Re: Authentication Proxy & Cut-through Proxy

From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Sat Jun 21 2008 - 16:17:33 ART


Hello Tim

First of all, good luck with your upcoming lab; it seems you are working
pretty hard :)

I really am not aware of the internal workings of both technologies; the best
one can do is run a debug and see how things are pushed from the AAA down to
the NAS (or get a job with Cisco). The authentication proxy feature is kind
of clumsy in that it requires priv-lvl 15. This creates some serious security
holes unless the implementor properly closes down the router via (http
access-class or aaa authorization exec). Otherwise this auth-proxy user can
have some real fun on the router. The PIX/ASA implementation seems to be
more secure and easier to implement.

You can find examples for both on the following links:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807349e7.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094eb0.shtml

Regards

Farrukh

On Sat, Jun 21, 2008 at 4:56 PM, Tim <ccie2be@nyc.rr.com> wrote:

> Farrukh,
>
> Do you know of a link (on the Doc CD) that explains that?
>
> I found an example that shows priv-lvl=15 being configured on the ACS, but I
> have no idea why that works.
>
> Or what's really going on between the AAA client and AAA server.
>
> For instance, why is the config on the ACS different for IOS vs PIX.
>
> Does that make any sense?
>
> (My lab date is this Friday and, to the extent possible, I'd like to
> understand this instead of trying to memorize the configs.)
>
> Thanks for all your excellent contributions to GS.
>
> Tim
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Farrukh Haroon
> Sent: Saturday, June 21, 2008 8:00 AM
> To: Muhammad Nasim
> Cc: security@groupstudy.com; Cisco certification
> Subject: Re: Authentication Proxy & Cut-through Proxy
>
> "For routers I saw one post that it should be Privilege 15 and for ASA no
> need of privilege."
>
> Yes this is correct.
>
> Regards
>
> Farrukh
>
> On Sat, Jun 21, 2008 at 2:55 PM, Muhammad Nasim <muhammad.nasim@gmail.com>
> wrote:
>
> > For Authentication Proxy on routers and Cut-Through Proxy on ASA, do
> > we need to define the privilege levels under users on ACS?
> >
> > For routers I saw one post that it should be Privilege 15 and for ASA
> > no need of privilege.
> >
> > Can anyone explain this to me?
> >
> > Thanks
> >
> > --
> > Muhammad Nasim
> > Network Engineer
> > Saudi Arabia
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
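An added configuration example, not taken from this thread or from Cisco's documentation, of the IOS-side lockdown Farrukh refers to: auth-proxy authorization via TACACS+ combined with exec authorization and an HTTP access class, so that the priv-lvl 15 auth-proxy account cannot be reused to open an exec session on the router. The server address 10.1.1.5, the TACACS+ key, the ACL numbers, the interface and the subnet are assumed placeholders.

```ios
! Added example (assumed values): IOS authentication proxy with TACACS+ (ACS at 10.1.1.5)
aaa new-model
aaa authentication login default group tacacs+ local
! Auth-proxy pulls the per-user proxyacl entries from the custom TACACS+
! service "auth-proxy"; the ACS profile for that service carries priv-lvl=15.
aaa authorization auth-proxy default group tacacs+
!
! Weak setting: no exec authorization at all. The same priv-lvl 15 account
! that passes the auth-proxy login could then open a telnet/SSH/HTTP exec
! session on the router itself.
!   (no "aaa authorization exec" line)
!
! Hardened setting: exec authorization is enforced, so an ACS account that
! has only the auth-proxy service and no shell (exec) service is refused
! when it tries to log in to the router.
aaa authorization exec default group tacacs+ local
!
tacacs-server host 10.1.1.5 key PLACEHOLDER_KEY
!
! The HTTP server is required by auth-proxy; bind it to AAA and restrict
! which sources may reach it (assumption: the proxied user subnet must be
! permitted here so the intercept page can still be served).
ip http server
ip http authentication aaa
ip http access-class 10
access-list 10 permit 192.168.10.0 0.0.0.255
!
ip auth-proxy auth-proxy-banner http
ip auth-proxy name WEBAUTH http inactivity-time 60
!
interface FastEthernet0/0
 description inside users whose HTTP traffic is intercepted (assumed)
 ip address 192.168.10.1 255.255.255.0
 ip auth-proxy WEBAUTH
!
! ACS side (TACACS+ custom service, shown as comments, not IOS syntax),
! for an assumed user "webuser":
!   Service: auth-proxy
!     priv-lvl=15
!     proxyacl#1=permit tcp any any eq 80
!     proxyacl#2=permit tcp any any eq 443
!   Shell (exec) service: not enabled, so exec authorization fails for it
```

With this split, the priv-lvl 15 value only ever reaches the router inside the auth-proxy service reply, and the account has nothing the exec authorization step would accept.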



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:22 ART