A10 for Transparent Proxy Authentication
cakrapersada
in System
Hi guys,
I'm not sure whether I should post it under general or aflex subforum because I don't know if it will need aflex or not.
The idea is that I'd like to add authentication alongside the current transparent proxy system using WCCP and Squid. While Squid states in its FAQ that it cannot use authentication with a transparent proxy, I use A10 for the authentication task before the HTTP request is sent to the WCCP routers. I use LDAP as the external authentication database and use the AAM feature in A10.
Currently I have successfully configured A10 so that HTTP request traffic from one client to one website is authenticated first against the LDAP servers, and then the authenticated request is sent upstream. It works fine. The problem is that the authentication session lasts for that website only. When the authenticated client browses other websites, A10 requests a new authentication for each new hostname. My question is how to make the client fill in the authentication login form only once for every website it browses, as long as the idle time is not exceeded?
Here is my A10 version and configuration for your reference:
Thunder Series Unified Application Service Gateway TH930
64-bit Advanced Core OS (ACOS) version 4.0.1, build 214 (Mar-30-2015,21:33)
aFleX version: 2.0.0
aXAPI version: 3.0
active-partition WEBAUTH
!
!
interface ethernet 1/5
name inside
enable
ip address 192.168.52.13 255.255.255.248
ip allow-promiscuous-vip
no isis hello padding
!
interface ethernet 1/6
name outside
enable
ip address 192.168.52.5 255.255.255.248
no isis hello padding
!
interface ethernet 2/5
name inside
enable
ip address 192.168.52.14 255.255.255.248
ip allow-promiscuous-vip
!
interface ethernet 2/6
name outside
enable
ip address 192.168.52.6 255.255.255.248
!
!
vrrp-a vrid 1
floating-ip 192.168.52.4
floating-ip 192.168.52.12
device-context 1
blade-parameters
priority 255
!
device-context 1
ip route 0.0.0.0 /0 192.168.52.1
!
device-context 1
ip route 172.16.0.0 /12 192.168.52.9
!
device-context 1
ip route 192.168.50.0 /24 192.168.52.9
!
device-context 2
ip route 0.0.0.0 /0 192.168.52.1
!
device-context 2
ip route 172.16.0.0 /12 192.168.52.9
!
device-context 2
ip route 192.168.50.0 /24 192.168.52.9
!
health monitor ldap-healthmon
method ldap run-search query (objectclass=*) AcceptNotFound
!
aam authentication logon form-based web-logon
portal default-portal
!
!
aam authentication server ldap ldap-primary
host 192.168.5.104
base "mail=Users, dc=something, dc=go, dc=id"
dn-attribute mail
default-domain something.go.id
health-check ldap-healthmon
!
aam authentication server ldap ldap-secondary
host 192.168.5.100
base "mail=Users, dc=something, dc=go, dc=id"
dn-attribute mail
default-domain something.go.id
health-check ldap-healthmon
!
aam authentication log enable
!
slb server upstream 192.168.52.1
health-check-disable
port 80 tcp
health-check-disable
!
aam authentication service-group ldap-sg tcp
member ldap-primary 389
member ldap-secondary 389
!
aam authentication relay form-based web-logon
!
aam authentication template auth-template
type standard
logon web-logon
service-group ldap-sg
log enable
!
aam aaa-policy aaa-auth-policy
aaa-rule 1
action allow
authentication-template auth-template
!
slb service-group upstream-sg tcp
member upstream 80
!
slb virtual-server wild-card-web 0.0.0.0
port 80 http
no-dest-nat
service-group upstream-sg
aaa-policy aaa-auth-policy
!
end
I would appreciate any help. :)
Thanks,
-Yudhi
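The behaviour described in the post (one login per hostname, versus one login per client that survives across sites until the idle timer expires) comes down to what key the gateway stores its authentication session under. The following is an added illustrative model written for this page; it is not A10/ACOS code and makes no claim about how AAM stores its sessions internally. The scope names `per-host` and `per-client`, the `AuthGateway` class, the idle timeout value and the browsing trace are all constructed for the example. In a real browser, a form-based login session is normally carried by a cookie, and cookies are scoped to the hostname that set them, which is exactly why a session established on one site is not presented on the next; the per-client variant below keys on the source address instead, which removes the re-prompting but trusts the address as the identity.

```python
"""Illustrative model (added example, not A10/ACOS code) of an
authentication session scoped per hostname versus per client, each
with an idle timeout after which the logon form is shown again."""

from dataclasses import dataclass, field


@dataclass
class AuthGateway:
    scope: str                      # "per-host" or "per-client" (constructed names)
    idle_timeout: float = 600.0     # seconds of inactivity before re-authentication
    sessions: dict = field(default_factory=dict)   # session key -> last activity time
    prompts: int = 0                               # number of logon forms shown

    def _key(self, client_ip, host):
        # The whole difference between the two behaviours is the session key:
        # per-host includes the hostname, so every new site is a new session.
        if self.scope == "per-host":
            return (client_ip, host)
        return (client_ip,)

    def handle(self, client_ip, host, now, credentials_ok=True):
        """Return the gateway's decision for one HTTP request at time `now`."""
        key = self._key(client_ip, host)
        last_seen = self.sessions.get(key)
        if last_seen is not None and now - last_seen <= self.idle_timeout:
            self.sessions[key] = now          # live session: refresh the idle timer
            return "forward"
        # No live session: present the logon form and validate the credentials
        # against the directory (simulated here by the credentials_ok flag).
        self.prompts += 1
        if not credentials_ok:
            return "deny"
        self.sessions[key] = now
        return "authenticated"


def browsing_session(scope):
    """Replay a constructed browsing trace and return (prompts, decisions)."""
    gw = AuthGateway(scope=scope)
    client = "192.168.50.10"  # constructed client address
    trace = [
        (0,    "site-a.example"),
        (30,   "site-b.example"),
        (60,   "site-a.example"),
        (1000, "site-c.example"),   # well past the 600 s idle timeout
        (1010, "site-a.example"),
    ]
    decisions = [gw.handle(client, host, now=t) for t, host in trace]
    return gw.prompts, decisions


if __name__ == "__main__":
    for scope in ("per-host", "per-client"):
        prompts, decisions = browsing_session(scope)
        print(f"{scope}: {prompts} logon prompts, decisions={decisions}")
```

Running the trace, the per-host scope shows the logon form four times (once per new site, then again for each site after the idle gap), while the per-client scope shows it twice (once at the start and once after the idle gap). The caveat for the per-client design is that the session is bound to the source address: behind a NAT or shared proxy address, one user's login would satisfy the gateway for everyone sharing that address, so the idle timeout and logging become the main controls.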
Comments
We do not support this reference design at the moment. Simultaneous support for AAM (Authentication) and transparent proxy is not supported in our latest 4.0.1 build. However, we have a new feature in the next release called AAM Authentication with Proxy support, which will perform both authentication and proxying at the same time. If you are interested in this feature, I suggest contacting your regional SE to get the details of the feature.
Genard