Hi,
Answers Inline
On 5/9/10, karim jamali <karim.jamali_at_gmail.com> wrote:
Dear Experts,
If you don't feel like reading the whole thing, these are my questions:
1)What is the radius-common-pw command doing?
From the command reference:
To specify a common password to be used for all users who are
accessing this RADIUS authorization server through this security
appliance, use the radius-common-pw command in AAA-server host mode.
> The configuration I have looks like:
> aaa-server XYZ protocol radius
> aaa-server XYZ (management) host 1.1.1.1
> key 1234
> radius-common-pw <>
> max-failed-attempts and the 2 modes for re-activation (timed/depletion
> mode). I am not getting this. Suppose that one user tries to authenticate
> and exceeds the number of failed attempts.
> Does this mean that the server will be deactivated?
No, the user would be locked out.
> 2)Is Cut-through Proxy Authorization only possible by Downloadable ACL?
Cut-through proxy authorization can be implemented using RADIUS (using
downloadable access-lists) or TACACS+ (using command authorization
sets). Details below.
With RADIUS, downloadable access-lists are used; you can either:
1. Define a downloadable ACL on the ACS (under shared profile
components or on the cisco-av-pair) or
2. Reference an access-list on the ASA by placing the name on either
the cisco-av-pair attribute or the filter-id attribute.
I posted some information about this on my blog sometime ago:
http://amplebrain.blogspot.com/2009/12/asa-cut-through-proxy-part-2-radius.html
With TACACS+, you perform cut-through authorization using the command
authorization set. It's just like performing command authorization on
IOS. The command authorization set is configured under shared
profile components.
> I am going through AAA and its various uses on an ASA. Let me summarize my
> findings as it will help me re-cap and will help you answer my questions.
>
> Authentication is used to check who is allowed to Access
> (Administration/Management of the ASA).
> Authorization: has to do with the privileges
> Accounting: Reporting
>
> The different "consoles" to access the ASA are:
> 1)Serial
> 2)Telnet/SSH (Note that Telnet is not allowed from the outside unless it
> comes through IPSec Tunnel)
> 3)ASDM/HTTP
>
> Authentication can be made either using the local database or an external
> one. For an external one,
> 1) We have to define the AAA Server Group and associate servers with it. In
> this configuration, what is the radius-common-pw command doing?
> The configuration I have looks like:
> aaa-server XYZ protocol radius
> aaa-server XYZ (management) host 1.1.1.1
> key 1234
> radius-common-pw <>
> max-failed-attempts and the 2 modes for re-activation (timed/depletion
> mode). I am not getting this. Suppose that one user tries to authenticate
> and exceeds the number of failed attempts.
> Does this mean that the server will be deactivated?
>
> Cut-through proxy is just a means by which the ASA authenticates your
> session before allowing it through (it just reminds me of the dynamic ACL
> (lock-and-key) principle).
Cut-through proxy is a step ahead of lock-and-key, more like
auth-proxy on IOS.
> So I have a user and he tries to access a web server, for instance, through
> the ASA, which in turn intercepts the communication and asks the user for
> authentication. If he has got the right credentials then he is allowed to go
> through; if not, sorry, you just have to stay there and you are grounded!
> But can someone explain to me what cut-through proxy authorization
> means? How will a user be authorized? Is it based on the downloadable ACLs you
> get from the RADIUS server?
Yes, the user is authorized using downloadable access-lists on the
RADIUS server.
This link might be of help:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwaaa.html#wp1056570
> Thank You for Sharing Your Knowledge!
>
> --
> KJ
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
--
Best Regards,
Tolulope.

Received on Sun May 09 2010 - 22:19:16 ART
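The pieces discussed in this thread (the RADIUS server group with its failover knobs, the `radius-common-pw` host setting, cut-through proxy authentication, and the two ways of authorizing the user afterwards), pulled together into one ASA configuration as an added example. This is my own illustration, not configuration from either poster or from the Cisco guide linked above; the group names (XYZ, TAC), addresses (1.1.1.1, 2.2.2.2), keys, subnet and ACL names (AUTH_TRAFFIC, INSIDE_IN, KJ_ONLY_WEB) are assumed placeholders. One caveat worth stating plainly, taken from the ASA command reference: `max-failed-attempts` and `reactivation-mode` are configured on the server group, not the host, and they count the ASA's own failed attempts to reach a server (marking it failed and deciding when to retry it); a lockout policy for a user who keeps typing a wrong password is enforced on the AAA server, not by these two commands.

```cisco
! Added example, not part of the original thread. All names, addresses and
! keys below are assumed placeholders.

! --- RADIUS server group (used for cut-through authentication) -----------
! Group-level settings: after 3 failed attempts to reach a server the ASA
! marks that server failed; "timed" brings it back for retry automatically.
! (The alternative is "reactivation-mode depletion deadtime 10": try the
! next server until all are failed, then reactivate them after 10 minutes.)
aaa-server XYZ protocol radius
 max-failed-attempts 3
 reactivation-mode timed
! Host-level settings. radius-common-pw is the password the ASA presents
! for every user when it sends an authorization request to this server
! (the ASA does not hold the user's real password to re-send); the value
! "commonpw" is a placeholder and must match what the RADIUS server expects.
aaa-server XYZ (management) host 1.1.1.1
 key 1234
 radius-common-pw commonpw

! --- Cut-through proxy: which flows must be authenticated first -----------
! Only HTTP and Telnet from the inside subnet are intercepted; everything
! else is handled by the ordinary interface ACL.
access-list AUTH_TRAFFIC extended permit tcp 10.0.0.0 255.255.255.0 any eq www
access-list AUTH_TRAFFIC extended permit tcp 10.0.0.0 255.255.255.0 any eq telnet
aaa authentication match AUTH_TRAFFIC inside XYZ
! Authenticated users are cached for 5 minutes, then must log in again.
timeout uauth 0:05:00 absolute

! --- Authorization with RADIUS: nothing extra to enable on the ASA --------
! The per-user ACL arrives in the Access-Accept, either as a downloadable
! ACL built on the server (cisco-av-pair, e.g. ip:inacl#1=permit tcp any
! any eq www) or as Filter-Id naming an ACL that already exists on the ASA.
! For the Filter-Id case the server would return Filter-Id = KJ_ONLY_WEB,
! and that ACL must exist here:
access-list KJ_ONLY_WEB extended permit tcp any any eq www
access-list KJ_ONLY_WEB extended deny ip any any
! The interface ACL must carry per-user-override, otherwise the user's
! downloaded ACL is applied in addition to, not instead of, the interface ACL.
access-list INSIDE_IN extended permit ip 10.0.0.0 255.255.255.0 any
access-group INSIDE_IN in interface inside per-user-override

! --- Alternative: authorization with TACACS+ (explicit on the ASA) --------
! With TACACS+ the ASA asks the server for authorization itself, so an
! "aaa authorization match" line is required; the command authorization set
! on the server decides what the user may do.
aaa-server TAC protocol tacacs+
aaa-server TAC (management) host 2.2.2.2
 key 5678
aaa authentication match AUTH_TRAFFIC inside TAC
aaa authorization match AUTH_TRAFFIC inside TAC
```

The RADIUS and TACACS+ halves are alternatives for the same AUTH_TRAFFIC flows; on a real box you would keep one of the two `aaa authentication match` lines, not both. `show uauth` lists the users currently cached by cut-through proxy along with the ACL the ASA applied to each, which is the quickest way to confirm that the downloaded or referenced ACL actually arrived.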