Saturday, February 28, 2009

Cut-through Proxy using AAA

What is Cut-through Proxy?
Cut-through proxy is a fast way for the firewall to authenticate a user. A typical proxy server must inspect every packet at layer seven in real time, which is processor-intensive. With cut-through proxy, the PIX challenges the user once, at connection setup, and queries a TACACS+ or RADIUS server to verify the credentials. Once the user is authenticated, the PIX establishes the data flow and all traffic thereafter passes directly between the two parties without further layer-seven inspection.


Configuring Cut-Through Proxy using AAA authentication
pix(config)#aaa-server AuthInbound protocol tacacs+
AuthInbound is just a unique server group name that will later be used for all inbound access.

pix(config)#aaa-server AuthInbound (inside) host 10.1.1.1
This command adds the TACACS+ server 10.1.1.1, reached through the inside interface, to the AuthInbound group.

pix(config)#aaa-server AuthOutbound protocol tacacs+
AuthOutbound will be used for outbound access.

pix(config)#aaa-server AuthOutbound (inside) host 10.1.1.2 TheUauthKey
The trailing argument, TheUauthKey, is the shared secret for this server; it must match the key configured on the TACACS+ server.

pix(config)#aaa authentication include ftp outside 0 0 0 0 AuthOutbound
We are configuring authentication for all FTP access originating from the outside network (the four zeros are shorthand for any local and any foreign address). Authentication can only be applied to protocols that can carry a login prompt; SMTP, for example, would not work.

pix(config)#aaa authentication include ftp inside 0 0 0 0 AuthInbound
This configures authentication for any FTP access coming from the inside network.

pix(config)#aaa authentication include http inside 0 0 0 0 AuthInbound
The same rule for HTTP access coming from the inside network.


pix(config)#aaa authorization include any inside 0 0 0 0 AuthInbound
This enables authorization. The service keyword (any, ftp, http, and so on) goes where the original listing left the syntax placeholder authen_service; the trailing server group must be a TACACS+ group, since per-service authorization is a TACACS+ function.


pix(config)#aaa authentication match ACL_AuthOutbound inside AuthOutbound
This specifies the ACL that selects which hosts require authentication: traffic matching a permit entry is authenticated, traffic matching a deny entry is exempt from authentication (the deny does not block it).
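As an added example that is not part of the original post, the following fragment shows the ACL-driven form of the rule end to end, including the access-list definition the post only refers to. The group name, server address and key are taken from the post; the client subnet 192.168.1.0/24 and the exempt host 192.168.1.50 are assumed values.

```cisco
! Added example (not from the original post); addresses below are assumed.
!
! Reach the TACACS+ server 10.1.1.2 through the inside interface;
! TheUauthKey is the shared secret and must match the key on the server.
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.2 TheUauthKey
!
! The ACL decides who is challenged. A deny entry EXEMPTS matching traffic
! from authentication; a permit entry REQUIRES it. The first matching line
! wins, so the exemption must precede the broader permit entries.
! 192.168.1.50 (assumed) stands for a host that cannot answer a login prompt.
access-list ACL_AuthOutbound deny tcp host 192.168.1.50 any
access-list ACL_AuthOutbound permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list ACL_AuthOutbound permit tcp 192.168.1.0 255.255.255.0 any eq www
!
! Tie the ACL to the inside interface and the server group.
aaa authentication match ACL_AuthOutbound inside AuthOutbound
!
! Confirm the group and server state after applying the rule.
show aaa-server
```

Keep the exemption list short and specific: every deny line is a host that reaches FTP and HTTP without being authenticated, so a deny that is wider than intended silently removes the cut-through proxy check for that traffic.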

Troubleshooting:
show aaa-server - displays the AAA server configuration.
show aaa-server protocol - displays protocol-specific information.
show aaa-server host - displays statistics for an individual AAA server: group membership and protocol, server status, last transaction, and counts of requests, retransmits, accepts, rejects and errors.

debug - displays real-time connection and authentication information.
debug aaa - displays real-time AAA server-specific information.
debug aaa authentication - displays real-time AAA authentication information.
