13-3 Dynamically Authenticate and Authorize Users with Authentication Proxy

  • Authentication proxy allows a router to intercept HTTP traffic from users and require authentication when the user has not already authenticated.

  • Security policies can be configured and applied on a per-user basis.

  • If a user is not already authenticated, the router prompts for a username and password.

  • After successful authentication, the user's authorization profile is requested from an AAA server. A dynamic Access Control Entry (ACE) is added to an inbound access list, permitting the user's traffic to pass into the network.

  • Authentication proxy must be configured on an inbound interface at the edge of the network.

  • An access list can be used to limit what HTTP traffic can trigger authentication proxy.

Configuration

  1. Configure AAA services.

    Refer to Section 13-2 for information about configuring AAA authentication.

    1. Enable login authentication:

       (global) aaa authentication login { default | list-name } method1 [ method2 ...]

      No special keywords are needed to use authentication proxy with AAA.

    2. Enable AAA authorization to import dynamic access list information:

       (global) aaa authorization auth-proxy { default | list-name } method1 [ method2 ...]

      The auth-proxy keyword must be used to cause AAA authorization to interoperate with authentication proxy. Otherwise, AAA authorization can be configured normally.

    3. Enable AAA accounting to generate an audit or billing trail:

       (global) aaa accounting auth-proxy { default | list-name } { start-stop | stop-only | wait-start | none } [ broadcast ] group { radius | tacacs+ | group-name }

      The auth-proxy keyword must be used to cause AAA accounting to interoperate with authentication proxy. Otherwise, AAA accounting can be configured normally. Use the start-stop keyword to generate both start and stop records as the user authenticates and uses the dynamic access list entry.

    4. Configure the AAA server addresses:

       (global) tacacs-server host hostname [ port port ] [ timeout seconds ] [ key string ]

      -OR-

       (global) radius-server host { hostname | ip-address } [ auth-port port ] [ acct-port port ] [ timeout seconds ] [ retransmit retries ] [ alias { hostname | ip-address }] [ key string ]

    5. (Optional) Add TACACS+ or RADIUS traffic to any inbound access lists:

       (global) access-list acc-list-number permit tcp host aaa-server eq { tacacs | radius } host router-address

      Permit the return (inbound) AAA traffic from the IP address of the aaa-server to the IP address of the inbound interface on the authentication proxy router. Otherwise, when authentication proxy requests the user authorization information, the replies might be filtered out by the inbound access list.

  2. Use the HTTP server on the router.

    1. Enable the HTTP server:

       (global) ip http server

      The HTTP server is used to present a username/password authentication prompt to the user.

    2. Use AAA authentication for the HTTP server:

       (global) ip http authentication aaa

    3. Define an access list to deny all inbound traffic to the HTTP server:

       (global) access-list acc-list-number deny ip any any
       (global) ip http access-class acc-list-number

      An IP access list (either standard or extended) is needed to make sure no outside user can initiate a connection to the router's HTTP server. The HTTP server is used only for outbound traffic, to present prompts to the user.

  3. Enable authentication proxy.

    1. (Optional) Define an authentication idle timeout:

       (global) ip auth-proxy auth-cache-time minutes

      Authentication proxy keeps a cache of authenticated users. After user traffic has been idle for minutes (1 to 2147483647; the default is 60), the dynamic access list entry for the user is removed, and the user must authenticate again.

    2. (Optional) Display the router host name in the login banner:

       (global) ip auth-proxy auth-proxy-banner

      By default, the authentication proxy banner is disabled, preventing the router's name from being seen.

    3. Specify an authentication proxy rule:

       (global) ip auth-proxy name auth-proxy-name http [ auth-cache-time minutes ] [ list std-access-list ]

      The rule is associated with an arbitrary ruleset named auth-proxy-name (up to 16 characters). The http keyword is used to trigger authentication proxy with HTTP traffic. The cache timeout can be overridden from the default, with auth-cache-time given in minutes (1 to 2147483647; the default comes from the ip auth-proxy auth-cache-time command).

      A standard IP access list can be used to limit what HTTP traffic triggers authentication proxy. If used, the list is referenced as std-access-list (1 to 99). It must contain permit statements for the source addresses that trigger the authentication process. Traffic from addresses that the list denies is passed normally, without triggering authentication proxy. If no access list is specified, all HTTP traffic is intercepted and is subject to authentication proxy.

    4. Apply an authentication proxy rule to an inbound interface:

       (interface) ip auth-proxy auth-proxy-name

      The authentication proxy rule named auth-proxy-name is used to define whether incoming traffic requires authentication.

  4. Configure user profiles in an AAA server.

    1. Define an auth-proxy section in the user profile:

        default authorization = permit
        key = cisco
        user = username {
            login = cleartext password
            service = auth-proxy {

    2. Define a privilege level for the user:

       priv-lvl=15 

      The privilege level must be 15 for all users who are authorized through authentication proxy.

    3. Define the dynamic access list entries for the user:

        proxyacl#1="permit protocol any ..."
        proxyacl#2="permit protocol any ..."
        ...

      Enter the access list rules as the values of attributes of the form proxyacl#n. The rules must be written exactly as if you were configuring access list statements on the router. Always use the source address any in the rules: when authentication proxy imports the access list rules, it replaces any with the source address of the host that the user is using, so the dynamic entries apply only to that host.
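      The profile format from step 4 and the source-address substitution described above, as an added worked example that is not part of the original manual: a small Python checker that parses the auth-proxy service section of a TACACS+ user profile, flags the mistakes the router would reject (priv-lvl other than 15, a proxyacl source that is not any, gaps in the proxyacl#n numbering), and renders the dynamic ACEs the way authentication proxy does by substituting the authenticated host for any. The profile text, user name, password and addresses are constructed placeholders; the parser is an assumption about the tac_plus-style layout shown on the page, not the AAA server's own code.

```python
import ipaddress
import re

# Constructed sample profile in the layout step 4 shows (placeholder user,
# password and addresses; not taken from any real server).
SAMPLE_PROFILE = """\
default authorization = permit
key = placeholder-key
user = jdoe {
    login = cleartext placeholder-password
    service = auth-proxy {
        priv-lvl=15
        proxyacl#1="permit tcp any host 10.14.40.10 eq 80"
        proxyacl#2="permit tcp any host 10.14.40.20 eq 443"
        proxyacl#3="permit icmp any 10.14.40.0 0.0.0.255"
    }
}
"""

SERVICE_RE = re.compile(r'service\s*=\s*auth-proxy\s*\{(.*?)\}', re.S)
PROXYACL_RE = re.compile(r'proxyacl#(\d+)\s*=\s*"([^"]*)"')
PRIV_RE = re.compile(r'priv-lvl\s*=\s*(\d+)')


def parse_auth_proxy_profile(text):
    """Return (priv_lvl, [(n, rule), ...]) from the service = auth-proxy block."""
    m = SERVICE_RE.search(text)
    if not m:
        raise ValueError("profile has no service = auth-proxy section")
    body = m.group(1)
    pm = PRIV_RE.search(body)
    priv = int(pm.group(1)) if pm else None
    rules = sorted((int(n), r.strip()) for n, r in PROXYACL_RE.findall(body))
    return priv, rules


def validate_profile(text):
    """Return the problems the router would trip over; an empty list means OK."""
    problems = []
    priv, rules = parse_auth_proxy_profile(text)
    if priv != 15:
        problems.append(f"priv-lvl must be 15 for auth-proxy users, found {priv}")
    if not rules:
        problems.append("no proxyacl#n entries; the user would get no dynamic ACEs")
    expected = 1
    for n, rule in rules:
        if n != expected:
            problems.append(f"proxyacl numbering gap: expected #{expected}, found #{n}")
        expected = n + 1
        parts = rule.split()
        # A rule must look like an IOS ACE: permit <protocol> <source> ...
        if len(parts) < 3 or parts[0] != "permit":
            problems.append(f"proxyacl#{n}: must start with 'permit <protocol>'")
            continue
        if parts[2] != "any":
            problems.append(f"proxyacl#{n}: source must be 'any', found {parts[2]!r}")
    return problems


def render_dynamic_aces(text, host_ip):
    """Substitute the authenticated host for the source 'any', as auth-proxy does."""
    ipaddress.ip_address(host_ip)  # reject a malformed address early
    _, rules = parse_auth_proxy_profile(text)
    aces = []
    for _, rule in rules:
        parts = rule.split()
        parts[2] = f"host {host_ip}"  # only the source field is rewritten
        aces.append(" ".join(parts))
    return aces


if __name__ == "__main__":
    for problem in validate_profile(SAMPLE_PROFILE):
        print("PROBLEM:", problem)
    # Dynamic ACEs the router would add for a user who authenticated from 10.14.21.77
    for ace in render_dynamic_aces(SAMPLE_PROFILE, "10.14.21.77"):
        print(ace)
```

      Run the checker against a profile before loading it on the AAA server; a non-empty problem list means the router would either refuse the authorization or import entries that do not match the user's host.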

Example

Authentication proxy is configured to inspect all inbound HTTP traffic and to authenticate any users who aren't already authenticated. TACACS+ servers at 192.168.14.55 and 192.168.14.56 are used for authentication, authorization, and accounting in conjunction with authentication proxy. The authentication proxy rule named Corporate is defined so that all users using HTTP from any source address are required to authenticate. The AAA authorization policies configured in the TACACS+ servers are retrieved for each user to determine what resources the user is allowed to access.

  aaa new-model
  tacacs-server host 192.168.14.55
  tacacs-server host 192.168.14.56
  tacacs-server key mysecretkey
  aaa authentication login default group tacacs+
  aaa authorization auth-proxy default group tacacs+
  aaa accounting auth-proxy default start-stop group tacacs+
  access-list 10 deny any
  ip http server
  ip http authentication aaa
  ip http access-class 10
  ip auth-proxy auth-cache-time 120
  ip auth-proxy name Corporate http
  interface fastethernet 3/1
   ip address 10.14.21.10 255.255.255.0
   ip auth-proxy Corporate


Cisco Field Manual[c] Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185