AAA/Identity/Nac :: ASA Cut-through Proxy And ACS 5.3
Jul 16, 2012
I'm planning to migrate a customer from ACS 4.2 to ACS 5.3.
I have migrated the configuration for all the services but I'm thinking how to configure ASA 8.4 cut-through proxy service in TACACS+.
The same ASA uses TACACS+ for device mngt and RADIUS for vpn remote-access services.
View 1 Replies
Feb 10, 2013
We are running with Cisco ACS v4.0 AAA server. Here I need the use of Proxy distribution table.
View 5 Replies
Jan 11, 2009
I would like to configure limited internet access to only a select group of Windows AD users.
I believe cut-through proxy will allow me to do this, just not sure how to configure it on a Cisco ASA-5510.
View 7 Replies
Jun 17, 2012
I have successfully set up a 5505 as a cut-through proxy so that wireless users are required to log in when they open a browser to access the Internet. Is there a way to take them to the original page they requested after the login is complete, rather than having it sit at the screen where it says they are logged in?
View 1 Replies
Aug 1, 2012
I would like to use the ACS 5.3 as TACACS Proxy. Basically it works. But when checking the logs on the destination TACACS Server (ACS 4.2) I see that all requests (Source-NAs) came from the IP of the TACACS-Proxy. Not from the original source IP.
This is useless for my scenario, because on the destination TACACS Server the policies are built on the NetworkDevices Groups and AAA Clients = source IPs.
View 2 Replies
Feb 6, 2012
We have a pair of ACS 4.1 servers (Windows Server 2003 R2). Let's call them ACS1 and ACS2. We don't want either one of them to proxy to any AAA server, including each other. We're using mostly TACACS authentication.
While troubleshooting a general problem, I'm guessing that one of us did this on ACS1:
pressed the Network Configuration button, saw the Proxy Distribution Table, clicked (Default), moved ACS1 from the AAA Servers column to the Forward To column.
So, essentially, we're telling ACS1 to proxy all requests to itself, which doesn't seem to make sense. I don't know for sure whether it should work when configured to "self proxy," but in that state, it does not authenticate anyone and gives merely "Internal error" as the reason.
If I change the configuration so that "ACS2" appears in the Forward To column, and I move "ACS1" back to AAA Servers and restart, ACS1 starts responding correctly to TACACS requests. Of course, ACS1 is just proxying all requests to ACS2, so having two servers isn't doing much good.
I cannot simply remove ACS1 from the Forward To column and leave it empty. The interface complains that it can't forward to zero servers. Of course, on ACS2, there are no servers in the Forward To column, since we never touched the Proxy Distribution Table there.
Is there any way to return the Proxy Distribution Table to its default setup, that is, no servers appear in the "Forward To" column?
We're planning to upgrade to version 4.2 very soon, so this question is mostly academic, unless the same problem exists in 4.2.
For full disclosure, I should mention that the problem we were troubleshooting was loss of connectivity to our Windows Domain Controllers from our ACS servers. We had missed adding some exceptions in our firewalls to allow for four new DCs. As far as we can tell from testing, connectivity to the DCs is now fine. The firewall rules group ACS1 and ACS2 together, so connectivity should be the same, and ACS2 authenticates users correctly.
View 2 Replies
Apr 11, 2012
We are currently using Cisco ACS 5.3.0.40.2. One of the Services Selection Policy it hosts is:
- Receive Authentication request from a wireless controller for a wireless user
- If the wireless user's username contains a particular domain suffix, the request is proxied to an external proxy server using an External Proxy service (configured for both local/remote accounting)
- On receiving an Access-Accept from the external proxy, the user is given access and ACS 5 will start logging account packets for the username (nothing appears in the RADIUS authentication logs - ACS 5 it seems doesn't log proxied authentication requests)
The above setup works fine in most instances. We start to have problems when an external proxy server strips the domain suffix off the username in the Access-Accept packet e.g.
- ACS 5 proxies an Access-Request to an external proxy server (with Username = someuser@somwhere.com)
- The external proxy replies with an Access-Accept (with Username = someuser)
- The user 'someuser' is given access but subsequent accounting attempts fail because their username (without the domain suffix) doesn't match the Service Selection Policy
Is there any way to get ACS 5.3 to log proxied authentication requests? If not, can I configure ACS 5.3 to use the username in the Access-Request packet (rather than the username in the Access-Accept packet) for accounting?
