authentication proxy with vpn client question

Unanswered Question
Jun 5th, 2008

Hello,

I am trying to get http authentication proxy to work together with vpn client.

I think I might have misunderstood how it is supposed to work, because with my configuration, once the VPN tunnel is established, the user already has full access to all internal networks. I have tried to follow the examples in

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008017b2a4.shtml

(auth-proxy with vpn and firewall no NAT)

and

http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_configuration_example09186a008017ee15.shtml

(auth-proxy with vpn and firewall and NAT)

I am trying from a laptop on 172.16.2.1, connecting to the router interface on 172.16.1.234. The VPN clients get an IP address from the pool 172.18.4.0/24.

Access list 115 denies 172.16.2.1 and 172.18.4.0/24 explicitly, but once the VPN tunnel is up I can already ping the internal address 192.168.102.1. What am I getting wrong?

Here is my setup:

Laptop -- Router1 -- Router2 -- 182.169.102.1

aaa authentication login default group radius local
aaa authentication login CLIENTuserauthen group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network CLIENTgroupauthor local
aaa authorization auth-proxy default group radius
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CLIENTgroup
 key halodri
 dns 172.16.1.1 172.16.5.1
 wins 172.16.1.1 172.16.5.1
 domain lco.gtn
 pool CLIENTpool
crypto isakmp profile CLIENTprof
 match identity group CLIENTgroup
 client authentication list CLIENTuserauthen
 isakmp authorization list CLIENTgroupauthor
 client configuration address respond
!
crypto ipsec transform-set CLIENTset esp-3des esp-md5-hmac
!
crypto dynamic-map CLIENTdynmap 10
 set transform-set CLIENTset
 set isakmp-profile CLIENTprof
 reverse-route
!
crypto map VPNMAP 100 ipsec-isakmp dynamic CLIENTdynmap
!
! ACL 115, the auth-proxy rule and the crypto map all sit on the outside interface
interface GigabitEthernet0/0
 description Outside Interface
 ip address 172.16.1.234 255.255.255.0
 ip access-group 115 in
 ip nat outside
 ip auth-proxy auth_proxy_rule_http
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPNMAP
!
interface GigabitEthernet0/1
 ip address 192.168.25.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool CLIENTpool 172.18.4.1 172.18.4.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 172.16.0.0 255.255.255.0 GigabitEthernet0/1
ip route 172.16.2.0 255.255.255.0 172.16.1.201
ip route 192.168.101.0 255.255.255.0 GigabitEthernet0/1
ip route 192.168.102.0 255.255.255.0 GigabitEthernet0/1
!
! The HTTP server must be enabled for auth-proxy to intercept, but ACL 10 blocks access to the server itself
ip http server
ip http access-class 10
ip http authentication aaa
ip http secure-server
!
logging trap debugging
logging facility local3
logging 192.168.102.1
!
access-list 10 remark http server needed by auth-proxy, but we deny access to http server itself
access-list 10 deny any
access-list 105 remark -- end route-map nonat list
access-list 115 remark --- block certain hosts for auth-proxy testing ---
access-list 115 permit esp any any log-input
access-list 115 permit udp any any eq isakmp log-input
access-list 115 permit ip host 172.16.1.1 any log-input
access-list 115 permit ip host 172.16.1.75 any log-input
access-list 115 permit ip host 172.16.1.83 any log-input
access-list 115 deny ip host 172.16.1.74 any
access-list 115 deny ip host 172.16.2.1 any
access-list 115 deny ip 172.18.4.0 0.0.0.255 any
access-list 115 permit ip any any

Thanks,

Doro

smahbub Wed, 06/11/2008 - 06:11

Authentication proxy provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols. Authenticating and authorizing connections by user provides more robust protection against network attacks.

Refer to the Cisco IOS Security Configuration Guide, Release 12.1 for more information on configuring authentication proxy:

http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdauthp.html

lascumbres Tue, 06/17/2008 - 06:46

I have read that guide before, but it says that auth proxy works with VPN and that

"If a VPN client initiates an HTTP connection, the authentication proxy first checks for prior client authentication. If the client is authenticated, authorized traffic is permitted. If the client is not authenticated, the HTTP request triggers the authentication proxy, and the user is prompted for a username and password.

If the user authentication is successful, the authentication proxy retrieves the user profile from the AAA server. The source address in the user profile entries is replaced with the IP address of the authenticated VPN client from the decrypted packet."

The only way I could make an impact with auth-proxy on the VPN behaviour was when I configured a split-tunnel rule for the VPN client which only sends traffic to a non-existent internal network via the VPN tunnel. Only then would auth-proxy insert additional rules that allow access to more destinations.

As VPN without split-tunnel already allows access to all destinations, I don't see how auth-proxy can make a difference.

Doro
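The thread turns on two things: what ACL 115 in the first post does to each flow, and what the guide text quoted in the reply above says auth-proxy does after a successful login (profile entries inserted with the source rewritten to the VPN client's address). The Python below is an added example written for this page, not code from the thread or from Cisco: it models IOS extended-ACL evaluation (first match wins, implicit deny at the end, wildcard masks) and the quoted auth-proxy insertion step, using ACL 115 copied from the first post. The VPN client address 172.18.4.5, the user profile entry `permit tcp any host 192.168.102.1 eq www`, the ephemeral source port and the flows checked are all constructed for the example.

```python
"""Model of IOS extended-ACL evaluation (first match wins, implicit deny at the end)
plus the auth-proxy step quoted in this thread: after login the user's profile ACEs
are placed in front of the interface ACL with 'any' as source replaced by the
authenticated client's address.  ACL 115 is copied from the original post; the
user profile and the flows below are constructed for this example."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"isakmp": 500, "www": 80}  # the 'eq' keywords this example needs
ANY = (0, 0xFFFFFFFF)                     # (address, wildcard) pair meaning 'any'
ACE = namedtuple("ACE", "action proto src sport dst dport text")

ACL_115 = """
access-list 115 remark --- block certain hosts for auth-proxy testing ---
access-list 115 permit esp any any log-input
access-list 115 permit udp any any eq isakmp log-input
access-list 115 permit ip host 172.16.1.1 any log-input
access-list 115 permit ip host 172.16.1.75 any log-input
access-list 115 permit ip host 172.16.1.83 any log-input
access-list 115 deny ip host 172.16.1.74 any
access-list 115 deny ip host 172.16.2.1 any
access-list 115 deny ip 172.18.4.0 0.0.0.255 any
access-list 115 permit ip any any
""".strip().splitlines()

def ip(text):
    return int(ipaddress.IPv4Address(text))

def matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means that bit is ignored."""
    base, wild = spec
    return (ip(addr) | wild) == (base | wild)

def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (ip(tokens[1]), 0), tokens[2:]
    return (ip(tokens[0]), ip(tokens[1])), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT' clause; other port operators are not needed here."""
    if tokens[:1] != ["eq"]:
        return None, tokens
    name = tokens[1]
    return (int(name) if name.isdigit() else PORT_NAMES[name]), tokens[2:]

def parse_ace(line, number="115"):
    """One 'access-list N ...' line of an extended ACL; remarks and other ACLs give None."""
    tokens = line.split()
    if tokens[:2] != ["access-list", number] or tokens[2] == "remark":
        return None
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, rest = _addr(rest)
    dport, rest = _port(rest)  # anything left ('log', 'log-input') never affects matching
    return ACE(action, proto, src, sport, dst, dport, line.strip())

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (action, entry) for the first matching ACE; 'ip' entries match every protocol."""
    for ace in acl:
        if (ace.proto in ("ip", proto) and matches(ace.src, src) and matches(ace.dst, dst)
                and ace.sport in (None, sport) and ace.dport in (None, dport)):
            return ace.action, ace.text
    return "deny", "implicit deny at end of list"

def auth_proxy_install(acl, profile, client_ip):
    """Model of the quoted behaviour: profile entries written with source 'any' are
    copied ahead of the interface ACL with the source set to the client host."""
    dynamic = [parse_ace("access-list 115 " + e)._replace(
        src=(ip(client_ip), 0), text="auth-proxy dynamic for " + client_ip + ": " + e)
        for e in profile]
    return dynamic + acl

def check_thread_flows():
    """Evaluate the flows this thread talks about; returns name -> action."""
    acl = [a for a in map(parse_ace, ACL_115) if a]
    laptop, gw, inside, client = "172.16.2.1", "172.16.1.234", "192.168.102.1", "172.18.4.5"
    r = {
        # Tunnel setup from the laptop works because the ESP/ISAKMP permits precede its deny.
        "laptop_isakmp": evaluate(acl, "udp", laptop, gw, 500, 500)[0],
        "laptop_esp": evaluate(acl, "esp", laptop, gw)[0],
        "laptop_clear_ping": evaluate(acl, "icmp", laptop, inside)[0],
        # A pool address, if it is checked against ACL 115 at all, is denied before login.
        "pool_ping_before_auth": evaluate(acl, "icmp", client, inside)[0],
        "pool_http_before_auth": evaluate(acl, "tcp", client, inside, 40000, 80)[0],
    }
    # Constructed profile: the AAA server returns one proxyacl allowing HTTP to the inside host.
    after = auth_proxy_install(acl, ["permit tcp any host 192.168.102.1 eq www"], client)
    r["pool_http_after_auth"] = evaluate(after, "tcp", client, inside, 40000, 80)[0]
    r["pool_ping_after_auth"] = evaluate(after, "icmp", client, inside)[0]
    return r

if __name__ == "__main__":
    for name, action in check_thread_flows().items():
        print(f"{name:24s} {action}")
```

Run as-is, the model permits the laptop's ISAKMP and ESP (those two permits sit above the `deny ip host 172.16.2.1 any` entry, which is why the tunnel can come up), denies any 172.18.4.x source before login, and after the modelled login opens only the profile's HTTP entry; ICMP from the pool is still denied. So the text of ACL 115 does not by itself explain a successful ping from the pool: whether decrypted tunnel traffic is evaluated against the interface ACL at all depends on the IOS release, which the post does not give, and that is the first thing to check on the router.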
