Browser-Based Authentication Bypass

The Browser-Based Authentication Bypass feature enables web browsers to bypass authentication methods
such as HTTP Basic, Web Authorization Proxy, and Windows NT LAN Manager (NTLM) (passive or
explicit). Specific web browsers can be configured for authentication, and other browsers can be configured
to bypass authentication.
This module provides information about the feature and how to configure it.

• Finding Feature Information, page 1
• Prerequisites for Browser-Based Authentication Bypass, page 1
• Information About Browser-Based Authentication Bypass, page 2
• How to Configure Browser-Based Authentication Bypass, page 3
• Configuration Examples for Browser-Based Authentication Bypass, page 6
• Additional References for Browser-Based Authentication Bypass, page 6
• Feature Information for Browser-Based Authentication Bypass, page 7

Finding Feature Information


Your software release may not support all the features documented in this module. For the latest caveats and
feature information, see Bug Search Tool and the release notes for your platform and software release. To
find information about the features documented in this module, and to see a list of the releases in which each
feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Browser-Based Authentication Bypass


• You must configure at least one of these authentication methods—HTTP Basic, Web Authorization
Proxy, or Windows NTLM—with browser-based authentication bypass.
• Use browser-based authentication bypass with the Default User-Group Policy feature.

Security Configuration Guide: Cloud Web Security, Cisco IOS Release 15M&T
1
Information About Browser-Based Authentication Bypass

Browser-Based Authentication Bypass Overview


During user authentication, some web browsers display an authentication pop-up or dialog box. The
Browser-Based Authentication Bypass feature lets selected browsers bypass this user authentication and
thus avoid the authentication pop-ups.
With the Browser-Based Authentication Bypass feature, you can configure web browsers that must be
authenticated and browsers that can bypass user authentication. Bypassing is supported for authentication
methods such as HTTP Basic, Web Authorization Proxy, and Windows NT LAN Manager (NTLM) (passive
or explicit).
The Browser-Based Authentication Bypass feature supports the following web browsers:
• Chrome
• Firefox
• Internet Explorer 8 (IE8)
• IE9
• Safari

A network administrator configures a list of regular expression (regex) patterns in the IP admission module.
When the IP admission module receives the HTTP Get request, the module compares the user-agent string
in the HTTP header to the regex pattern that the administrator has configured for the bypass method.
The following rules apply to the Browser-Based Authentication Bypass feature:
• If a configured regex pattern does not match the user-agent field, a web browser is authenticated on the
basis of the configured web authentication method.
• If a configured regex pattern matches the user-agent field, authentication is bypassed for the web browser
and the HTTP traffic goes through to the Cisco Web Security cloud.
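The two rules above, modelled in Python as an added example (not code from the original guide or from Cisco IOS): the pattern list plays the role of the regex parameter-map, the User-Agent header is pulled from a constructed HTTP GET request, and Python's re.search stands in for the IOS regex engine (an assumption). Because the match keys on a header the client supplies, the example also covers a request that carries no User-Agent at all, which falls back to the configured authentication method.

```python
import re

# Constructed sample: a regex parameter-map holding the page's "pattern Chrome"
# plus a second, hypothetical pattern for Firefox.
REGEX_MAP = {"regex-map1": [r"Chrome", r"Firefox"]}

# Constructed sample HTTP GET requests as the IP admission module would see them.
REQ_CHROME = (
    "GET / HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/120.0\r\n\r\n"
)
REQ_SAFARI = (
    "GET / HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh) Safari/605.1\r\n\r\n"
)
REQ_NO_UA = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def user_agent(raw_request: str) -> str:
    """Return the User-Agent header value of a raw HTTP request ("" if absent)."""
    for line in raw_request.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return ""


def admission_decision(raw_request: str, regex_map: str, auth_method: str) -> str:
    """Apply the page's two rules.

    A configured pattern matching the user-agent field -> "bypass" (traffic
    goes through to the cloud).  No match, no User-Agent header, or an unknown
    parameter-map name -> the configured method (e.g. "ntlm", "http-basic")
    is applied instead.  Assumption: re.search approximates IOS regex matching.
    """
    ua = user_agent(raw_request)
    for pattern in REGEX_MAP.get(regex_map, []):
        if re.search(pattern, ua):
            return "bypass"
    return auth_method


if __name__ == "__main__":
    for name, req in [("chrome", REQ_CHROME), ("safari", REQ_SAFARI), ("no-ua", REQ_NO_UA)]:
        print(name, "->", admission_decision(req, "regex-map1", "ntlm"))
```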
How to Configure Browser-Based Authentication Bypass

Configuring Browser-Based Authentication Bypass


SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type regex regex-map
4. pattern expression
5. exit
6. ip admission name admission-name bypass regex regex-map [absolute-timer minutes]
7. Perform one of the following tasks:
• ip admission name admission-name ntlm
• ip admission name admission-name http-basic
• ip admission name admission-name proxy http
8. interface type number
9. ip admission admission-name
10. end

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: parameter-map type regex regex-map
Purpose: Configures a parameter-map type with a regular expression (regex) to match a specific traffic
pattern and enters parameter-map type inspect configuration mode.
Example:
Device(config)# parameter-map type regex regex-map1

Step 4: pattern expression
Purpose: Configures a matching pattern that compares the user-agent field in the HTTP Get request and
the regex pattern.
Example:
Device(config-profile)# pattern Chrome

Step 5: exit
Purpose: Exits parameter-map type inspect configuration mode and enters global configuration mode.
Example:
Device(config-profile)# exit

Step 6: ip admission name admission-name bypass regex regex-map [absolute-timer minutes]
Purpose: Creates an IP Network Admission Control (NAC) rule to enable browser-based authentication
bypass.
Example:
Device(config)# ip admission name rule1 bypass regex regex-map1 absolute-timer 10

Step 7: Perform one of the following tasks:
• ip admission name admission-name ntlm
• ip admission name admission-name http-basic
• ip admission name admission-name proxy http
Purpose: Configures one of the following authentication methods:
• Windows NT LAN Manager (NTLM)
• HTTP Basic
• Web Authorization Proxy
Example:
Device(config)# ip admission name rule1 ntlm
Device(config)# ip admission name rule1 http-basic
Device(config)# ip admission name rule1 proxy http

Step 8: interface type number
Purpose: Configures an interface and enters interface configuration mode.
Example:
Device(config)# interface gigabitethernet0/1/0

Step 9: ip admission admission-name
Purpose: Creates a Layer 3 Network Admission Control (NAC) rule to be applied to the interface.
Example:
Device(config-if)# ip admission rule1

Step 10: end
Purpose: Exits interface configuration mode and enters privileged EXEC mode.
Example:
Device(config-if)# end

What to Do Next
For any parameter-map change to be reflected, remove and configure the ip admission name admission-name
bypass regex regex-map [absolute-timer minutes] command in global configuration mode.

Verifying Browser-Based Authentication Bypass


SUMMARY STEPS

1. enable
2. show ip admission cache
3. show ip admission configuration

DETAILED STEPS

Step 1 enable
Enables privileged EXEC mode.
• Enter your password if prompted.

Example:
Device> enable

Step 2 show ip admission cache
Displays the current list of network admission entries and verifies the browser authentication bypass.

Example:
Device# show ip admission cache

Client Name N/A, Client IP 172.31.108.123, Port 63142, timeout 60, Time Remaining 60, state ESTAB (Browser Auth Bypass)

Step 3 show ip admission configuration
Displays the Network Admission Control (NAC) configuration.

Example:
Device# show ip admission configuration

Auth-proxy name webauth-profile
!
browser bypass, regex parameter-map name: reg-map inactivity-time 12 minutes absolute-timer 10 minutes

Configuration Examples for Browser-Based Authentication Bypass

Example: Configuring Browser-Based Authentication Bypass

Device> enable
Device# configure terminal
Device(config)# parameter-map type regex regex-map1
Device(config-profile)# pattern Chrome
Device(config-profile)# exit
Device(config)# ip admission name rule1 bypass regex regex-map1 absolute-timer 10
Device(config)# ip admission name rule1 ntlm
Device(config)# interface gigabitethernet0/1/0
Device(config-if)# ip admission rule1
Device(config-if)# end

Additional References for Browser-Based Authentication Bypass

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Command List, All Releases

Related Topic: Security commands
Document Title:
• Cisco IOS Security Command Reference: Commands A to C
• Cisco IOS Security Command Reference: Commands D to L
• Cisco IOS Security Command Reference: Commands M to R
• Cisco IOS Security Command Reference: Commands S to Z

Related Topic: Cisco Web Security
Document Title: "Cisco Web Security" module in the Security Configuration Guide: Zone-Based Policy Firewall

Related Topic: Authenticating and authorizing connections
Document Title: "Configuring Authentication Proxy" module in the Authentication Proxy Configuration Guide

Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and
tools for troubleshooting and resolving technical issues with Cisco products and technologies.
To receive security and technical information about your products, you can subscribe to various services,
such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter,
and Really Simple Syndication (RSS) Feeds.
Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
Link: http://www.cisco.com/support

Feature Information for Browser-Based Authentication Bypass


The following table provides release information about the feature or features described in this module. This
table lists only the software release that introduced support for a given feature in a given software release
train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support.
To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1: Feature Information for Browser-Based Authentication Bypass

Feature Name: Browser-Based Authentication Bypass
Releases: 15.3(3)M
Feature Information: The Browser-Based Authentication Bypass feature enables web browsers to bypass
authentication methods such as HTTP Basic, Web Authorization Proxy, and Windows NTLM (passive or
explicit).
The following command was introduced: ip admission name bypass regex.