Cisco Systems ASA5515K9, ASA 5500 Configuring Cut-through Proxy Authentication

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter36 Configuring the Identity Firewall

Task Flow for Configuring the Identity Firewall

Configuring Cut-through Proxy Authentication

In an enterprise, some users log onto the network by using other authentication mechanisms, such as

authenticating with a web portal (cut-through proxy) or by using a VPN. For example, users with a

Machintosh and Linux client might log in a web portal (cut-through proxy) or by using a VPN.

Therefore, you must configure the Identity Firewall to allow these types of authentication in connection

with identity-based access policies.

The ASA designates users logging in through a web portal (cut-through proxy) as belonging to the

Active Directory domain with which they authenticated. The ASA designates users logging in through

a VPN as belonging to the LOCAL domain unless the VPN is authenticated by LDAP with Active

Directory, then the Identity Firewall can associate the users with their Active Directory domain. The

ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the AD

Agent, which distributes the user information to all registered ASA devices.

Users can log in by using HTTP/HTTPS, FTP, Telnet, or SSH. When users log in with these

authentication methods, the following guidelines apply:

•For HTTP/HTTPS traffic, an authentication window appears for unauthenticated users.

•For Telnet and FTP traffic, users must log in through the cut-through proxy and again to Telnet and

•A user can specify an Active Directory domain while providing login credentials (in the format

domain\username). The ASA automatically selects the associated AAA server group for the

specified domain.

•If a user specifies an Active Directory domain while providing login credentials (in the format

domain\username), the ASA parses the domain and uses it to select an authentication server from

the AAA servers configured for the Identity Firewall. Only the username is passed to the AAA

Step5 hostname(config)# access-list access_list_name {deny

| permit} protocol [{user-group

[domain_name\\]user_group_name | user

{[domain_name\\]user_name | any | none} |

object-group-user object_group_user_name}] {any |

host sip | sip smask | interface name | object

src_object_name | object-group

network_object_group_name> [eq port | …]

{object-group-user dst_object_group_name | object

dst_object_name host dst_host_name | ip_address}

[object-group service_object_name | eq port | …]

hostname(config)# access-list identity-list1 permit

ip user SAMPLE\user1 any any

hostname(config)# access-list aclname extended

permit ip user-group SAMPLE\\group.marketing any any

hostname(config)# access-list aclname extended

permit ip object-group-user asausers any any

Creates an access control entry that controls access

using user identity or group identity.

You can specify [domain_nickname>\]user_name

and [domain_nickname>\]user_group_name

directly without specifying them in an object-group

See the access-list extended command in the Cisco

ASA 5500 Series Command Reference for a

complete description of the command syntax.

The keywords user-group any and user-group

none can be specified to support cut-through proxy

authentication. See Configuring Cut-through Proxy

Authentication, page22.

Step6 hostname(config)# access-group access-list global

hostname(config)# access-group aclname global

Applies a single set of global rules to all interfaces

with the single command.

Command Purpose

Contents