13-3 Dynamically Authenticate and Authorize Users with Authentication Proxy

- Authentication proxy allows a router to intercept HTTP traffic from users and require authentication if needed.
- Security policies can be configured and applied on a per-user basis.
- If a user is not already authenticated, the router prompts for a username and password.
- After successful authentication, the user's authorization profile is requested from an AAA server. A dynamic Access Control Entry (ACE) is added to an inbound access list, permitting the user's traffic to pass into the network.
- Authentication proxy must be configured on an inbound interface at the edge of the network.
- An access list can be used to limit what HTTP traffic can trigger authentication proxy.

Configuration
1. Configure AAA services. Refer to Section 13-2 for information about configuring AAA authentication.

   a. Enable login authentication:
      (global) aaa authentication login { default | list-name } method1 [ method2 ... ]
      No special keywords are needed to use authentication proxy with AAA.

   b. Enable AAA authorization to import dynamic access list information:
      (global) aaa authorization auth-proxy { default | list-name } method1 [ method2 ... ]
      The auth-proxy keyword must be used to cause AAA authorization to interoperate with authentication proxy. Otherwise, AAA authorization can be configured normally.

   c. Enable AAA accounting to generate an audit or billing trail:
      (global) aaa accounting auth-proxy { default | list-name } { start-stop | stop-only | wait-start | none } [ broadcast ] group { radius | tacacs+ | group-name }
      The auth-proxy keyword must be used to cause AAA accounting to interoperate with authentication proxy. Otherwise, AAA accounting can be configured normally. Use the start-stop keyword to generate both start and stop records as the user authenticates and uses the dynamic access list entry.

   d. Configure the AAA server addresses:
      (global) tacacs-server host hostname [ port port ] [ timeout seconds ] [ key string ]
      -OR-
      (global) radius-server host { hostname | ip-address } [ auth-port port ] [ acct-port port ] [ timeout seconds ] [ retransmit retries ] [ alias { hostname | ip-address } ] [ key string ]

   e. (Optional) Add TACACS+ or RADIUS traffic to any inbound access lists:
      (global) access-list acc-list-number permit tcp host aaa-server eq { tacacs | radius } host router-address
      Permit return (inbound) AAA traffic from the IP address of aaa-server to the IP address of the authentication proxy router's inbound interface. Otherwise, when authentication proxy requests the user's authorization information, the replies might be filtered out.
2. Use the HTTP server on the router.

   a. Enable the HTTP server:
      (global) ip http server
      The HTTP server is used to present a username/password authentication prompt to the user.

   b. Use AAA authentication for the HTTP server:
      (global) ip http authentication aaa

   c. Define an access list to deny all inbound traffic to the HTTP server:
      (global) access-list acc-list-number deny ip any any
      (global) ip http access-class acc-list-number
      An IP access list (either standard or extended) is needed to make sure no outside user can initiate a connection to the router's HTTP server. The HTTP server is used only for outbound traffic, to present prompts to the user.
3. Enable authentication proxy.

   a. (Optional) Define an authentication idle timeout:
      (global) ip auth-proxy auth-cache-time minutes
      Authentication proxy keeps a cache of authenticated users. After a user's traffic has been idle for minutes (1 to 2147483647; the default is 60), the dynamic access list entry for the user is removed, and the user must authenticate again.

   b. (Optional) Display the router host name in the login banner:
      (global) ip auth-proxy auth-proxy-banner
      By default, the authentication proxy banner is disabled, preventing the router's name from being seen.

   c. Specify an authentication proxy rule:
      (global) ip auth-proxy name auth-proxy-name http [ auth-cache-time minutes ] [ list std-access-list ]
      The rule is associated with an arbitrary ruleset named auth-proxy-name (up to 16 characters). The http keyword triggers authentication proxy on HTTP traffic. The cache timeout can be overridden from the default, with auth-cache-time given in minutes (1 to 2147483647; the default comes from the ip auth-proxy auth-cache-time command). A standard IP access list can be used to limit what HTTP traffic triggers authentication proxy. If used, the list is referenced as std-access-list (1 to 99). It must contain permit statements for the source addresses that trigger the authentication process. Addresses that the list denies are passed normally, without triggering authentication proxy. If no access list is specified, all HTTP traffic is intercepted and is subject to authentication proxy.

   d. Apply an authentication proxy rule to an inbound interface:
      (interface) ip auth-proxy auth-proxy-name
      The authentication proxy rule named auth-proxy-name is used to define whether incoming traffic requires authentication.
4. Configure user profiles in an AAA server.

   a. Define an auth-proxy section in the user profile:
      default authorization = permit
      key = cisco
      user = username {
        login = cleartext password
        service = auth-proxy {

   b. Define a privilege level for the user:
          priv-lvl=15
      The privilege level must be 15 for all users who are authorized through authentication proxy.

   c. Define the dynamic access list entries for the user:
          proxyacl#1="permit protocol any ..."
          proxyacl#2="permit protocol any ..."
          ...
        }
      }
      Enter the access list rules under attribute values of the form proxyacl#n. The attributes must be entered exactly as if you were configuring access list statements on the router. Always use the source address any in the rules. As soon as authentication proxy imports the access list rules, it replaces any with the source address of the host that the user is using.

Example

Authentication proxy is configured to inspect all inbound HTTP traffic and to authenticate any users who aren't already authenticated. TACACS+ servers at 192.168.14.55 and 192.168.14.56 are used for authentication, authorization, and accounting in conjunction with authentication proxy. The authentication proxy rule named Corporate is defined so that all users using HTTP from any source address are required to authenticate. The AAA authorization policies configured in the TACACS+ servers are retrieved for each user to determine what resources the user is allowed to access.

   ! AAA: TACACS+ servers for login authentication, auth-proxy authorization and accounting
   aaa new-model
   tacacs-server host 192.168.14.55
   tacacs-server host 192.168.14.56
   tacacs-server key mysecretkey
   aaa authentication login default group tacacs+
   aaa authorization auth-proxy default group tacacs+
   aaa accounting auth-proxy default start-stop group tacacs+
   ! HTTP server used only to present the login prompt; no inbound connections allowed
   access-list 10 deny any
   ip http server
   ip http authentication aaa
   ip http access-class 10
   ! Authentication proxy rule: idle entries expire after 120 minutes
   ip auth-proxy auth-cache-time 120
   ip auth-proxy name Corporate http
   ! Apply the rule on the inbound edge interface
   interface fastethernet 3/1
    ip address 10.14.21.10 255.255.255.0
    ip auth-proxy Corporate
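As an added illustration (not part of the original text and not Cisco code), the following Python models how authentication proxy consumes the user profile from step 4: it parses the priv-lvl and proxyacl#n attributes, checks the two constraints the steps state (priv-lvl must be 15, the source must be any), and substitutes the authenticated host's address for any, which is what the router does when it installs the dynamic ACEs. The profile text and the client address are constructed sample values.

```python
import re
from ipaddress import ip_address

# Constructed sample of the service = auth-proxy block from step 4 (not a real profile);
# entries are deliberately out of order to show that proxyacl#n ordering is by n.
SAMPLE_PROFILE = """
priv-lvl=15
proxyacl#2="permit udp any host 10.14.50.53 eq 53"
proxyacl#1="permit tcp any host 10.14.50.20 eq 80"
proxyacl#3="permit icmp any 10.14.60.0 0.0.0.255"
"""

def parse_auth_proxy_profile(text):
    """Return (priv_lvl, rules): rules are the proxyacl#n values ordered by n."""
    priv_lvl, rules = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"priv-lvl\s*=\s*(\d+)", line)
        if m:
            priv_lvl = int(m.group(1))
            continue
        m = re.fullmatch(r'proxyacl#(\d+)\s*=\s*"([^"]*)"', line)
        if m:
            rules[int(m.group(1))] = m.group(2).strip()
    return priv_lvl, [rules[n] for n in sorted(rules)]

def validate_profile(priv_lvl, rules):
    """List violations of the two rules the text gives: priv-lvl 15 and source 'any'."""
    problems = []
    if priv_lvl != 15:
        problems.append(f"priv-lvl is {priv_lvl}, must be 15")
    for rule in rules:
        parts = rule.split()
        # Expected shape: permit <protocol> any <destination ...>
        if len(parts) < 3 or parts[0] != "permit":
            problems.append(f"not a permit statement: {rule}")
        elif parts[2] != "any":
            problems.append(f"source must be 'any': {rule}")
    return problems

def expand_dynamic_aces(rules, client_ip):
    """Model the import: the 'any' source becomes 'host <client_ip>' in each dynamic ACE."""
    ip_address(client_ip)  # reject a malformed address before building any ACE
    aces = []
    for rule in rules:
        parts = rule.split()
        parts[2:3] = ["host", client_ip]
        aces.append(" ".join(parts))
    return aces

if __name__ == "__main__":
    priv_lvl, rules = parse_auth_proxy_profile(SAMPLE_PROFILE)
    print(validate_profile(priv_lvl, rules) or "profile OK")
    for ace in expand_dynamic_aces(rules, "10.14.21.77"):
        print("dynamic ACE:", ace)
```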