Configuring Authentication Proxy Rules


As stated previously, you must apply authentication proxy rules to at least one interface. To apply an authentication proxy rule, you must create a named rule. The syntax to create a named authentication proxy rule is

 Router(config)# ip auth-proxy name auth-proxy-name http

You can also override the global authentication proxy idle time by using this syntax:

 Router(config)# ip auth-proxy name auth-proxy-name http auth-cache-time minutes

Here is an example of creating an authentication proxy rule named TANKLIVES:

 Router(config)# ip auth-proxy name TANKLIVES http

The use of uppercase or lowercase characters is arbitrary. However, we like to use uppercase characters to easily distinguish user-defined names from commands and keywords.

You can also use ACLs with authentication proxy. When you use an ACL with authentication proxy, only the networks or hosts that the ACL specifies are required to authenticate. As the network administrator, you really don't want to have to authenticate, do you?

The syntax to create a named authentication proxy rule with an access list is

 Router(config)# ip auth-proxy name auth-proxy-name http list standard-acl-number

Here is an example of creating an authentication proxy rule named MORPHEUS with a standard IP access list that is numbered 28:

 Router(config)# ip auth-proxy name MORPHEUS http list 28

Figure 7.10 shows how you configure a Cisco router for authentication proxy using an ACL.

Figure 7.10. Configuring a Cisco router for authentication proxy using ACLs.

Alert: The permit entries in the IP access list indicate that the hosts or networks specified with the permit keyword must authenticate using authentication proxy. The deny keyword in an ACE indicates that those hosts or networks do not need to authenticate with authentication proxy.


Alert: Newer versions of IOS allow both standard and extended IP access lists, whether named or numbered, to be used with authentication proxy. However, the Cisco course curriculum for authentication proxy indicates that you can use only standard numbered IP access lists. If given a single-answer selection question, go with standard numbered IP access lists.
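The following is an added, end-to-end configuration that is not from the book: it ties together the AAA and HTTP-server prerequisites that authentication proxy depends on, access list 28 with one exempt host, the MORPHEUS rule from the example above, and the interface command that applies it. The addresses, interface name, TACACS+ server and key are assumed values chosen for illustration.

```cisco
! Constructed example configuration (not from the book). All addresses,
! the interface name and the TACACS+ server are placeholders.
!
! AAA: authentication proxy authenticates the user via the login method
! and then pulls the per-user ACL from the auth-proxy authorization list.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.0.0.5
tacacs-server key TACACS-KEY-PLACEHOLDER
!
! The HTTP server must be running and must use AAA, otherwise the router
! cannot intercept the user's HTTP session and present the login page.
ip http server
ip http authentication aaa
!
! Global idle timeout (minutes) for cached authentication entries.
ip auth-proxy auth-cache-time 60
!
! Standard ACL 28: permit = must authenticate, deny = exempt.
! The administrator's workstation is exempted; the rest of the LAN
! must authenticate. Order matters, so the deny comes first.
access-list 28 deny   10.1.1.10
access-list 28 permit 10.1.1.0 0.0.0.255
!
! Rule restricted to ACL 28 (the MORPHEUS example above).
ip auth-proxy name MORPHEUS http list 28
!
! A second rule that overrides the global cache time to 5 minutes
! for every host (no list), matching the TANKLIVES syntax above.
ip auth-proxy name TANKLIVES http auth-cache-time 5
!
! A rule does nothing until it is applied to at least one interface;
! only one rule can be applied per interface, so MORPHEUS is used here.
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip auth-proxy MORPHEUS
```

After applying the rule, `show ip auth-proxy cache` lists the hosts that have authenticated and the time left before each entry expires, which is the quickest way to confirm that the exempt host never appears and the others do.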




CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
