06-05-2008 01:03 AM - edited 02-21-2020 10:21 AM
Hello,
I am trying to get HTTP authentication proxy to work together with the VPN client.
I think I might have misunderstood how it is supposed to work, because with my configuration, once the VPN tunnel is established, the user already has full access to all internal networks. I have tried to follow the examples in
(auth-proxy with vpn and firewall no NAT)
and
(auth-proxy with vpn and firewall and NAT)
I am trying from a laptop on 172.16.2.1
connecting to the router interface on 172.16.1.234. The VPN clients get an IP address from pool 172.18.4.0/24.
Access-list 115 denies 172.16.2.1 and 172.18.4.0/24 explicitly, but once the VPN tunnel is up I can already ping the internal address 192.168.102.1. What am I getting wrong?
Here is my setup:
Laptop -- Router1 -- Router2 -- 182.169.102.1
aaa authentication login default group radius local
aaa authentication login CLIENTuserauthen group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network CLIENTgroupauthor local
aaa authorization auth-proxy default group radius
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CLIENTgroup
 key halodri
 dns 172.16.1.1 172.16.5.1
 wins 172.16.1.1 172.16.5.1
 domain lco.gtn
 pool CLIENTpool
crypto isakmp profile CLIENTprof
 match identity group CLIENTgroup
 client authentication list CLIENTuserauthen
 isakmp authorization list CLIENTgroupauthor
 client configuration address respond
!
!
crypto ipsec transform-set CLIENTset esp-3des esp-md5-hmac
!
crypto dynamic-map CLIENTdynmap 10
 set transform-set CLIENTset
 set isakmp-profile CLIENTprof
 reverse-route
crypto map VPNMAP 100 ipsec-isakmp dynamic CLIENTdynmap
interface GigabitEthernet0/0
 description Outside Interface
 ip address 172.16.1.234 255.255.255.0
 ip access-group 115 in
 ip nat outside
 ip auth-proxy auth_proxy_rule_http
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPNMAP
interface GigabitEthernet0/1
 ip address 192.168.25.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool CLIENTpool 172.18.4.1 172.18.4.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 172.16.0.0 255.255.255.0 GigabitEthernet0/1
ip route 172.16.2.0 255.255.255.0 172.16.1.201
ip route 192.168.101.0 255.255.255.0 GigabitEthernet0/1
ip route 192.168.102.0 255.255.255.0 GigabitEthernet0/1
ip http server
ip http access-class 10
ip http authentication aaa
ip http secure-server
logging trap debugging
logging facility local3
logging 192.168.102.1
access-list 10 remark http server needed by auth-proxy, but we deny access to http server itself
access-list 10 deny any
access-list 105 remark -- end route-map nonat list
access-list 115 remark --- block certain hosts for auth-proxy testing ---
access-list 115 permit esp any any log-input
access-list 115 permit udp any any eq isakmp log-input
access-list 115 permit ip host 172.16.1.1 any log-input
access-list 115 permit ip host 172.16.1.75 any log-input
access-list 115 permit ip host 172.16.1.83 any log-input
access-list 115 deny ip host 172.16.1.74 any
access-list 115 deny ip host 172.16.2.1 any
access-list 115 deny ip 172.18.4.0 0.0.0.255 any
access-list 115 permit ip any any
Thanks,
Doro
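As an added illustration (not part of the original post), the following Python evaluator walks ACL 115 in first-match order for a few packets, so you can see which line each packet hits: the ESP and ISAKMP permits sit above the deny for 172.16.2.1, so the tunnel is allowed to come up, while plaintext from the laptop or from the 172.18.4.0/24 pool toward 192.168.102.1 would be denied by this list. The ACL text is copied from the post; the packet values are constructed, and the parser only handles the ACL syntax used here (any / host / address with a contiguous wildcard, and "eq" on the destination port).

```python
import ipaddress

# ACL 115 as posted above, used as sample input for the evaluator (remark line omitted).
ACL_115 = """
access-list 115 permit esp any any log-input
access-list 115 permit udp any any eq isakmp log-input
access-list 115 permit ip host 172.16.1.1 any log-input
access-list 115 permit ip host 172.16.1.75 any log-input
access-list 115 permit ip host 172.16.1.83 any log-input
access-list 115 deny ip host 172.16.1.74 any
access-list 115 deny ip host 172.16.2.1 any
access-list 115 deny ip 172.18.4.0 0.0.0.255 any
access-list 115 permit ip any any
"""
PORT_NAMES = {"isakmp": 500}  # the only service name this ACL uses

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))
    prefixlen = 32 - wildcard.bit_length()  # assumes a contiguous wildcard such as 0.0.0.255
    return ipaddress.ip_network(f"{tokens[0]}/{prefixlen}", strict=False), tokens[2:]

def parse_acl(text):
    """Parse extended-ACL lines into (action, proto, src, dst, dport); remarks and log keywords are ignored."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append((t[2], t[3], src, dst, dport))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """First-match lookup as IOS does it; returns (action, entry index), implicit deny as ('deny', None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, eproto, esrc, edst, edport) in enumerate(entries):
        proto_ok = eproto == "ip" or eproto == proto
        port_ok = edport is None or edport == dport
        if proto_ok and port_ok and src in esrc and dst in edst:
            return action, i
    return "deny", None
```

Comparing what this evaluator returns for the decrypted packets (for example ICMP from a pool address to 192.168.102.1, which hits the deny on the 172.18.4.0/24 line) with the ping that actually succeeds tells you whether the decrypted traffic is passing through ACL 115 at all, which is the first thing to establish before expecting auth-proxy to change anything.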
06-11-2008 06:11 AM
Authentication proxy provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols. Authenticating and authorizing connections by user provides more robust protection against network attacks.
Refer to the Cisco IOS Security Configuration Guide, Release 12.1 for more information on configuring authentication proxy:
http://www.cisco.com/en/US/docs/ios/12_1/security/configuration/guide/scdauthp.html
06-17-2008 06:46 AM
I have read that guide before, but it says that auth-proxy works with VPN and that
"
If a VPN client initiates an HTTP connection, the authentication proxy first checks for prior client authentication. If the client is authenticated, authorized traffic is permitted. If the client is not authenticated, the HTTP request triggers the authentication proxy, and the user is prompted for a username and password.
If the user authentication is successful, the authentication proxy retrieves the user profile from the AAA server. The source address in the user profile entries is replaced with the IP address of the authenticated VPN client from the decrypted packet.
"
The only way I could make an impact with auth-proxy on the VPN behaviour was when I configured a split-tunnel rule for the VPN client which only sends traffic to a non-existent internal network via the VPN tunnel. Only then would auth-proxy insert additional rules that allow access to more destinations.
As VPN without split-tunnel already allows access to all destinations, I don't see how auth-proxy can make a difference.
Doro