View 2 Replies
May 28, 2012
I would like to connect devices to my network so that their traffic passes through a proxy running on my computer. I figured the best way to do this is by setting the proxy on my router to the one I am running, but then I would need to have another connection to the computer running the proxy or else there would be an infinite loop ?? something like that. so:
Internet -> router (1) -> my proxy on comp A -> router (2) -> computer B
View 1 Replies
Mar 31, 2012
I access the internet from my company's LAN, which has a restrictive firewall, so I cannot request the admin to open any ports manually for me. Hence I use a software called your-freedom. This proxy software supports both http as well as socks 4 and 5 proxy (by entering the proxy IP 127.0.0.1 (localhost) and Port 8080 for http proxy OR 1080 for Socks Proxy), and I have successfully been using web browsers and some other softwares that support proxy/ allow proxy info to be entered to login/ connect to the internet. Your-Freedom also supports port forwarding. However, the softwares I intend to use do not have any options to enter proxy methods or proxy ports (as far as I have noticed). I have tried to proxify these 2 softwares using softwares such as SocksCap and Free Cap, but either they don't work, or my settings in proxifying are not correct. I believe I will have to do port forwarding or proxify the softwares, but have been unable to do so in the correct manner.
Following is the info on the 2 softwares:
1. NOW Trading terminal: Normally when I start the NOW or Zerodha software, the software starts and I get a login screen, but under firewall conditions, I get the initial Splash screen but then the software stops with the error: NOW Initialisation failed for Interactive Engine << os error>>.
2. PowerIndia Bulls: The software is written in Java and starts with a batch file (PowerIndiabulls.bat) located in C:UsersDEFAULT_USERNAMEAppD..... I converted this batch file to .exe (with battoexe software) and then ran it through a proxifying software. The .exe starts properly without proxifying software but not under proxifying environment. Basically the software needs to connect to the internet using Port 443. I am also expected to keep ports 443, 41599 and 59598 open. Software's requirement is available at Indiabulls Securities: Indiabulls Securities is a leading capital market company offering securities broking and advisory services, depository services, equity research services to its clients in India. (item no. 5). To confirm, while the software is unable to connect through port 443, you will get an error message: "Connection to Login Server could not be established" when you try to login with any random Username and Password. To know that the software is able to connect properly, you will get an error: "This User ID is not enabled to be used with this product".
View 1 Replies
Jan 8, 2013
Anyone know the difference between these two on a MLS? Seems that proxy arp as I know it works with or without the 'local' version.
View 7 Replies
Mar 27, 2011
I am currently using the college internet, but due to restrictions utorrent is somehow blocked. We use a proxy IP and port to use the net. I've tried "tor" but it too is blocked. Now I am unable to use torrents. Pls suggest any other effective proxy softwares.
View 1 Replies
Nov 1, 2011
I have recently been having a very annoying problem with my internet connection. I am not able to connect to some websites: the sites that are unavailable can not be accessed on any device connected to my home network (wireless or plugged directly into the router). I know that the problem does not lie with the sites themselves, since they are working for other people, and I know the sites are not blocking my IP, because when I reset the router, the problem sites become accessible but other sites become inaccessible (on all devices). The problem isn't the router either: I've tried two, and the same problem has arisen with both. Moreover, I have established that the problem does not lie with DNS resolution. I have repeatedly flushed the DNS cache; DNS lookups work fine on the problem sites, but when I ping the given IP addresses I am getting some packet loss (not necessarily 100% loss). When I use a proxy, I can access the sites without any problem.
View 12 Replies
Mar 26, 2012
My internet connection has dynamic IP. So when I download some file from file sharing site, and if my internet connection breaks, my download can't resume from where it had stopped since my IP address is changed. But if I stop the download manually (without breaking internet connection), as the IP address remains same, I can resume the download from that point. I mean can I use a proxy server so that every time the download resumes, it reports a constant (static) IP to the website?
View 6 Replies
May 4, 2011
I have a Dell Inspiron E1505, I am currently in France and trying to connect it to the University's proxy server, and I have followed ALL instructions provided by the university as to how to go about doing this. Each time I enter the proxy address and everything and it doesn't pop up an error message or anything like that, it simply doesn't connect to the internet or give the opportunity to input my password and username.
View 1 Replies
Feb 2, 2011
How can I config Auth-proxy in ACS 4.0? In ACS 3.3 we can add this in the Interface, but I can't see anything for Add Auth-proxy in this menu.
View 2 Replies
Sep 15, 2011
At the moment we have all our users going through a Proxy Server, Microsoft ISA but I want to know whether I could scrap this and utilise the ASA.
Would it be possible to create a Network Object with an IP range (Domain Users) and then have a list assigned to this of any Websites not permitted?
View 5 Replies
Jun 4, 2011
I can't access yahoo without proxy.
View 1 Replies
Jun 17, 2011
How to trace IP when proxy is used. Someone I know is playing a prank that might cause my marriage to break. That person uses proxy with many different IP and also a loopback. Does anyone know how to trace the IP even when the above is used?
