Local AAA server configuration for https authentication proxy

Nov 24th, 2009

I have the following scenario: I need to set up a transparent firewall using a Cisco 1841 router with 2 Fast Ethernet interfaces with IOS version 12.4(15)T9 Advanced Security. The project also calls for authenticating users using the ip auth-proxy feature. The users should use https to connect to an internal server. The IP addresses of the users are dynamic (i.e. they may authenticate from the Internet). I have successfully set up the ip auth-proxy feature using an external ACS server using TACACS+. However, I want to use the AAA local server feature in order to implement this project instead of using an external AAA server.

The question is how to configure the local AAA attributes in order to have the same functionality as when using an external AAA server (i.e. dynamic proxy ACL entries permitting specific IP addresses and protocols) without using one (i.e. using only the local AAA server feature of Cisco IOS).
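For reference, an illustrative configuration of the working external-AAA setup the question describes (added here as an example; it is not from the original thread or from Cisco's own documentation). Addresses, the rule and ACL names, the internal server and the TACACS+ shared secret are placeholders, and the user is assumed to first browse over plain HTTP so that the proxy intercepts the session and presents its login page over the router's HTTPS server. Verify the exact syntax against the 12.4(15)T command reference.

```cisco
! --- Router side (assumed addressing; EXAMPLE-KEY is a placeholder) ---
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
!
! Login page is served by the router's HTTPS server; credentials are checked via AAA
ip http server
ip http secure-server
ip http authentication aaa
!
! Auth-proxy rule: intercept inbound HTTP, keep cache entries for 60 minutes
ip auth-proxy auth-cache-time 60
ip auth-proxy name WEBAUTH http
!
! Interface ACL blocks the protected traffic until the proxy installs per-user entries;
! the permit for the router's own address lets users reach the login page over HTTPS
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.1 eq 443
 deny   ip any any
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip auth-proxy WEBAUTH
!
! --- ACS side (assumed TACACS+ custom attributes under service auth-proxy) ---
!   priv-lvl=15
!   proxyacl#1=permit tcp any host 10.10.10.5 eq 443
! On successful login the proxy adds these entries ahead of OUTSIDE-IN, with "any"
! replaced by the source address of the authenticating host; this is the dynamic
! per-user ACL behaviour the question refers to.
```

The proxyacl attributes are what a local user database cannot carry: the `username` command has no equivalent attribute for auth-proxy, which is why the answers below point out that the feature needs an external AAA server.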

Farrukh Haroon Wed, 11/25/2009 - 05:01

AFAIK, the auth-proxy feature is only supported using an external AAA. If you need to use the local database, you have to look at the lock-n-key feature, please see these links:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authen_prxy.html#wp1054354

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_lock_key_secrty_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Regards

Farrukh

k.protopapas Wed, 11/25/2009 - 05:22
You probably did not understand that I want to use the authentication proxy feature. I don't want to use lock-and-key.

Farrukh Haroon Fri, 11/27/2009 - 09:46

Check out the table on the first link comparing auth-proxy and lock-n-key; it clearly states that local authentication is not supported with auth-proxy. This is from Cisco, not me.

k.protopapas Mon, 11/30/2009 - 00:39

I know about that. But Cisco also states that the Local AAA server can be used instead of an external AAA server. So, stop posting unless you have a solution to my problem.
