Case Studies

So far we have seen how CBAC with ACLs can filter traffic based on IP addresses and port numbers. This section looks into a feature of IOS Firewall called auth-proxy that allows you to control traffic based on the user name. This feature allows security administrators to apply specific security policies on a per-user basis. Users are authenticated and authorized according to their profiles on a Terminal Access Controller Access Control System (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) server.

How auth-proxy Works

Before getting into the details of the troubleshooting steps of auth-proxy, you must first understand how auth-proxy works. Figure 5-6 illustrates the mechanics of auth-proxy.

Figure 5-6. Auth-proxy Operation

The following sequence describes the steps outlined in Figure 5-6:

1. The user initiates an HTTP (HTTPS/FTP/Telnet) connection going through the router. The router intercepts the request and starts auth-proxy. If the user has already been authenticated, the connection is completed with no further auth-proxy activity.

2. If there is no authentication info for this user, the user is prompted for a username and password.

3. If the authentication succeeds, the user's authorization profile is downloaded from the Authentication, Authorization, and Accounting (AAA) server. The profile contains an ACL, which the router then creates dynamically based on the source IP address of the client. This dynamic ACL is stored in hashed storage called the authorization cache.

4. In the final step, the auth-proxy router refreshes the client's HTML request for reload and directs it to the target URL.

Method of Authentication

User authentication for auth-proxy can be performed using one of four methods: HTTP, Secure HTTP (HTTPS), Telnet, or FTP. HTTPS support for auth-proxy was first introduced in IOS version 12.2(11)YU and was first integrated in version 12.2(15)T. FTP and Telnet support was introduced in IOS version 12.3(1). The mechanism of auth-proxy is the same regardless of the authentication method used. For HTTP, Telnet, or FTP authentication, the username and password go in clear text from the client to the router. If you want to encrypt the packets, you need to configure HTTPS. Ensure that the Cisco IOS image supports crypto (*k9) to be able to configure HTTPS.

Supported Platform

Auth-proxy is supported on many Cisco router platforms. Among them are the Cisco 800 Series, Cisco 900 Series, Cisco 1700 Series, Cisco 2600 Series, Cisco 3600 Series, Cisco 3700 Series, Cisco 7100 Series, Cisco 7200 Series, Cisco 7500 Series, and Catalyst Series routers.

Configuration Steps

The following steps walk you through the configuration of auth-proxy:

Step 1.

Configure AAA (required) on the router:

    Router#show running-config
    aaa new-model
    aaa authentication login default tacacs+ | radius
    aaa authorization auth-proxy default tacacs+ | radius
    tacacs-server host hostname | ip-address
    tacacs-server key string
    radius-server host hostname | ip-address
    radius-server key string

Step 2.

Configure the user's profile on the TACACS+ or RADIUS server. The output that follows is a sample TACACS+ profile from Cisco Secure ACS for Unix. The same syntax maps to Cisco Secure ACS for Windows; it is shown in the Cisco Secure ACS Unix form because that form presents the syntax as plain text.

    default authorization = permit
    key = cisco
    user = newuser1 {
        login = cleartext cisco
        service = auth-proxy {
            priv-lvl=15
            proxyacl#1="permit tcp any any eq 26"
            proxyacl#2="permit icmp any host"
            proxyacl#3="permit tcp any any eq smtp"
            proxyacl#4="permit tcp any any eq telnet"
        }
    }

The RADIUS protocol has a similar profile:

    user = proxy {
        radius=Cisco {
            check_items= {
                2="proxy"
            }
            reply_attributes= {
                9,1="auth-proxy:priv-lvl=15"
                9,1="auth-proxy:proxyacl#1=permit icmp any any"
                9,1="auth-proxy:proxyacl#2=permit tcp any any"
                9,1="auth-proxy:proxyacl#3=permit udp any any"
            }
        }
    }
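As an added example (not from the book or Cisco), the following Python validates an auth-proxy profile of either form above and renders the dynamic, per-client ACL the router builds from it by substituting the authenticated client's address for the "any" source. The sample attribute values are constructed; the checks mirror the Table 5-5 failure rows for a missing priv-lvl 15 and a badly formatted proxyacl entry.

```python
import ipaddress
import re

# Constructed sample profile in the RADIUS cisco-avpair (9,1) form; the
# TACACS+ form (proxyacl#1="permit ...") is accepted by the same parser.
SAMPLE_AVPAIRS = [
    "auth-proxy:priv-lvl=15",
    "auth-proxy:proxyacl#1=permit icmp any any",
    "auth-proxy:proxyacl#2=permit tcp any any eq 80",
    "auth-proxy:proxyacl#3=permit udp any any",
]

# Source must be "any": the router substitutes the authenticated client's
# address when it builds the dynamic ACL. "eq port" only applies to tcp/udp.
ACE_RE = re.compile(
    r"^(permit|deny)\s+(ip|tcp|udp|icmp)\s+any\s+(any|host\s+\S+)(?:\s+eq\s+(\S+))?$"
)
KEY_RE = re.compile(r"^proxyacl#(\d+)$")


def build_dynamic_acl(avpairs, client_ip):
    """Validate an auth-proxy authorization profile and render the
    per-client ACL the router builds from it. Returns (acl, errors); a
    non-empty errors list corresponds to the failure rows of Table 5-5."""
    ipaddress.ip_address(client_ip)  # raises ValueError on a bad address
    acl, errors, priv15 = [], [], False
    for pair in avpairs:
        key, _, value = pair.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key.startswith("auth-proxy:"):
            key = key[len("auth-proxy:"):]
        if key == "priv-lvl":
            priv15 = value == "15"
            continue
        m = KEY_RE.match(key)
        if not m:
            errors.append(f"unrecognised attribute: {pair!r}")
            continue
        n = int(m.group(1))
        ace = ACE_RE.match(value)
        if not ace or (ace.group(4) and ace.group(2) not in ("tcp", "udp")):
            errors.append(f"proxyacl#{n} has invalid format: {value!r}")
            continue
        action, proto, dst, port = ace.groups()
        line = f"{action} {proto} host {client_ip} {dst}"
        acl.append(line + (f" eq {port}" if port else ""))
    if not priv15:
        errors.append("priv-lvl=15 not present: authorization is rejected")
    return acl, errors
```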

Step 3.

Configure the HTTP server (required):

    Router#show running-config
    ! Enables the HTTP server on the router.
    ip http server
    ! Sets authentication to follow AAA rules.
    ip http authentication aaa
    ! ACL to control access to the HTTP server.
    ip http access-class access-list-number

Step 4.

Configure the authentication proxy (required). First, you must turn on auth-proxy as follows:

    Router#show running-config
    ....
    ! Sets the proxy idle timeout, default 60 minutes.
    ip auth-proxy auth-cache-time min
    ! Displays the name of the firewall router in the authentication proxy login page.
    ip auth-proxy auth-proxy-banner
    ! Defines the auth-proxy rule. Only hosts matching the ACL will be intercepted.
    ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list std-access-list]
    ! Apply auth-proxy on the interface.
    interface type number
     ip auth-proxy auth-proxy-name

A complete configuration of auth-proxy is shown in Example 5-22.

Example 5-22. A Complete Auth-proxy Configuration on the Router

    Router#show running-config
    ! Removed irrelevant configuration for simplicity.
    !
    ! Define what needs to be authenticated.
    aaa authentication login default group radius none
    aaa authorization exec default group radius none
    aaa authorization auth-proxy default group radius
    ! The following line will set up the banner.
    ip auth-proxy auth-proxy-banner
    !
    ! Set ACL entries to time out after 10 minutes.
    ip auth-proxy auth-cache-time 10
    !
    ! Set the list name to be associated with the interface.
    ip auth-proxy name my_auth_proxy_list http
    ip audit notify log
    interface Ethernet0
     ip address
     ! Apply the access list to the interface.
     ip access-group 110 in
     ! Apply the auth-proxy list name.
     ip auth-proxy my_auth_proxy_list
    !
    ! Enable the HTTP server and authentication.
    ip http server
    ip http authentication aaa
    !
    ! This access list is used for auth-proxy. It's always a good
    ! idea to test auth-proxy with just a single host first, before applying it
    ! to all production traffic, to minimize the downtime. In the following
    ! access-list 110, host is denied access to anything but the router's
    ! interface Ethernet 0, whose ip address is . The rest of the traffic is
    ! allowed. This means only traffic from going through the router will be
    ! redirected to interface Ethernet 0, whose ip address is , and then
    ! intercepted and authenticated by auth-proxy.
    access-list 110 permit tcp host host eq www
    access-list 110 deny ip host any
    access-list 110 permit ip any any
    !
    ! The RADIUS server is defined by the following lines.
    radius-server host
    radius-server key cisco
    Router#

Now that you are comfortable with the auth-proxy configuration, you are ready to walk through a detailed description of auth-proxy troubleshooting as presented in the section that follows.

Troubleshooting auth-proxy

Troubleshooting auth-proxy is fairly simple. Most of the problems that arise with auth-proxy are caused by misconfiguration and lack of understanding. Take steps to resolve the following questions to troubleshoot any auth-proxy-related issues.

Step 1.

Are you sending HTTP/HTTPS/FTP/Telnet traffic across the router or to the interface?

Be sure you are sending initial traffic across the router, not to the router's directly connected interface towards the client. The first packet must be routed to another interface of the router for the router to trigger auth-proxy. If you do not see the User Name and Password prompt for the auth-proxy, you may be sending packets to the interface of the router instead of through the interface.

Step 2.

Do you get the authentication prompt?

If you are sending the initial packets across the router and still don't get the authentication prompt, be sure you have applied the auth-proxy under the interface.

Step 3.

Is the inbound interface ACL allowing the first authentication packet to reach the interface?

You must define an inbound ACL on the interface facing the client so that it denies all the traffic that you want to authenticate. However, the client's HTTP/HTTPS/FTP/Telnet traffic must be permitted to the interface itself. Even though the client attempts a connection across the router, that connection is redirected by the router to the interface where auth-proxy is configured. Hence, the ACL applied on the interface where the auth-proxy name is applied should allow HTTP, HTTPS, Telnet, or FTP traffic from the auth-proxy client to the interface IP address. Otherwise, the connection request by the auth-proxy client across the router will be dropped by the ACL before auth-proxy is triggered. After the user is authenticated and authorized, the downloadable ACL from the AAA server decides which connections across the router are allowed or denied.
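As an added example (not from the book or Cisco), the following Python models the check in Step 3 against an inbound ACL written like access-list 110 in Example 5-22: it evaluates the client's first packet, redirected to the router's interface address, with first-match semantics and the implicit deny, so a missing permit (for instance for HTTPS on port 443) shows up as a failure to trigger auth-proxy. The ACL text and the client and interface addresses are constructed for the example.

```python
import re

# Constructed inbound interface ACL modelled on access-list 110 in Example
# 5-22; assumed addresses: client 10.1.1.5, router interface 10.1.1.1.
SAMPLE_ACL = """
access-list 110 permit tcp host 10.1.1.5 host 10.1.1.1 eq www
access-list 110 deny ip host 10.1.1.5 any
access-list 110 permit ip any any
"""

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25}
ACE_RE = re.compile(
    r"^access-list\s+\d+\s+(permit|deny)\s+(ip|tcp|udp|icmp)\s+"
    r"(any|host\s+\S+)\s+(any|host\s+\S+)(?:\s+eq\s+(\S+))?$"
)


def parse_acl(text):
    """Parse numbered extended ACEs into (action, proto, src, dst, port)."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, src, dst, port = m.groups()
        port = int(PORT_NAMES.get(port, port)) if port else None
        aces.append((action, proto, src.split()[-1], dst.split()[-1], port))
    return aces


def acl_action(aces, proto, src, dst, dport=None):
    """First-match evaluation, with the implicit deny at the end."""
    for action, p, s, d, port in aces:
        if p != "ip" and p != proto:
            continue
        if (s != "any" and s != src) or (d != "any" and d != dst):
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"


def first_packet_reaches_auth_proxy(aces, client, iface_ip, port=80):
    """Step 3 check: the client's first HTTP/HTTPS/FTP/Telnet packet, which
    the router redirects to its own interface address, must be permitted
    by the inbound ACL or auth-proxy is never triggered."""
    return acl_action(aces, "tcp", client, iface_ip, port) == "permit"
```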

Step 4.

If Steps 1-3 are verified and you get the authentication prompt, but authentication fails, the problem is with authentication and/or authorization (refer to Chapter 9, "Troubleshooting AAA on IOS Routers"). If you run debug aaa authentication, debug aaa authorization, and debug radius or debug tacacs, and you are having AAA issues, Table 5-5 will help in identifying the cause of the problem.

Table 5-5. Messages Returned by AAA debug Commands for User Authentication Failure

Protocols Used | Messages shown with AAA debug | Reasons for Failure | What the User Sees
--- | --- | --- | ---
 | AAA/AUTHEN (1587177845): status = ERROR | RADIUS/TACACS+ server is unreachable | 500 Internal Server Error
 | Access-Reject & status = FAIL | Wrong username/password | Authentication Failed
 | AUTHEN status = FAIL & status=FAIL | Wrong username/password | Authentication Failed
 | received author response status = FAIL & Post authorization status = FAIL | Successful authentication but authorization fails | Authentication Failed
 | Debug shows the ACL is downloaded but not applied due to bad format | ACL returned in invalid format | Authentication successful but user unable to pass traffic
 | | Priv-lvl 15 is not downloaded | Authentication Failed

If implemented appropriately, auth-proxy along with CBAC can be a very powerful firewall tool for your network security. The section that follows discusses some of the common questions and confusions regarding CBAC.

Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
Year: 2006
Pages: 190
Authors: Mynul Hoda