Configuring Authentication Proxy


Obviously, given the way authentication proxy operates, you need to apply authentication proxy to the correct interface or interfaces to intercept traffic. Further, because authentication proxy dynamically creates ACL entries, you can have extremely strict ACLs on interfaces that will be overridden when a user successfully authenticates.

In the next several sections, we walk you through the necessary configurations for a successful authentication proxy implementation. Please remember that you must configure the IOS Firewall and an AAA server to use authentication proxy.

Enabling Authentication Proxy on CSACS

The first step to configuring the Cisco AAA server, CSACS, is to define groups and the users who will be members of those groups. The group and user concept is the same as it is for a server environment. Groups are defined based on departments or functions, such as the finance department or an operator function. Then, you define users who are members of these groups, and the users inherit the group policy that you configured. Figure 7.1 shows how to configure CSACS for authentication proxy.

Figure 7.1. Configuring CSACS for authentication proxy.


After you define users and groups, you must enable the CSACS server to perform authentication proxy services. Doing so is easy. First, click the Interface Configuration icon in the CSACS browser window. Select the Group or the User for which you want to perform authentication proxy. Then, select TACACS+ (Cisco IOS) by clicking that item. Scroll down, and under the New Services section, click the check box to enable a new service. In the Service field, type auth-proxy. Finally, click Submit, Restart when finished.

Figure 7.2 shows how to modify groups on CSACS to implement authentication proxy.

Figure 7.2. Configuring CSACS groups for authentication proxy.



You enable authentication proxy services on the CSACS server by enabling a new service and entering the new service name. For authentication proxy, the new service name is auth-proxy.


Creating a User Authentication Profile

After you enable the authentication proxy service on CSACS, you need to define the privileges that the group will have. First, click on the Group Setup icon in the CSACS browser window and select a group. Second, scroll down in the browser window for the specific group that you are creating or editing and enable authentication proxy by checking the box for the auth-proxy service. Third, select the check box for Custom Attributes and enter the group's resource privileges in the Custom Attributes field.

The entries in the Custom Attributes field are similar to ACL entries in that you can specify protocols, host IP addresses, network addresses, and port numbers. However, the format of the ACE is somewhat different from a router's ACE.

If you want to allow the IT group, for example, to use HTTP services, Telnet services, and Trivial File Transfer Protocol (TFTP) services, you configure the ACEs like this in the Custom Attributes field:

 proxyacl#1=permit tcp any host 30.100.1.253 eq 80
 proxyacl#2=permit tcp any 30.200.0.0 0.0.255.255 eq 23
 priv-lvl=15

Figure 7.3 shows how to configure authentication proxy rules on CSACS.

Figure 7.3. Configuring authentication proxy rules on CSACS.


This code shows just an example of possible ACEs.


Only permit proxyacl entries are allowed.



You must set the privilege level to 15 for all users by using the command priv-lvl=15.



You must use the keyword any for the source IP address. The IOS Firewall router will replace the any keyword for the source IP address in the proxyacl entry with the actual source IP address of the authenticated user when the router creates the dynamic ACEs.


Finally, once you finish entering the proxyacl entries, click the Submit + Restart icon so the new configuration can take effect.
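As an added example (not from the book or CSACS itself), the following Python applies the three rules just listed to a Custom Attributes field and builds the dynamic ACEs the IOS Firewall would install once a user authenticates, replacing the any source with the user's address as described above. The sample attributes are the IT group entries shown earlier; the user address 10.1.1.5 is a constructed value.

```python
import ipaddress
import re

# Constructed sample of a CSACS Custom Attributes field (the IT group entries above).
SAMPLE_ATTRIBUTES = [
    "proxyacl#1=permit tcp any host 30.100.1.253 eq 80",
    "proxyacl#2=permit tcp any 30.200.0.0 0.0.255.255 eq 23",
    "priv-lvl=15",
]

ACE_RE = re.compile(r"^proxyacl#(\d+)=(permit|deny)\s+(\S+)\s+(\S+)\s+(.+)$")

def validate_attributes(lines):
    """Apply the CSACS rules from the text: only permit entries, the source
    must be the keyword any, and priv-lvl=15 must be present. Returns parsed ACEs."""
    aces, priv = [], None
    for raw in lines:
        line = raw.strip()
        if line.startswith("priv-lvl="):
            priv = int(line.split("=", 1)[1])
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised attribute: {line}")
        num, action, proto, src, rest = m.groups()
        if action != "permit":
            raise ValueError(f"proxyacl#{num}: only permit entries are allowed")
        if src != "any":
            raise ValueError(f"proxyacl#{num}: source must be the keyword any")
        aces.append((int(num), proto, rest))
    if priv != 15:
        raise ValueError("priv-lvl=15 is required for auth-proxy users")
    return aces

def problems(lines):
    """Return the first validation error as a string, or None when the field is valid."""
    try:
        validate_attributes(lines)
    except ValueError as exc:
        return str(exc)
    return None

def dynamic_aces(lines, user_ip):
    """Build the dynamic ACEs the IOS Firewall adds once user_ip authenticates:
    the any source becomes 'host <user_ip>', in proxyacl number order."""
    ip = ipaddress.ip_address(user_ip)  # rejects malformed addresses
    return [f"permit {proto} host {ip} {rest}"
            for _num, proto, rest in sorted(validate_attributes(lines))]
```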

Configuring IOS Routers for Authentication Proxy

You need to implement a number of configurations for the IOS Firewall to have authentication proxy enabled. You need to configure AAA authentication, AAA authorization, and an AAA server and AAA server key; enable the router's HTTP server; and apply authentication proxy to appropriate interfaces.

Enabling Authentication Proxy

Your very first step to enabling authentication proxy should be to enable the AAA daemon on the router. If you do not enable the AAA daemon, you will not be able to configure any AAA services.

The command to enable the AAA daemon is easy:

 
 Router(config)# aaa new-model 

Figure 7.4 shows how to start AAA services on the router.

Figure 7.4. Starting the AAA daemon.



The AAA daemon is disabled by default.


Configuring AAA Server for Authentication Proxy

After the AAA daemon is enabled, you must define the protocol or protocols that you will be using with authentication proxy. The protocols can be TACACS+ or RADIUS. You can enable either TACACS+ or RADIUS, or you can enable both TACACS+ and RADIUS.

The syntax to enable AAA authentication for authentication proxy is

 Router(config)# aaa authentication login default group method1 method2

Here is an example:

 
 Router(config)# aaa authentication login default group tacacs+ group radius local 

Figure 7.5 shows how to enable AAA authentication for authentication proxy.

Figure 7.5. Enabling AAA authentication for authentication proxy on the router.


With this example, the router tries the TACACS+ server first, and if the TACACS+ server is unavailable, the router tries the RADIUS server. The trailing local keyword makes the router fall back to its local user database if neither server responds.

After the authentication methods are configured, you need to configure AAA authorization for authentication proxy.

The syntax to enable AAA authorization for authentication proxy is

 Router(config)# aaa authorization auth-proxy default group method1 method2

Here is an example:

 
 Router(config)# aaa authorization auth-proxy default group tacacs+ group radius 

Figure 7.6 shows how a Cisco router is configured for authorization.

Figure 7.6. Configuring a Cisco router for authorization.


Once again, the router tries the TACACS+ server first, and if the TACACS+ server is unavailable because it is offline or can't be contacted, the router tries the RADIUS server.

Connectivity from AAA Server to IOS Router

You must define the AAA server on the router along with an associated encryption key that the router will use to communicate with the AAA server. If you want to use both TACACS+ and RADIUS with authentication proxy, you must define both protocols.

Here is the syntax and examples that define a TACACS+ server:

 Router(config)# tacacs-server host ip_address
 Router(config)# tacacs-server host 30.1.1.20
 Router(config)# tacacs-server key string
 Router(config)# tacacs-server key examcramrulz1

Here is the syntax and examples that define a RADIUS server:

 Router(config)# radius-server host ip_address
 Router(config)# radius-server host 30.1.1.20
 Router(config)# radius-server key string
 Router(config)# radius-server key examcramrulz1

Figure 7.7 shows how you configure a Cisco router to use a TACACS+ and RADIUS server.

Figure 7.7. Configuring a Cisco router to use TACACS+ and RADIUS for AAA.


Notice that the CSACS server can be running both TACACS+ and RADIUS simultaneously on the same box.


It is extremely important that the key configured on the router exactly matches the key configured on the AAA server. If the keys are different, your router will not be able to talk to the AAA server, and the AAA server will not be able to talk to the router.



You can configure both the TACACS+ server and key and the RADIUS server and key on a single line instead of using two lines for each protocol.

Here is an example for TACACS+ using one line:

 
 Router(config)# tacacs-server host 30.1.1.20 key examcramrulz1 


You must ensure that any existing access lists you have configured permit, rather than block, the TACACS+ protocol, the RADIUS protocol, or both, depending on which you use.


Enabling the HTTP Server on the IOS Router

There are two steps to enabling the router's HTTP server for use with authentication proxy. First, you must enable the HTTP server because it is disabled by default. Second, you must configure the HTTP server to use the AAA server for authentication.

Use the following command to enable the router's HTTP server:

 
 Router(config)# ip http server 

To enable the HTTP server to use the AAA server, use the following command:

 
 Router(config)# ip http authentication aaa 

Figure 7.8 shows how you configure a Cisco router for HTTP authentication using AAA.

Figure 7.8. Configuring a Cisco router for HTTP authentication using AAA.


Configuring the Default Idle Timeout for Authentication Proxy

You can tune the authentication proxy idle timeout value if you choose. The authentication proxy idle timeout value controls the length of time the router will maintain a user's dynamic ACL entries on an interface if the router has not seen any traffic from a specific user. The idle timer also determines the length of time the router will maintain authentication proxy cache entries.

The syntax to set the authentication proxy idle timeout value is

 Router(config)# ip auth-proxy auth-cache-time minutes

Here is an example that sets the idle timeout value to 30 minutes:

 
 Router(config)# ip auth-proxy auth-cache-time 30 

Figure 7.9 shows how you configure a router for the auth-cache timeout value.

Figure 7.9. Configuring a Cisco router for the auth-cache timeout value.



The default authentication proxy idle timeout value is 60 minutes.



It is important to configure the authentication proxy idle timeout to a value that is higher than the CBAC idle timeout value if you are using CBAC. If you set the authentication proxy idle timeout to a value that is less than the CBAC idle timeout value, idle connections might hang.
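To close the router-side procedure, here is an added Python checker (not from the book) that reads a running-config excerpt and reports which of the steps in this section are missing, and whether the authentication proxy idle timeout is higher than the CBAC idle timeout. It assumes the relevant CBAC timer is ip inspect tcp idle-time (in seconds), and the config text is constructed from the commands shown above.

```python
import re

# Constructed running-config excerpt assembled from the commands in this
# section (not a capture from a real router). CBAC idle time is in seconds.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ group radius local
aaa authorization auth-proxy default group tacacs+ group radius
tacacs-server host 30.1.1.20 key examcramrulz1
radius-server host 30.1.1.20 key examcramrulz1
ip http server
ip http authentication aaa
ip auth-proxy auth-cache-time 30
ip inspect tcp idle-time 3600
"""

# Each required step from this section, as a regex over one config line.
REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "aaa authentication login": r"^aaa authentication login default ",
    "aaa authorization auth-proxy": r"^aaa authorization auth-proxy default ",
    "AAA server key": r"^(tacacs|radius)-server (host \S+ key \S+|key \S+)$",
    "ip http server": r"^ip http server$",
    "ip http authentication aaa": r"^ip http authentication aaa$",
}

def check_config(text):
    """Return a list of findings; an empty list means every step is present."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []
    for name, pat in REQUIRED.items():
        if not any(re.match(pat, l) for l in lines):
            findings.append(f"missing: {name}")
    cache_min = 60      # default auth-proxy idle timeout when the command is absent
    inspect_sec = None  # CBAC TCP idle time (seconds); assumed to be the timer that matters
    for l in lines:
        m = re.match(r"^ip auth-proxy auth-cache-time (\d+)$", l)
        if m:
            cache_min = int(m.group(1))
        m = re.match(r"^ip inspect tcp idle-time (\d+)$", l)
        if m:
            inspect_sec = int(m.group(1))
    if inspect_sec is not None and cache_min * 60 <= inspect_sec:
        findings.append(f"auth-proxy idle timeout ({cache_min} min) is not higher "
                        f"than CBAC idle timeout ({inspect_sec} s)")
    return findings
```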




CCSP SECUR Exam Cram 2
CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
