Defining Authentication Proxy


Included with the IOS Firewall, authentication proxy is a very interesting service that runs on IOS routers. In the most basic terms, authentication proxy authenticates users and, after authentication, determines which resources a user is allowed to access. The key to understanding authentication proxy is that the IOS router communicates with a TACACS+ or RADIUS server to retrieve the user information; it is on the TACACS+ or RADIUS server that you configure and define users along with the privileges associated with those users.

Authentication proxy uses HTTP to authenticate users. Authentication proxy is HTTP-based authentication.


Features

Authentication proxy can be applied to any interface, and on an interface where it is applied it provides services for both inbound and outbound traffic. Note that authentication proxy works only on the interfaces to which it is applied. AAA accounting is not supported with authentication proxy; however, AAA authentication and authorization are supported.

Authentication proxy can be run in conjunction (and therefore is compatible) with other Cisco router services such as context-based access control (CBAC), IP Security (IPSec), and network address translation (NAT).

The key to authentication proxy is that it is dynamic, per-user authentication and authorization using either a TACACS+ server or a RADIUS server.


How Does Authentication Proxy Work?

Authentication proxy is activated when a user initiates an HTTP session (sends traffic) that goes through the IOS Firewall. First, the IOS Firewall's authentication proxy service intercepts the user's traffic and temporarily prevents it from reaching its ultimate destination, holding the session while authentication and authorization take place.

Second, after the session is suspended, the authentication proxy service sends a packet back to the user. The user receives an HTTP page prompting for authentication credentials in the form of a username and password. The user clicks OK to send the credentials back to the IOS Firewall.

Third, the IOS Firewall sends the user's authentication credentials to an AAA TACACS+ or AAA RADIUS server. The AAA server checks the user's username and password against the credentials that are configured on the AAA server itself, or it uses an external database that houses the user's credentials.

If the AAA server authentication check is successful based on the user's supplied username and password, the AAA server sends a packet back to the IOS Firewall. The information sent from the AAA server to the IOS Firewall contains the specific user's authorization profile if authentication was successful. The user's authorization profile contains a list of rights that the user has.

If authentication fails, the router prompts the user with multiple retries. If the user fails to authenticate after five attempts, the user must wait 2 minutes before attempting to authenticate again. This way, authentication proxy protects against brute-force attacks.

The AAA server sends a packet back to the router whether or not authentication succeeds and whether or not authorization succeeds. A response is always sent to the router.

The authorization that is downloaded by the IOS Firewall is then used to dynamically create access control list (ACL) entries to allow specific user traffic. The dynamic ACL entries are applied to inbound traffic on the source interface from which the user's traffic initiated and also to outbound traffic to the exit interface for the user's traffic.

Finally, an HTTP pop-up window on the user's PC indicates whether the user has successfully authenticated. The user's browser is refreshed with the URL of its original, intended destination, and the traffic is allowed to flow if it is allowed by the dynamic ACLs.
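The following configuration is an added example, not from the book, that ties the features and the order of operation above to the actual router and AAA-server settings. The interface names, addresses, user name, and TACACS+ key are placeholders chosen for illustration. The first part is the IOS router configuration; the second part is the matching per-user auth-proxy profile as it would be written on a TACACS+ server, which is where the privileges that become the dynamic ACL entries are defined.

```cisco
! --- IOS router (placeholder addresses and key) ---
aaa new-model
! Authentication and authorization go to the TACACS+ server. No accounting
! line is configured because authentication proxy does not support it.
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER-KEY
!
! The router's own HTTP server presents the login page; it must use AAA so
! the submitted username and password are forwarded to the TACACS+ server.
ip http server
ip http authentication aaa
!
! Auth-proxy rule for HTTP. Downloaded per-user entries are removed after
! 60 minutes of inactivity (global cache timeout, in minutes).
ip auth-proxy auth-cache-time 60
ip auth-proxy name INSIDE-USERS http
!
! Static inbound ACL on the user-facing interface. Before a user
! authenticates, only traffic to the router's HTTP server is allowed, so the
! login page can be served; everything else is intercepted/denied. The proxy
! inserts each authenticated user's downloaded entries ahead of these lines.
access-list 110 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq www
access-list 110 deny   ip any any
!
interface FastEthernet0/0
 description inside (user) interface
 ip address 10.1.1.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy INSIDE-USERS
!
! --- TACACS+ server: per-user auth-proxy profile (tac_plus-style syntax) ---
! priv-lvl 15 is required for the auth-proxy service. Each proxyacl#n entry
! becomes one dynamic ACL entry on the router; the source must be written as
! "any" because the router substitutes the authenticated user's IP address.
! user = alice {
!     login = cleartext "PLACEHOLDER-PASSWORD"
!     service = auth-proxy {
!         priv-lvl = 15
!         proxyacl#1 = "permit tcp any any eq 80"
!         proxyacl#2 = "permit tcp any any eq 443"
!     }
! }
```

To confirm the order of operation on a lab router, `show ip auth-proxy configuration` displays the rule and cache timeout, and `show ip auth-proxy cache` lists the users that have authenticated together with the source address each set of dynamic entries was created for; an entry appears there only after the AAA server has returned a successful authentication and the authorization profile, matching the sequence described above.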

Know the order of operation for authentication proxy.




CCSP SECUR Exam Cram 2 (642-501)
Author: Raman Sud
Year: 2003
ISBN: B000MU86IQ
Pages: 291
