TCC_2
Level 10

What is AAA?

An AAA server is a server program that handles user requests for access to computer resources and, for an enterprise, provides authentication, authorization, and accounting (AAA) services. The AAA server typically interacts with network access and gateway servers and with databases and directories containing user information. The current standard by which devices or applications communicate with an AAA server is the Remote Authentication Dial-In User Service (RADIUS).

Core issue

Authentication proxy (auth-proxy) is used to authenticate inbound or outbound users, or both. These users are normally blocked by an access list. However, with auth-proxy the users bring up a browser to go through the firewall and authenticate on a TACACS+ or RADIUS server. The server passes additional access list entries down to the router to allow the users through after authentication.

The authentication proxy supports Telnet, HTTP, and FTP services.

Note: The authentication proxy service for secure shell (SSH) connections is not supported.

Resolution

This configuration example shows how to configure the authentication proxy service for Telnet/HTTP using a local AAA database on routers:

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization auth-proxy default local
!
aaa attribute list cisco
 attribute type priv-lvl 15 service auth-proxy protocol ip
!
ip auth-proxy name cisco telnet inactivity-time 60
ip auth-proxy name security http inactivity-time 60
!
username cisco privilege 15 password 0 cisco
username cisco aaa attribute list cisco
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.224
 ip auth-proxy security
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address y.y.y.y 255.255.255.0
 ip auth-proxy cisco
 duplex auto
 speed auto
!
ip http server
ip http authentication local
no ip http secure-server

Note: A router can have only one authentication proxy service applied per interface (for example, either Telnet or HTTP). In this example configuration, the authentication proxy Telnet service is applied on interface fa1/0 and the HTTP service is applied on fa0/0.

Refer to the Firewall Authentication Proxy for FTP and Telnet Sessions section of Configuring Authentication Proxy in IOS Firewall.

Refer to Auth-proxy Authentication Outbound (Cisco IOS Firewall and NAT) Configuration for more information.
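The sequence the Core issue section describes (traffic blocked, the proxied service intercepted for a login, the AAA database returning per-user proxyacl entries that are installed as dynamic access list entries, and those entries aged out after the configured inactivity-time) can be walked through in a small model. The following Python is an added illustration written for this page, not Cisco code and not the router's real implementation: the local user database and the proxyacl strings are constructed to mirror the username and attribute list lines above (and the proxyacl entries in the comment below), and the access list matcher only understands the "permit <proto> <src> <dst> [eq <port>]" subset those examples use.

```python
"""Model of IOS Firewall authentication proxy backed by a local AAA database.

Added illustration, not Cisco code. It reproduces the flow from the page:
block -> intercept the proxied service for a login -> local AAA returns the
user's proxyacl entries -> dynamic entries installed for that host -> entries
removed once the host has been idle longer than inactivity-time.
"""
from dataclasses import dataclass, field

# Constructed local user database mirroring the page's `username cisco ...` and
# `aaa attribute list` lines. The proxyacl strings use the syntax of the
# `attribute type proxyacl` entries in the comment (constructed sample data).
LOCAL_AAA = {
    "cisco": {"password": "cisco",
              "proxyacl": ["permit tcp any any", "permit udp any any"]},
}

# Service the proxy intercepts on an interface, as in `ip auth-proxy name ... http|telnet`.
SERVICE_PORTS = {"http": 80, "telnet": 23}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int


def acl_entry_matches(entry: str, flow: Flow) -> bool:
    """Match one proxyacl line against a flow. Only the keyword subset used in
    the page's examples is handled (assumption): permit/deny, a protocol name or
    'ip', 'any' or a host address for source and destination, optional 'eq <port>'."""
    tokens = entry.split()
    action, proto, src, dst = tokens[:4]
    if action != "permit":
        return False
    if proto != "ip" and proto != flow.proto:
        return False
    if src != "any" and src != flow.src:
        return False
    if dst != "any" and dst != flow.dst:
        return False
    if len(tokens) >= 6 and tokens[4] == "eq" and int(tokens[5]) != flow.dport:
        return False
    return True


@dataclass
class AuthProxyInterface:
    service: str            # "http" or "telnet", one service per interface
    inactivity_time: int    # seconds, as in `ip auth-proxy name ... inactivity-time`
    sessions: dict = field(default_factory=dict)   # src host -> dynamic ACL state

    def check(self, flow: Flow, now: float) -> str:
        """Decide one packet: 'forward', 'drop' or 'login-prompt'.
        'drop' stands for the interface access list that blocks users by default."""
        sess = self.sessions.get(flow.src)
        if sess is not None and now - sess["last_seen"] > self.inactivity_time:
            # Idle timer expired: dynamic entries are removed; the user must log in again.
            del self.sessions[flow.src]
            sess = None
        if sess is not None:
            if any(acl_entry_matches(e, flow) for e in sess["acl"]):
                sess["last_seen"] = now   # traffic matching the entries keeps the session alive
                return "forward"
            return "drop"
        # Unauthenticated host: only the proxied service is intercepted, to show the login.
        if flow.proto == "tcp" and flow.dport == SERVICE_PORTS[self.service]:
            return "login-prompt"
        return "drop"

    def login(self, src: str, username: str, password: str, now: float) -> bool:
        """Credentials entered on the intercepted login are checked against the
        local database; on success the user's proxyacl entries are installed for src."""
        user = LOCAL_AAA.get(username)
        if user is None or user["password"] != password:
            return False
        self.sessions[src] = {"acl": list(user["proxyacl"]), "last_seen": now}
        return True


def demo() -> list:
    """Walk through the page's scenario on the HTTP-proxied interface; returns the decisions."""
    proxy = AuthProxyInterface(service="http", inactivity_time=60)
    host, server = "10.0.0.5", "192.0.2.10"      # constructed addresses
    ssh = Flow(host, server, "tcp", 22)
    web = Flow(host, server, "tcp", 80)
    t0 = 1000.0
    return [
        proxy.check(ssh, t0),                        # drop: host not authenticated
        proxy.check(web, t0),                        # login-prompt: HTTP is intercepted
        proxy.login(host, "cisco", "wrong", t0),     # False: bad password
        proxy.login(host, "cisco", "cisco", t0),     # True: proxyacl entries installed
        proxy.check(ssh, t0 + 10),                   # forward: "permit tcp any any"
        proxy.check(ssh, t0 + 71),                   # drop: idle 61 s > inactivity-time 60
    ]


if __name__ == "__main__":
    print(demo())
```

The last step is the one worth noticing when choosing inactivity-time: the idle timer is what tears the dynamic entries down, so a long value leaves a permissive per-host hole open on the interface long after the user has walked away, while too short a value sends users back to the login page mid-session. The model also mirrors the page's `password 0 cisco` line, which stores the password in clear text in the configuration; `username ... secret` stores a hash instead.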

Comments
Bastien Migette
Cisco Employee

Nice example. I've added this to have ACLs working:

aaa authentication login default local
aaa authorization auth-proxy default local
!
aaa attribute list authproxylist
 attribute type priv-lvl 15
 attribute type proxyacl "permit tcp any any" service auth-proxy
 attribute type proxyacl "permit udp any any" service auth-proxy
!
username proxyuser password 0 cisco
username proxyuser aaa attribute list authproxylist
