Cisco Public
User-Based (Cut-Through) Proxy Overview
CHAPTER 10
Using Proxy Services to Control Access
User Authentication
A user on your network attempts to access a resource that requires authentication. The ASA presents a username/password prompt. You configure exactly which resources trigger this authentication behavior.
Authentication needs to occur only once per source IP address for all the authentication rules you configure on the Cisco ASA; this is where the "cut-through" part of the name originates. The user's credentials are cached on the Cisco ASA so that subsequent requests from that source address do not trigger another authentication. You control how long a cached entry lives with the absolute and inactivity timers.
Because the cache is keyed on source IP address, every host that shares that address (for example, behind a NAT device) inherits the authenticated session until it times out or is cleared.
Cut-through proxy
Remote-access VPNs
HTTP Redirection
With the HTTP redirection method, the Cisco ASA listens for HTTP requests on TCP port 80. When it sees such a request from an internal user, it redirects the user to a local web page hosted on the ASA that contains a form for entering credentials.
If the user authenticates successfully with these credentials, the browser is then directed on to the external web server.
If the external web server requires its own separate authentication and credentials, it can challenge the user directly at that time.
The credentials entered in the redirect form go only to the ASA; they are not forwarded to the destination server.
Virtual HTTP
Using the virtual HTTP method, users authenticate against the Cisco ASA using the IP address of a virtual HTTP server that the ASA answers for itself. No separate credential web page is required.
Once the user is authenticated, the credentials are not sent any further into the outside network in order to reach the external web server.
This method works well when you want to prevent credentials from being sent into an untrusted network.
Configuration Steps of User-Based Proxy
Each authenticated user has two timers associated with the cached authentication entry: an absolute timer and an inactivity timer.
Absolute timeout value: ignores activity and starts as soon as the user is authenticated by the device; when it expires the user must authenticate again regardless of traffic. The inactivity timer, by contrast, is reset by traffic from the authenticated address. The absolute timer should therefore be set to a longer duration than the inactivity timer, otherwise the inactivity timer never has an effect.
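The configuration steps themselves are not reproduced on this page, so the listing below is an added example written for this edit; it is not slide content and not a Cisco reference configuration. It ties the pieces discussed above together on ASA CLI: the AAA server group, an authentication rule matching exactly the resources that should trigger the cut-through proxy, the HTTP redirection listener, the virtual HTTP alternative, the absolute and inactivity timers, and the verification commands. The server group name CORP-AAA, the ACL name AUTH-WEB, the addresses 10.1.0.0/16, 10.1.1.50 and 10.1.1.254, the username jdoe and the shared secret are assumptions chosen for illustration.

```cisco
! Added example (not from the slides). Names, addresses and secret are assumptions.
!
! 1. AAA server group the cut-through proxy authenticates users against.
aaa-server CORP-AAA protocol radius
aaa-server CORP-AAA (inside) host 10.1.1.50
 key ExampleSharedSecret
!
! 2. Define exactly which traffic triggers authentication.
!    Only inside-to-anywhere HTTP is matched here; everything else is untouched.
access-list AUTH-WEB extended permit tcp 10.1.0.0 255.255.0.0 any eq www
!
! 3. Apply the rule on the inside interface. A matching connection from a source
!    IP with no cached entry is held until the user authenticates; later
!    connections from that IP are "cut through" without a new prompt.
aaa authentication match AUTH-WEB inside CORP-AAA
!
! 4a. HTTP redirection: listen on the inside interface for TCP 80 and redirect
!     unauthenticated users to the ASA's own login form.
aaa authentication listener http inside port 80 redirect
!
! 4b. Virtual HTTP (alternative to 4a): users authenticate to a virtual server
!     address the ASA answers for itself, so the credentials stop at the ASA and
!     are not forwarded toward the outside web server.
!     10.1.1.254 is assumed to be an address not otherwise in use on the network.
! virtual http 10.1.1.254
!
! 5. Timers for the cached entry. The absolute timer starts at authentication
!    and ignores traffic; the inactivity timer is reset by traffic and must be
!    the shorter of the two for it to have any effect.
timeout uauth 0:30:00 absolute
timeout uauth 0:05:00 inactivity
!
! 6. Verification: list cached users with their remaining time, or flush the
!    cache (forcing re-authentication) for one user or for everyone.
! show uauth
! clear uauth jdoe
! clear uauth
```

Because the authentication rule is tied to the ACL, widening AUTH-WEB widens what the proxy intercepts; keep it to the resources you actually want gated. Use `clear uauth` after changing the timers or the server group so that existing cached entries do not keep the old behavior.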