Authentication Proxy
Problem
You want the router to separately authenticate and authorize individual users as they access restricted resources.
Solution
To enable an IOS-based authentication proxy, use the following commands:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#aaa new-model Router1(config)#aaa authorization auth-proxy default local Router1(config)#ip auth-proxy auth-proxy-banner http Router1(config)#ip auth-proxy name HTTPPROXY http Router1(config)#ip admission auth-proxy-banner http Router1(config)#interface FastEthernet0/0 Router1(config-if)#ip auth-proxy HTTPPROXY Router1(config-if)#ip http server Router1(config)#ip http authentication local Router1(config)#end Router1#
Discussion
Cisco authentication proxy is an intercepting proxy that requires users to authenticate before being allowed to access resources behind the proxy. Because it operates as an intercepting proxy, it means that placement of the router is vital, since it can only authenticate sessions that transverse the router. Generally, this means that the proxy must be placed at a network choke point, such as the link to the Internet, for instance.
Since Cisco authentication proxy is designed to act as an intercepting proxy, there is no need for end users to configure their browsers to point to the proxy server. The router will automatically intercept all sessions and force the end users to authenticate before they can access resources behind the proxy. The first time a user attempts to access a web site the router will present them with an authentication screen. After the user submits his correct username and password then he is free to surf as normal.
General uses for authentication proxies are Internet cafes, public wireless access providers, and organizations that wish to control access to the Internet. In all instances, users will be forced to authenticate before they'll be allowed to surf beyond the proxy. This allows an organization to tightly control network access. In addition, authentication proxies can be used to secure Intranet servers that don't have the capability to enforce authentication themselves.
To view the current proxy cache, use the following show command:
Router1#show ip auth-proxy cache Authentication Proxy Cache Client Name ijbrown, Client IP 172.25.1.52, Port 4224, timeout 60, Time Remaining 53, state ESTAB Router1#
In this example, we can see that one user, ijbrown, has been authenticated successfully and is currently active. We can also see that the default inactivity timer is set to 60 minutes, and that our user currently has 53 minutes remaining until he'll be forced to authenticate again.
To manually force all users to authenticate again, use the following clear command:
Router1#clear ip auth-proxy cache * Router1#
You can view the authentication proxy's configuration by using the following show command:
Router1#show ip auth-proxy configuration Authentication global cache time is 60 minutes Authentication global absolute time is 0 minutes Authentication Proxy Watch-list is disabled Authentication Proxy Rule Configuration Auth-proxy name HTTPPROXY http list not specified inactivity-timer 60 minutes Router1#
For our example, we used local authentication, which is sufficient for a small company or installation; however, for larger organizations you can also configure the authentication server to use either RADIUS or TACACS to authenticate users.
To configure an authentication proxy server with TACACS support, use the following set of commands:
Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#aaa new-model Router1(config)#aaa authorization auth-proxy default group tacacs Router1(config)#tacacs-server host 172.25.5.5 Router1(config)#tacacs-server key cisco Router1(config)#ip http server Router1(config)#ip http authentication aaa Router1(config)#ip auth-proxy name TESTPROXY http Router1(config)#interface FastEthernet0/0 Router1(config-if)#ip auth-proxy TESTPROXY Router1(config-if)#end Router1#
In this example, authentication will be performed by the TACACS server. Please see Chapter 4 for more information on TACACS.
See Also
Chapter 4