View 2 Replies
May 28, 2012
I have an issue here, I need to connect to various anonymous proxy servers, the IPs of which can be freely found on the web. I've tried doing this from a broadband connected computer and it's ok, but the thing is that when I try doing this from a computer that is tied to a router, it doesn't work at all.
View 3 Replies
May 20, 2011
Currently working on Proxy Authentication on a Catalyst 3750G. Cisco's documentation says that I can customize my own web pages for the login, success, failure, and expire web pages. However, I am having a difficult time finding a template to build upon.
View 8 Replies
Feb 17, 2011
My work is done... and I don't know what I have to do... so I open the control panel > administrative tools and see all the content... click the service and see all the content etc... nah... suddenly my Yahoo Messenger disconnected...
I don't know why... I try to relog and can't connect... Commonly, when I want to connect to the internet, the password window for the proxy appears... but now it doesn't appear...
View 1 Replies
Apr 4, 2013
I have some problem to get working ACLs. The main purpose of these ACLs is to control what is going out from my network to internet. For example, I want that only my proxy can access the web.
View 19 Replies
Sep 23, 2011
How would I set up my own anonymous proxy server with my own ip address without having to go on a proxy list site? I don't care how complicated or time consuming it may be, I'm a very fast learner and I do things extremely quickly.
View 3 Replies
Jun 1, 2012
I can't seem to run a proxy in Google Chrome. When I try and run my IP hider program the internet just gets error?
View 1 Replies
Oct 20, 2012
How to connect proxy to my youtube.
View 1 Replies
Jul 5, 2011
I have a server having Windows Server 2003 OS. I have configured my web application on this server which is accessible over internet using static IP. But I found that there is a risk of viruses on my server. That's why now I want to configure this server behind the firewall/Proxy as well as don't want to share my static IP. Is there any way to keep server protected using firewall / Proxy application which is free? And also tell me how to NAT the static IP.
View 4 Replies
Mar 23, 2012
I've been trying to use BTguard with Vuze but no matter what I try I keep getting this error. Connection Error (Socket Exception:Can't connect to SOCKS proxy:Connection refused : connect(t) I can't really tell where the problem is, with Vuze, Router, BTguard. I've been digging through old posts and Google for well over 4+ hours straight, haven't even got out of this chair yet trying to fix this.
View 3 Replies
Jun 6, 2012
I was recently trying to access , a free Japanese Internet radio service. It is region locked (ie. Japan only). I've used Japanese VPN and proxy to try and bypass the lock, but somehow it (the website) knows I'm based in UK (which is where I live). Even through VPN and proxies, is it possible to know where the IP is based?
View 2 Replies
Jan 18, 2012
How can I bypass the proxy of my school? I cannot access my emails since I am in the UK and my email is provided with a server in China, namely 163.com; the email means a lot to me as it is the only way I can keep in touch with my friends from my old school.
View 1 Replies
Feb 4, 2013
I want to access the video content of the Dutch television channels, but I am living abroad, they track the IP, see I am not in Holland and don't show the content. There are some companies providing a VPN subscription in the Netherlands for 15 Euro a month and that works perfect, just it's a little expensive. Now my hope was to buy a second-hand VPN router, that I want to put at my parents' place in Holland, and somehow use it in the same way as the VPN service of the company. So using it to connect, and browsing through this connection to get a Dutch IP.
View 2 Replies
Jul 20, 2012
I can't access some sites, loading times are endless and they look totally strange when I can access them (No images and so on). Sites are completely random, some examples are GamersLegacy.it - Starcraft 2, Diablo 3, Dota2, World of Warcraft, League of Legends, Inferno eSports - Homepage (videogames forum); FINECO: Conto, Investimenti, Trading, Prestiti e Mutui - Banca diretta, online o con promotore (bank); Sigma Draconis
1) Cleaned laptop with Ad-aware and Malwarebytes, found 2 issues but didn't fix the problem.
2) Closed firewall, nothing either.
3) Changed/flushed DNS, tried both openDNS and GoogleDNS, nothing.
4) She CAN access those sites, she has same connection to the router (via wireless) and she has same OS (Windows Seven). I think that means it's my problem, not a router one.
5) Tried to lower MTU settings in my wireless connection as I read that could be the problem, nothing new here.
6) Here comes the tricky part. I tried to access those sites via proxy (Ninja Cloak | Fast, free, anonymous web browsing with NinjaCloak.com) and they actually work!
View 3 Replies
Aug 7, 2011
How to get Real IP of user that is Online via Proxy without using x-forwarded for (When proxy server not trusted)?
View 9 Replies
Jan 26, 2012
I tried to use a different proxy but couldn't access internet at all. It seems all the LAN traffic is forced to go through the LAN proxy.
View 2 Replies