Configuring Proxy Distribution Tables


A Proxy Distribution Table allows you to take a request for authentication and forward it to other ACS devices based on the string prefix or suffix that you define. In this manner, you can authenticate a user from a California ACS through a New York ACS using a Proxy Distribution Table. As mentioned in the previous section, this is enabled based on a suffix or a prefix that is added to the username and configured within the Proxy Distribution Table by you.

When a local ACS sees a user request, the first place that ACS looks is into its database for that user. Assume that the ACS that is in New York sees an authentication request from an AAA client of the ACS in New York and the username and password is a user that is in the ACS California database. Because this user does not exist in the ACS New York database, the authentication would fail; however, with a Proxy Distribution Table configured, the ACS in New York could then forward the authentication request to the California ACS.

Proxy authentication works by performing a string match on the username. Suppose the string you want to match is CA. You would configure the Proxy Distribution Table in New York with the information necessary to forward the request to California. When a user enters a username preceded or followed by that string, the request is forwarded.

In the Proxy Distribution Table, you define a prefix or a suffix. That prefix or suffix is then associated with another ACS server. For example, a New York ACS has an entry in the Proxy Distribution Table for a suffix of .CA. When a California user authenticates and that request is sent to the New York ACS, the user enters his or her username as username.CA. The New York ACS detects the string, looks in the Proxy Distribution Table, finds the entry for .CA, and forwards the authentication request. The user is then authenticated against the correct database.

With proxy distribution, you also have the ability to configure ACS with multiple options in that Proxy Distribution Table. The character string that you define is the suffix or the prefix. That suffix or prefix can be up to 32 characters long. The string usually contains a delimiting character, such as a dot (.) or a slash (/), to mark the breaking point, although this is not required. If you choose to use a prefix string, it would resemble the following:

 Irvine/bcarroll. 

In the preceding line, bcarroll is the username. Irvine/ defines an entry in the Proxy Distribution Table and, more specifically, the prefix that matches. Keep in mind that you don't need to use a / as the delimiting character. You can use just about any character you would like; the slash is just an example. You could just as well use the @ symbol. In that case, your string would resemble the following:

 IRVINE@bcarroll 

If you choose to use a suffix, it would resemble the following:

 bcarroll.IRVINE 

Again, bcarroll is the username, and .IRVINE is the entry in the Proxy Distribution Table. If the username in the ACS database in Irvine is bcarroll.IRVINE, you want to leave things as is. If the username is simply bcarroll, you configure stripping so that when the request is forwarded to the ACS in Irvine, the suffix or the prefix is stripped from the message. When you configure stripping, you must take into account the username format on the destination ACS.
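The matching and stripping rules just described, written out as a small model (an added example, not code from the book or from ACS itself). The table entries, the server names ACS_NY and ACS_IRVINE, and the usernames are constructed for illustration; the @NY suffix entry mirrors the one built in the configuration steps later in this section. Exact, case-sensitive matching and first-entry-wins ordering are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyEntry:
    """One row of a Proxy Distribution Table (hypothetical model)."""
    string: str       # up to 32 characters, delimiter such as '.', '/' or '@' included
    position: str     # "prefix" or "suffix"
    strip: bool       # remove the matched string before forwarding
    forward_to: str   # name of the AAA server entry that receives the request

    def __post_init__(self):
        if not 1 <= len(self.string) <= 32:
            raise ValueError("character string must be 1..32 characters")
        if self.position not in ("prefix", "suffix"):
            raise ValueError("position must be 'prefix' or 'suffix'")


def resolve(username, table, local="LOCAL"):
    """Return (destination, forwarded_username) for one authentication request.

    Entries are checked in table order and the first match wins (assumption;
    the chapter notes that the proxy order can be changed). With no match the
    request stays with the local ACS database and the username is untouched.
    """
    for entry in table:
        if entry.position == "prefix" and username.startswith(entry.string):
            fwd = username[len(entry.string):] if entry.strip else username
            return entry.forward_to, fwd
        if entry.position == "suffix" and username.endswith(entry.string):
            fwd = username[:-len(entry.string)] if entry.strip else username
            return entry.forward_to, fwd
    return local, username


# Constructed table for the chapter's scenario: ACS_CA forwards "@NY" users to
# ACS_NY with stripping (the New York database holds the bare username), and
# "Irvine/" users to ACS_IRVINE without stripping (that database keeps the prefix).
TABLE = [
    ProxyEntry("@NY", "suffix", True, "ACS_NY"),
    ProxyEntry("Irvine/", "prefix", False, "ACS_IRVINE"),
]

if __name__ == "__main__":
    for user in ("bcarroll@NY", "Irvine/bcarroll", "bcarroll", "bcarroll.NY"):
        print(user, "->", resolve(user, TABLE))
```

The last sample shows the failure mode the chapter warns about: a user who types the wrong delimiter (bcarroll.NY instead of bcarroll@NY) matches no entry and is looked up locally, where the authentication fails.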

When ACS proxies to another ACS, the second ACS responds to the first using only Internet Engineering Task Force (IETF) Remote Authentication Dial-In User Service (RADIUS) attributes if RADIUS is the protocol used. The ACS that receives the authentication request from the first ACS is unable to use any vendor-specific attributes.

To create entries in the Proxy Distribution Table and enable the entire process, you need to follow three major steps:

Step 1.

Configure the local network access server (NAS).

Step 2.

Configure the local AAA server.

Step 3.

Configure the remote AAA server.

We begin with the local AAA server in California. To demonstrate, refer to Figure 9-8. Here, you can see that a user from New York is on the network in California and would like to retrieve information from the Internet.

Figure 9-8. Proxy Distribution Table Example Network


In the California network, the Internet use policy states that you must authenticate to ACS before you are allowed Internet access. Because the user from New York is not in the ACS_CA database, the user's authentication attempt would normally fail.

To cause the attempt to be successful, execute the following steps:

Step 1.

Make sure your PIX Firewall is set up with the following configuration:


pixfirewall(config)# sh aaa-server
aaa-server TACACS+ protocol tacacs+                                   <-- default config
aaa-server RADIUS protocol radius                                     <-- default config
aaa-server LOCAL protocol local                                       <-- default config
aaa-server MYTACACS protocol tacacs+                                  <-- Defines the protocol
aaa-server MYTACACS (outside) host 192.168.1.100 acskey timeout 10    <-- Defines the location of the server and the key
pixfirewall(config)# show access-list                                 <-- View the ACLs in place
access-list ACS; 1 elements                                           <-- This ACL is used in AAA to define what to authenticate
access-list ACS line 1 permit tcp host 10.0.1.100 any eq www (hitcnt=7)
access-list INSIDE; 3 elements                                        <-- This ACL defines what traffic is allowed to pass through the PIX Firewall
access-list INSIDE permit tcp any any eq www
access-list INSIDE permit tcp any any eq 443
access-list INSIDE deny ip any any
pixfirewall(config)# sh access-group                                  <-- This displays where the ACL is applied
access-group INSIDE in interface inside
pixfirewall(config)#
pixfirewall(config)# show aaa                                         <-- This shows the ACL ACS applied in the authentication statement
aaa authentication match ACS inside MYTACACS
pixfirewall(config)#

Step 2.

With the configuration in place on the firewall, you now configure the ACS_CA to view the PIX Firewall as an AAA client. By now you should be pretty comfortable adding AAA clients. Remember that you are using the Terminal Access Controller Access Control System Plus (TACACS+) protocol here.

Step 3.

Next, configure the ACS_CA with the proxy distribution information. For this example, you use the @ symbol as the delimiting character, and you perform stripping. Start by selecting Network Configuration.

Step 4.

You need to add the ACS in New York as an AAA server to be able to use it in the Proxy Distribution Table. Select the NDG that you want to work with.

Step 5.

Select the Add Entry button underneath the AAA Servers table. You can refer to Figure 9-9 to see where this button is. As you can see in Figure 9-9, this configuration is taking place in the Not Assigned NDG.

Figure 9-9. Network Configuration


Step 6.

Enter the name of the AAA server in New York.

Step 7.

Enter the IP address of the AAA server.

Step 8.

Enter the key to be used.

Step 9.

Select Submit + Restart.

Step 10.

Next, you use that server in the Proxy Distribution Table to forward authentication requests. Start by selecting the Add Entry button underneath the Proxy Distribution Table. For reference, refer to Figure 9-10. This is not in the Not Assigned NDG.

Figure 9-10. Configuring the Proxy Distribution Table


Step 11.

Enter the character string.

Step 12.

Using the drop-down arrow, select the position. In this example, you use suffix.

Step 13.

Select Yes in the Strip drop-down list.

Step 14.

Select the ACS that you want to forward to, in this case ACS_NY, and click the right arrow button to move this server from the AAA server box on the left to the Forward To box on the right.

Step 15.

Select Submit + Restart.

You can see this configuration in Figure 9-11. In this situation, the user needs to know that when authenticating while out of town, he or she must include the suffix @NY in the username. If the suffix is not included, the authentication fails.

Figure 9-11. Proxy Distribution Table Parameters


At this point, you would assume that you are done; however, you still have not configured the ACS New York. If you look at this scenario from the perspective of the ACS in New York, when it receives an authentication request from California, it is coming from the ACS_CA and not the pixCA. Therefore, you need to add ACS_CA as an AAA client in the ACS New York. By now, you should be comfortable adding AAA clients to ACS. The configuration is no different than it is with any other AAA client, even though the AAA client, ACS_CA, is an AAA server.

After it is added, you are able to authenticate, and you have just configured a Proxy Distribution Table. Now, you can add more than one server to the table, change the order that ACS proxies, and create a more distributed network.


Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173