
local auth-proxy authentication

jaregalado (Level 1)

Hi,

Does auth-proxy authentication work with local AAA usernames on a Cisco router, or is a RADIUS/TACACS+ server mandatory for this task?

I'm trying to limit web access on a branch office router without resorting to a centralized proxy server at the main office.

Thanks for your help.

Accepted Solution

Bobby Thekkekandam (Cisco Employee)

Hi,

You'll need a RADIUS/ACS server for this feature. See:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfauthp.htm

"The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access were associated with a user IP address, or a single security policy had to be applied to an entire user group or subnetwork. Now, users can be identified and authorized on the basis of their per-user policy. Tailoring of access privileges on an individual basis is possible, as opposed to applying a general policy across multiple users.

With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a CiscoSecure ACS, or other RADIUS, or TACACS+ authentication server. The user profiles are active only when there is active traffic from the authenticated users."

HTH,

Bobby

*Please rate helpful posts.


4 Replies


Thanks, that answers my question.

Regards.

Actually, this is not 100% true. I have tested this and you can use auth-proxy with a local database. I cannot figure out, however, how you can define what ACLs are applied after authentication. Right now, once you authenticate, you have full outbound access. This is on a 1721 running 12.4 code.

Yes, indeed it works with local authentication, but does anyone know how to configure the dynamic ACL?
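The following is an added configuration example, not posted by anyone in this thread, that ties together the accepted answer (per-user profiles pushed from a RADIUS server) and the last two replies (local authentication works, but the per-user ACL is what is missing). It shows the classic IOS auth-proxy setup from the linked document: the interface ACL blocks everything except what the host needs to reach the login page, and the RADIUS reply carries the `auth-proxy:priv-lvl` and `auth-proxy:proxyacl#n` Cisco AV pairs that the router turns into dynamic entries at the top of that ACL. Hostnames, addresses, the shared secret, the user name, and the ACL/auth-proxy names are placeholders; the `local` authorization method shown in the commented-out variant is an assumption based on the replies above, not something the linked document describes.

```cisco
! ---- Router side (IOS 12.2/12.4 classic "ip auth-proxy" syntax) ----
aaa new-model
!
! Authenticate the auth-proxy login and fetch the per-user profile from RADIUS.
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
!
! Variant reported to work in the replies above (assumption, not from the Cisco doc):
! authentication against the local username database. No proxyacl attributes are
! returned in that case, which matches the "full outbound access after login" seen
! by the poster on 12.4.
! aaa authentication login default local
! aaa authorization auth-proxy default local
! username alice privilege 15 secret <placeholder>
!
! Placeholder RADIUS server; "vsa send" is required so the Cisco AV pairs are accepted.
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <placeholder-secret>
radius-server vsa send authentication
!
! auth-proxy serves its login page through the router's HTTP server, authenticated by AAA.
ip http server
ip http authentication aaa
!
! Idle timeout (minutes) after which an authenticated host's dynamic entries are removed.
ip auth-proxy auth-cache-time 30
ip auth-proxy name WEBAUTH http
!
! Pre-authentication policy on the LAN-facing interface: permit DNS and HTTP to the
! router itself (needed to reach the login page), deny the rest. auth-proxy inserts
! the per-user proxyacl entries in front of these lines once the user logs in.
ip access-list extended LAN_IN
 permit udp 192.168.1.0 0.0.0.255 any eq domain
 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
 deny   ip any any
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN_IN in
 ip auth-proxy WEBAUTH
!
! ---- RADIUS side (FreeRADIUS users-file style, placeholder user) ----
! priv-lvl=15 is mandatory for auth-proxy; each proxyacl#n line becomes one dynamic
! ACL entry. The source must be "any": the router substitutes the authenticated host's
! address, so a user can only ever open holes for the machine they logged in from.
! alice  Cleartext-Password := "<placeholder>"
!        Cisco-AVPair = "auth-proxy:priv-lvl=15",
!        Cisco-AVPair = "auth-proxy:proxyacl#1=permit tcp any any eq www",
!        Cisco-AVPair = "auth-proxy:proxyacl#2=permit tcp any any eq 443"
```

After a host on 192.168.1.0/24 authenticates, `show ip auth-proxy cache` lists the entry and `show ip access-lists LAN_IN` shows the per-user `permit tcp host <client> any eq www` lines above the static ones; they disappear after the cache timeout expires. Without the proxyacl attributes nothing is inserted, so whatever the static ACL allows after login is the effective policy, which is the behaviour the last two replies describe.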