05-03-2006 05:10 PM - edited 02-21-2020 10:15 AM
Hi,
Does auth-proxy authentication work with local AAA usernames on a Cisco router, or is a RADIUS/TACACS+ server mandatory for this task?
I'm trying to limit web access on a branch office router without resorting to a centralized proxy server at the main office.
Thanks for your help.
05-05-2006 07:27 AM
Hi,
You'll need a RADIUS/ACS server for this feature. See:
"The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access were associated with a user IP address, or a single security policy had to be applied to an entire user group or subnetwork. Now, users can be identified and authorized on the basis of their per-user policy. Tailoring of access privileges on an individual basis is possible, as opposed to applying a general policy across multiple users.
With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a CiscoSecure ACS, or other RADIUS, or TACACS+ authentication server. The user profiles are active only when there is active traffic from the authenticated users."
HTH,
Bobby
*Please rate helpful posts.
05-05-2006 09:51 AM
Thanks, that answers my question.
Regards.
06-28-2008 07:18 PM
Actually, this is not 100% true. I have tested this: you can use auth-proxy with a local database. I cannot figure out, however, how you can define which ACLs are applied after authentication. Right now, once you authenticate, you have full outbound access. This is on a 1721 running 12.4 code.
09-24-2008 04:29 PM
Yes, indeed it works with local authentication, but does anyone know how to configure the dynamic ACL?
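Added configuration example (not posted by anyone in this thread) covering both the quoted description of auth-proxy in the accepted answer and the two later posts about local authentication and the missing dynamic ACL. The interface names, addresses, usernames and RADIUS key are placeholders; the `local` fallback on the method lists is an assumption about what the 12.4 posters configured, and the Cisco AV-pairs shown for the RADIUS profile are the documented way the per-user "proxyacl" entries reach the router.

```cisco
! Added example, not from the thread. Addresses, names and keys are placeholders.
! Router side: auth-proxy on the LAN interface. Login and authorization go to RADIUS
! first and fall back to the local username database if the server is unreachable
! (assumption: this is the "local" setup the 2008 posts describe).
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius local
radius-server host 10.0.0.5 auth-port 1812 acct-port 1813 key ChangeMe
!
! Local fallback account. A plain username entry carries no proxyacl entries,
! so a session authorized only from here gets no per-user ACL from this profile.
username branchuser secret ChangeMeToo
!
! The login page is served by the router's own HTTP server, authenticated via AAA.
ip http server
ip http authentication aaa
!
! Auth-proxy rule: intercept HTTP, expire idle entries after 60 minutes.
ip auth-proxy auth-cache-time 60
ip auth-proxy name WEBAUTH http
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy WEBAUTH
!
! Inbound ACL: before authentication only the router's own login page is reachable.
! Everything else stays blocked until the proxy inserts the user's dynamic entries.
access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 110 deny ip any any
!
! RADIUS side: Cisco AV-pairs (vendor 9, attribute 1) in the user's profile.
! priv-lvl=15 must be present for auth-proxy to accept the profile; each proxyacl#n
! becomes a dynamic ACE with the source rewritten to the authenticated host's address.
!   cisco-avpair = "auth-proxy:priv-lvl=15"
!   cisco-avpair = "auth-proxy:proxyacl#1=permit tcp any any eq 80"
!   cisco-avpair = "auth-proxy:proxyacl#2=permit tcp any any eq 443"
!   cisco-avpair = "auth-proxy:proxyacl#3=permit udp any any eq 53"
```

Check the result with `show ip auth-proxy cache` after a user logs in, and `show ip access-lists 110` to see the dynamic entries that were added for that source address. The point the two later posts run into is visible in the split above: the username command authenticates the user, but the ACEs that get applied afterwards are taken from the proxyacl entries of the AAA profile, which the RADIUS (or TACACS+) server supplies and a plain local username entry does not.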