How to configure authentication proxy on a router using a local AAA database

Document

Jun 22, 2009 4:03 PM
Jun 22nd, 2009

What is AAA?

An AAA server is a server program that handles user requests for access to computer resources and, for an enterprise, provides authentication, authorization, and accounting (AAA) services. The AAA server typically interacts with network access and gateway servers and with databases and directories containing user information. The current standard by which devices or applications communicate with an AAA server is the Remote Authentication Dial-In User Service (RADIUS).

Core issue

Authentication proxy (auth-proxy) is used to authenticate inbound or outbound users, or both. These users are normally blocked by an access list. However, with auth-proxy the users bring up a browser to go through the firewall and authenticate on a TACACS+ or RADIUS server. The server passes additional access list entries down to the router to allow the users through after authentication.

The authentication proxy supports Telnet, HTTP, and FTP services.

Note: The authentication proxy service for secure shell (SSH) connections is not supported.

Resolution

This configuration example shows how to configure the authentication proxy service for Telnet/HTTP using a local AAA database on routers:

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization auth-proxy default local

aaa attribute list cisco
attribute type priv-lvl 15 service auth-proxy protocol ip
!
ip auth-proxy name cisco telnet inactivity-time 60
ip auth-proxy name security http inactivity-time 60
!
username cisco privilege 15 password 0 cisco
username cisco aaa attribute list cisco
!
interface FastEthernet0/0
ip address x.x.x.x 255.255.255.224
ip auth-proxy security
duplex auto
speed auto
!
interface FastEthernet1/0
ip address y.y.y.y 255.255.255.0
ip auth-proxy cisco
duplex auto
speed auto
!
ip http server
ip http authentication local
no ip http secure-server

Note: A router can have only one authentication proxy service applied per interface (for example, either Telnet or HTTP). In this example configuration, the authentication proxy Telnet service is applied on interface fa1/0 and the HTTP service is applied on fa0/0.

Refer to the Firewall Authentication Proxy for FTP and Telnet Sessions section of Configuring Authentication Proxy in IOS  Firewall.

Refer to Auth-proxy Authentication Outbound (Cisco IOS Firewall and NAT) Configuration for more information.

Average Rating: 5 (1 ratings)

Comments

bmigette Wed, 09/12/2012 - 05:10

Nice example. I've added this to have ACLs working

aaa authentication login default local

aaa authorization auth-proxy default local

aaa attribute list authproxylist

attribute type priv-lvl 15

attribute type proxyacl "permit tcp any any" service auth-proxy

attribute type proxyacl "permit udp any any" service auth-proxy

username proxyuser password 0 cisco

username proxyuser aaa attribute list authproxylist

Actions

Login or Register to take actions

This Document

Posted June 22, 2009 at 4:03 PM
Stats:
Comments:1 Avg. Rating:5
Views:7983 Contributors:1
Shares:0

Related Content

Documents Leaderboard