Authenticate access to internet
14 years 6 months ago #34452
by Nevins
Replied by Nevins on topic Re: Authenticate access to internet
Well, what authentication tool would do the same thing as port security with less work?
Useful Threads
================================
www.firewall.cx/forum/2-basic-concepts/3...e-resource-page.html
14 years 6 months ago #34456
by S0lo
Replied by S0lo on topic Re: Authenticate access to internet
Is it 16 concurrent users that log in to the ASA? Actually we have about 6xx users at our office.
I agree with FlipRich, the 16 concurrent limit is only for HTTPS. Instead, you can use HTTP authentication. If you do this, your internal users will be prompted for a user/password the first time they try to connect to the net using a web browser. Here is a minimal description of how it's done:
First you create the set of users you want on the ASA, say:
[code:1]username user1 password cisco1
username user2 password cisco2[/code:1]
Second, you configure AAA authentication using the LOCAL user database, like this:
[code:1]aaa authentication include http inside 0 0 0 0 LOCAL[/code:1]
That's all you need, it should work (unless you have problems in NAT). Notice that you can also configure a RADIUS/TACACS+ server to handle authentication instead of using the ASA's LOCAL user database.
Port security is obviously not helpful in your case.
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
14 years 6 months ago #34459
by apit
Replied by apit on topic Re: Authenticate access to internet
16 concurrent for HTTPS? If 17 users concurrently access their Gmail accounts, it might fail... is that so?
My plan is to use the existing database for username & password authentication instead of setting them manually on the ASA firewall.
Currently we are using an Oracle database. For your info, the password is encrypted. Can a RADIUS server read the encrypted characters from the existing database?
14 years 6 months ago #34475
by S0lo
Replied by S0lo on topic Re: Authenticate access to internet
16 concurrent for HTTPS? If 17 users concurrently access their Gmail accounts, it might fail... is that so?
No, the 16 limit is for the HTTPS Authentication part only. Not the actual traffic that passes through after authentication. Once a user logs in successfully, he will be able to browse HTTP and HTTPS websites regardless of the 16 limit.
So if you configure HTTPS authentication, it will be limited to 16 users; the 17th user will NOT be able to log in. But if you configure HTTP authentication, the 16 limit does NOT apply, no matter what type of website the users browse after they authenticate, be it HTTP or HTTPS. That's as far as I know.
My plan is to use the existing database for username & password authentication instead of setting them manually on the ASA firewall.
Currently we are using an Oracle database. For your info, the password is encrypted. Can a RADIUS server read the encrypted characters from the existing database?
I'm really not sure about that. The only thing I know is that Oracle DB can be configured to use a RADIUS server. This might help:
download.oracle.com/docs/cd/B10501_01/ne.../a96573/asoradus.htm
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
14 years 6 months ago #34488
by Losh
Replied by Losh on topic Re: Authenticate access to internet
Are you currently using any syslog servers? Because you can set up logging on the ASA firewall to log authentication messages to the syslog server.
Just a hint.
~ Networking :- Just when u think its starting to make sense......... ~
____________________________________________
CCNA, CCNP, CCNA Security, JNCIA, APDS, CISA
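Added example, not posted by anyone in this thread: S0lo's HTTP authentication rule pointed at a RADIUS server group instead of LOCAL, combined with Losh's hint about sending authentication messages to syslog. The group name, server addresses (documentation range 192.0.2.0/24), shared secret and timer value are placeholders chosen for illustration.

```text
! Constructed names and addresses: RADIUS-AUTH, 192.0.2.10, 192.0.2.20
! and the key below are placeholders, not values from the thread.

! 1. Define a RADIUS server group and the server reached via "inside".
aaa-server RADIUS-AUTH protocol radius
aaa-server RADIUS-AUTH (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET

! 2. Same rule as the LOCAL example in the thread, but the final
!    argument names the server group, so the ASA no longer needs a
!    "username ... password ..." line for each of the ~600 users.
aaa authentication include http inside 0 0 0 0 RADIUS-AUTH

! 3. Bound how long a successful login stays cached on the ASA
!    (illustrative value); after this the user is prompted again.
timeout uauth 1:00:00 absolute

! 4. Send authentication events to a syslog server. The succeeded and
!    failed messages (109005 / 109006) are severity 6, so the trap
!    level must be "informational" or more verbose.
logging enable
logging timestamp
logging trap informational
logging host inside 192.0.2.20
```

With plain HTTP authentication the username and password travel unencrypted between the browser and the ASA; `aaa authentication secure-http-client` protects that exchange, and it is this HTTPS authentication mode that the 16-concurrent limit discussed above applies to.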