After contacting another organization whose ASA was leaking HTTP authentication credentials, they had to set the following on their ASA because the virtual http command didn't work for them. From the Cisco docs:
If you use HTTP authentication without using the aaa authentication secure-http-client command, the username and password are sent in clear text to the destination web server, and not just to the AAA server. For example, if you authenticate inside users when they access outside web servers, anyone on the outside can learn valid usernames and passwords. We recommend that you use the aaa authentication secure-http-client command whenever you enable HTTP authentication.
Add the following command to the PIX/ASA Firewall:
aaa authentication secure-http-client
Cisco Reference Doc: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1051298
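For context, here is a constructed ASA configuration fragment showing where the command fits. This is an added example, not the post's or Cisco's own configuration; the ACL name, network, interface name and AAA server tag are placeholders, assumed for illustration only.

```cisco
! Constructed example, not from the original post or the Cisco doc it links.
! ACL name, network, interface and server tag are placeholders.
!
! Cut-through proxy: authenticate inside users before they reach outside web servers
access-list AUTH_HTTP extended permit tcp 192.168.1.0 255.255.255.0 any eq www
aaa authentication match AUTH_HTTP inside LOCAL
!
! Weak: with only the two lines above, the browser's Basic credentials are
! forwarded to the destination web server in clear text, so anyone on the
! outside path can read valid usernames and passwords.
!
! Corrected: make the ASA collect the credentials from the client over HTTPS
aaa authentication secure-http-client
!
! Check that the setting is present on the running firewall:
!   show running-config aaa
```

If `show running-config aaa` does not list `aaa authentication secure-http-client`, HTTP authentication on that firewall still sends credentials in the clear.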
Thursday, January 24, 2008