwarded by the Cisco ASA).
Absolute timeout value: Ignores activity and begins just after the user is authenticated by the device. Obviously, the absolute timer should be set to a longer duration than the inactivity timer.
Configuring User Authorization
The two user-based authorization methods possible with the Cisco ASA are as follows:
Download per-user ACLs from a RADIUS AAA server during the authentication process: This is the process that Cisco strongly recommends.
User authorization based on a TACACS+ AAA server
Configuring User Authorization (cont.)
An important aspect of the downloadable per-user ACL feature is that it enables you to configure what is called per-user override. The per-user override feature allows the downloaded ACL to override an existing ACL on the interface for the particular user. Cisco recommends that you use this feature because it makes enacting specific policies for specific users in the network easier.
Without per-user override, both the interface ACL and the downloaded ACL are checked for permit statements for the packet to pass. With per-user override, the interface ACL must still be configured to permit the authentication trigger packet.
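Bringing together the five configuration steps, the HTTP redirection, virtual HTTP and virtual Telnet methods, the prompts and timeouts, and the per-user override authorization option covered above, here is an added Cisco ASA CLI example (written for this page; it is not the slides' own omitted statements). Server group names, ACL names, addresses, shared secrets and prompt text are assumptions, and the exact syntax should be checked against the command reference for your ASA release.

```cisco
! Step 1: AAA servers. Names, addresses and keys are placeholders,
! not values from the slides. LOCAL could replace AAA-RAD below.
aaa-server AAA-RAD protocol radius
aaa-server AAA-RAD (inside) host 10.1.1.5
 key RADIUS-KEY-PLACEHOLDER
aaa-server AAA-TAC protocol tacacs+
aaa-server AAA-TAC (inside) host 10.1.1.6
 key TACACS-KEY-PLACEHOLDER
!
! Step 2: authentication rule. Only HTTP, HTTPS, FTP and Telnet can
! trigger the prompt; the ACL says exactly which of that traffic does.
access-list AUTH-TRIGGER extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list AUTH-TRIGGER extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list AUTH-TRIGGER extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list AUTH-TRIGGER extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
aaa authentication match AUTH-TRIGGER inside AAA-RAD
!
! HTTP redirection: the ASA listens on TCP/80 and redirects the browser
! to its own login form (no HTTPS listener, to avoid certificate warnings).
aaa authentication listener http inside port 80 redirect
!
! Virtual HTTP and virtual Telnet: unused addresses routed to the ASA
! (inside hosts reach them via their default gateway); credentials stop
! at the ASA and are never sent on toward the outside network.
virtual http 192.0.2.10
virtual telnet 192.0.2.11
!
! Step 3: prompts and timeouts (inactivity timer shorter than absolute).
auth-prompt prompt Corporate network - authentication required
auth-prompt accept Authentication succeeded
auth-prompt reject Authentication failed
timeout uauth 1:00:00 absolute uauth 0:10:00 inactivity
!
! Step 4: authorization. Per-user ACLs downloaded from RADIUS need no
! extra rule; per-user-override lets the downloaded ACL replace the
! interface ACL for that user, which must still permit the trigger packet.
access-list INSIDE-IN extended permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list INSIDE-IN extended permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list INSIDE-IN extended permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list INSIDE-IN extended permit tcp 10.1.1.0 255.255.255.0 any eq telnet
access-group INSIDE-IN in interface inside per-user-override
! Alternative: authorization decided by the TACACS+ server instead.
aaa authorization match AUTH-TRIGGER inside AAA-TAC
!
! Step 5: accounting for the authenticated users' traffic.
aaa accounting match AUTH-TRIGGER inside AAA-RAD
!
! Verify (exec mode): show uauth, show aaa-server AAA-RAD; clear uauth
! forces reauthentication without tearing down established sessions.
```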