Obviously, given the way authentication proxy operates, you need to apply authentication proxy to the correct interface or interfaces to intercept traffic. Further, because authentication proxy dynamically creates ACL entries, you can have extremely strict ACLs on interfaces that will be overridden when a user successfully authenticates. In the next several sections, we walk you through the necessary configurations for a successful authentication proxy implementation. Please remember that you must configure the IOS Firewall and an AAA server to use authentication proxy.

Enabling Authentication Proxy on CSACS

The first step to configuring the Cisco AAA server, CSACS, is to define groups and the users who will be members of those groups. The group and user concept is the same as it is for a server environment. Groups are defined based on departments or functions, such as the finance department or an operator function. Then, you define users who are members of these groups, and the users inherit the group policy that you configured. Figure 7.1 shows how to configure CSACS for authentication proxy.

Figure 7.1. Configuring CSACS for authentication proxy.
After you define users and groups, you must enable the CSACS server to perform authentication proxy services. Doing so is easy. First, click the Interface Configuration icon in the CSACS browser window. Select the Group or the User for which you want to perform authentication proxy. Then, select TACACS+ (Cisco IOS) by clicking that item. Scroll down, and under the New Services section, click the check box to enable a new service. In the Service field, type auth-proxy. Finally, click Submit + Restart when finished. Figure 7.2 shows how to modify groups on CSACS to implement authentication proxy.

Figure 7.2. Configuring CSACS groups for authentication proxy.
Creating a User Authentication Profile

After you enable the authentication proxy service on CSACS, you need to define the privileges that the group will have. First, click on the Group Setup icon in the CSACS browser window and select a group. Second, scroll down in the browser window for the specific group that you are creating or editing and enable authentication proxy by checking the box for the auth-proxy service. Third, select the check box for Custom Attributes and enter the group's resource privileges in the Custom Attributes field. The entries in the Custom Attributes field are similar to ACL entries in that you can specify protocols, host IP addresses, network addresses, and port numbers. However, the format of the ACE is somewhat different from a router's ACE. If you want to allow the IT group, for example, to use HTTP services, Telnet services, and Trivial File Transfer Protocol (TFTP) services, you configure the ACEs like this in the Custom Attributes field:

    proxyacl#1=permit tcp any host 30.100.1.253 eq 80
    proxyacl#2=permit tcp any 30.200.0.0 0.0.255.255 eq 23
    priv-lvl=15

Figure 7.3 shows how to configure authentication proxy rules on CSACS.

Figure 7.3. Configuring authentication proxy rules on CSACS.
This code shows just an example of possible ACEs.
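To make the difference between a CSACS proxyacl entry and a router ACE concrete, here is an added checker (example code written for this discussion, not part of the book or of CSACS). It parses a Custom Attributes block, enforces the profile requirements (priv-lvl=15, contiguous proxyacl#1..N numbering, permit-only entries with a source of any), and shows the dynamic ACEs the router derives for an authenticated host by substituting that host's address for the any source. The IT group block and the host address 10.1.1.5 are constructed sample values.

```python
import re

# Constructed sample of the IT group's Custom Attributes block as typed into
# the CSACS Group Setup page (addresses are illustrative, not real).
IT_GROUP_ATTRS = """\
proxyacl#1=permit tcp any host 30.100.1.253 eq 80
proxyacl#2=permit tcp any 30.200.0.0 0.0.255.255 eq 23
priv-lvl=15
"""

# proxyacl#<n>=<action> <proto> <src> <rest>; the source field is captured
# separately because the router substitutes the authenticated host's address.
ACE_RE = re.compile(r"^proxyacl#(\d+)=(\w+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_custom_attributes(text):
    """Return ([(n, action, proto, src, rest), ...], priv_lvl or None)."""
    aces, priv_lvl = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("priv-lvl="):
            priv_lvl = line.split("=", 1)[1]
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unrecognised attribute: " + line)
        n, action, proto, src, rest = m.groups()
        aces.append((int(n), action, proto, src, rest))
    return aces, priv_lvl


def validate_profile(text):
    """Return a list of problems; an empty list means the profile is usable."""
    aces, priv_lvl = parse_custom_attributes(text)
    problems = []
    if priv_lvl != "15":
        problems.append("priv-lvl=15 is required for auth-proxy")
    if [n for n, *_ in aces] != list(range(1, len(aces) + 1)):
        problems.append("proxyacl entries must be numbered 1..N without gaps")
    for n, action, _proto, src, _rest in aces:
        if action != "permit":
            problems.append(f"proxyacl#{n}: only permit entries are allowed")
        if src != "any":
            problems.append(f"proxyacl#{n}: source must be 'any'")
    return problems


def dynamic_aces(text, host_ip):
    """ACEs the router installs once host_ip authenticates: 'any' -> the host."""
    aces, _ = parse_custom_attributes(text)
    return [f"{action} {proto} host {host_ip} {rest}"
            for _n, action, proto, _src, rest in sorted(aces)]
```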
Finally, once you finish entering the proxyacl entries, click the Submit + Restart icon so the new configuration can take effect.

Configuring IOS Routers for Authentication Proxy

You need to implement a number of configurations for the IOS Firewall to have authentication proxy enabled. You need to configure AAA authentication, AAA authorization, and an AAA server and AAA server key; enable the router's HTTP server; and apply authentication proxy to appropriate interfaces.

Enabling Authentication Proxy

Your very first step to enabling authentication proxy should be to enable the AAA daemon on the router. If you do not enable the AAA daemon, you will not be able to configure any AAA services. The command to enable the AAA daemon is easy:

    Router(config)# aaa new-model

Figure 7.4 shows how to start AAA services on the router.

Figure 7.4. Starting the AAA daemon.
Configuring AAA Server for Authentication Proxy

After the AAA daemon is enabled, you must define the protocol or protocols that you will be using with authentication proxy. The protocols can be TACACS+ or RADIUS. You can enable either TACACS+ or RADIUS, or you can enable both TACACS+ and RADIUS. The syntax to enable AAA authentication for authentication proxy is

    Router(config)# aaa authentication login default group method1 method2

Here is an example:

    Router(config)# aaa authentication login default group tacacs+ group radius local

Figure 7.5 shows how to enable AAA authentication for authentication proxy.

Figure 7.5. Enabling AAA authentication for authentication proxy on the router.
With this example, the router tries the TACACS+ server first, and if the TACACS+ server is unavailable, the router tries the RADIUS server. After the authentication methods are configured, you need to configure AAA authorization for authentication proxy. The syntax to enable AAA authorization for authentication proxy is

    Router(config)# aaa authorization auth-proxy default group method1 method2

Here is an example:

    Router(config)# aaa authorization auth-proxy default group tacacs+ group radius

Figure 7.6 shows how a Cisco router is configured for authorization.

Figure 7.6. Configuring a Cisco router for authorization.
Once again, the router tries the TACACS+ server first, and if the TACACS+ server is unavailable because it is offline or can't be contacted, the router tries the RADIUS server.

Connectivity from AAA Server to IOS Router

You must define the AAA server on the router along with an associated encryption key that the router will use to communicate with the AAA server. If you want to use both TACACS+ and RADIUS with authentication proxy, you must define both protocols. Here are the syntax and examples that define a TACACS+ server:

    Router(config)# tacacs-server host ip_address
    Router(config)# tacacs-server host 30.1.1.20
    Router(config)# tacacs-server key string
    Router(config)# tacacs-server key examcramrulz1

Here are the syntax and examples that define a RADIUS server:

    Router(config)# radius-server host ip_address
    Router(config)# radius-server host 30.1.1.20
    Router(config)# radius-server key string
    Router(config)# radius-server key examcramrulz1

Figure 7.7 shows how you configure a Cisco router to use a TACACS+ and RADIUS server.

Figure 7.7. Configuring a Cisco router to use TACACS+ and RADIUS for AAA.
Notice that the CSACS server can be running both TACACS+ and RADIUS simultaneously on the same box.
Enabling the HTTP Server on the IOS Router

There are two steps to enabling the router's HTTP server for use with authentication proxy. First, you must enable the HTTP server because it is disabled by default. Second, you must configure the HTTP server to use the AAA server for authentication. Use the following command to enable the router's HTTP server:

    Router(config)# ip http server

To enable the HTTP server to use the AAA server, use the following command:

    Router(config)# ip http authentication aaa

Figure 7.8 shows how you configure a Cisco router for HTTP authentication using AAA.

Figure 7.8. Configuring a Cisco router for HTTP authentication using AAA.
Configuring the Default Idle Timeout for Authentication Proxy

You can tune the authentication proxy idle timeout value if you choose. The authentication proxy idle timeout value controls the length of time the router will maintain a user's dynamic ACL entries on an interface if the router has not seen any traffic from a specific user. The idle timer also determines the length of time the router will maintain authentication proxy cache entries. The syntax to set the authentication proxy idle timeout value is

    Router(config)# ip auth-proxy auth-cache-time minutes

Here is an example that sets the idle timeout value to 30 minutes:

    Router(config)# ip auth-proxy auth-cache-time 30

Figure 7.9 shows how you configure a router for the auth-cache timeout value.

Figure 7.9. Configuring a Cisco router for the auth-cache timeout value.