Cut-through proxy and vpn authentication, Figure 36-7 – Cisco ASA 5505 User Manual


36-7 Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 36 Configuring the Identity Firewall
Information About the Identity Firewall

Figure 36-7 WAN-based Deployment with Remote AD Agent and AD Servers

Cut-through Proxy and VPN Authentication

In an enterprise, some users log onto the network by using other authentication mechanisms, such as
authenticating with a web portal (cut-through proxy) or by using a VPN. For example, users with
Macintosh and Linux clients might log in through a web portal (cut-through proxy) or by using a VPN.
Therefore, you must configure the Identity Firewall to allow these types of authentication in connection
with identity-based access policies.

Figure 36-8 shows a deployment to support a cut-through proxy authentication captive portal. Active
Directory servers and the AD Agent are installed on the main site LAN. However, the Identity Firewall
is configured to support authentication of clients that are not part of the Active Directory domain.

Figure 36-8 Deployment Supporting Cut-through Proxy Authentication

The ASA designates users logging in through a web portal (cut-through proxy) as belonging to the
Active Directory domain with which they authenticated.

The ASA designates users logging in through a VPN as belonging to the LOCAL domain, unless the VPN
is authenticated by LDAP against Active Directory; in that case the Identity Firewall can associate the
users with their Active Directory domain. An identity-based ACL that names an Active Directory user or
group therefore does not match a VPN user who authenticated against the ASA local database.

The ASA reports users logging in through VPN authentication or a web portal (cut-through proxy) to the
AD Agent, which distributes the user information to all registered ASA devices. Specifically, the user
identity-IP address mappings of authenticated users are forwarded to all ASA contexts that contain the
input interface where packets are received and authenticated.

See Configuring Cut-through Proxy Authentication, page 22.
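The following configuration sketch is added here as an illustration of the three login paths described above and is not taken from the Cisco manual. The AD server 10.1.1.2 and the domain mktg.sample.com come from the figures; the domain nickname MKTG, the server group names, the AD Agent address 10.1.1.3, the bind account, the tunnel-group names, the user names alice and bob, the destination host 10.1.2.10 and the ACL names are assumptions made for the example.

```text
! --- Identity Firewall: AD Agent (RADIUS) and Active Directory (LDAP) server groups ---
! 10.1.1.3 is an assumed AD Agent address.
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (inside) host 10.1.1.3
 key <shared-secret>
!
! 10.1.1.2 is the AD server shown in Figures 36-7 and 36-8; the bind DN is assumed.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.1.1.2
 ldap-base-dn DC=mktg,DC=sample,DC=com
 ldap-scope subtree
 ldap-login-dn CN=asa-bind,CN=Users,DC=mktg,DC=sample,DC=com
 ldap-login-password <password>
 server-type microsoft
!
! MKTG is an assumed nickname for mktg.sample.com.
user-identity domain MKTG aaa-server AD-LDAP
user-identity default-domain MKTG
user-identity ad-agent aaa-server ADAGENT
user-identity enable
!
! --- Path 1: cut-through proxy (web portal) for non-domain clients ---
! Users who authenticate here are placed in the domain they authenticated against (MKTG).
access-list AUTH-CTP extended permit tcp any any eq 80
aaa authentication match AUTH-CTP inside AD-LDAP
aaa authentication listener http inside port 80 redirect
!
! --- Path 2: VPN authenticated by LDAP against Active Directory ---
! These users are associated with the MKTG domain.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
!
! --- Path 3: VPN authenticated against the ASA local database ---
! These users are placed in the LOCAL domain.
tunnel-group RA-VPN-LOCAL type remote-access
tunnel-group RA-VPN-LOCAL general-attributes
 authentication-server-group LOCAL
!
! --- Identity-based policy ---
! The MKTG\alice entry matches alice whether she arrived through a domain login,
! the cut-through proxy or the LDAP-authenticated VPN. A user from RA-VPN-LOCAL
! is LOCAL\bob and does not match an MKTG entry, so LOCAL users need their own line.
access-list INSIDE-IN extended permit tcp user MKTG\alice any host 10.1.2.10 eq 443
access-list INSIDE-IN extended permit tcp user LOCAL\bob any host 10.1.2.10 eq 443
access-list INSIDE-IN extended deny ip any any
access-group INSIDE-IN in interface inside
```

After a user authenticates over each path, show user-identity user active lists the user-to-IP binding together with the domain (MKTG or LOCAL) the ASA assigned; that is the check that a tunnel-group authenticating against the local database really lands in LOCAL rather than in the Active Directory domain your ACL references.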

[Figure 36-7 labels: Enterprise Main Site with ASA, AD Servers (mktg.sample.com, 10.1.1.2) and AD Agent; Remote Site with Client, AD Servers and AD Agent; links labelled Directory Sync, RADIUS, WMI, LDAP and WAN]

[Figure 36-8 labels: Inside Enterprise with ASA, AD Servers (mktg.sample.com, 10.1.1.2) and AD Agent; links labelled WMI, LDAP, RADIUS, WAN / LAN and HTTP/HTTPS; clients: Windows Clients (Domain Members) and Non-domain Member Clients]
