Dear Experts,
If you don't feel like reading the whole thing, these are my questions:
1) What is the radius-common-pw command doing?
The configuration I have looks like:
aaa-server XYZ protocol radius
aaa-server XYZ (management) host 1.1.1.1
key 1234
radius-common-pw <>
max-failed attempts and the 2 modes for re-activation (timed/depletion
mode). I am not getting this. Suppose that one user tries to authenticate
and exceeds the number of failed attempts,
does this mean that the server will be deactivated??
2) Is Cut-through Proxy Authorization only possible by Downloadable ACL?
I am going through AAA and its various uses on an ASA. Let me summarize my
findings as it will help me re-cap and will help you answer my questions.
Authentication is used to check who is allowed to Access
(Administration/Management of the ASA).
Authorization: has to do with the privileges
Accounting: Reporting
The different "consoles" to access the ASA are:
1) Serial
2) Telnet/SSH (Note that Telnet is not allowed from the outside unless it
comes through IPSec Tunnel)
3) ASDM/HTTP
Authentication can be made either using the local database or an external
one. For an external one,
1) We have to define the AAA Server Group and associate servers with it. In
this configuration, what is the radius-common-pw command doing?
The configuration I have looks like:
aaa-server XYZ protocol radius
aaa-server XYZ (management) host 1.1.1.1
key 1234
radius-common-pw <>
max-failed attempts and the 2 modes for re-activation (timed/depletion
mode). I am not getting this. Suppose that one user tries to authenticate
and exceeds the number of failed attempts,
does this mean that the server will be de-activated??
Cut-Through Proxy: is just a means by which the ASA authenticates your
session before allowing it through (It just reminds me of the Dynamic ACLs
(Lock/Key) principle)
So I have a user and he tries to access a web server for instance through
the ASA, which in turn intercepts the communication and asks the user for
authentication. If he has got the right credentials then he is allowed to go
through/if not sorry you just have to stay there and you are grounded!
But can someone explain to me what Cut-through Proxy Authorization
means? How will a user be authorized? Is it based on the Downloadable ACLs you
get from the RADIUS server?
Thank You for Sharing Your Knowledge!
-- KJ
Blogs and organic groups at http://www.ccie.net
Received on Sun May 09 2010 - 22:57:41 ART