Cisco Support Community

New Member

local auth-proxy authentication

Hi,

Does auth-proxy authentication work with local AAA usernames on a Cisco router, or is a RADIUS/TACACS+ server mandatory for this task?

I'm trying to limit web access on a branch office router without resorting to a centralized proxy server at the main office.

Thanks for your help.

1 ACCEPTED SOLUTION

Cisco Employee

Re: local auth-proxy authentication

Hi,

You'll need a RADIUS/ACS server for this feature. See:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfauthp.htm

"The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access were associated with a user IP address, or a single security policy had to be applied to an entire user group or subnetwork. Now, users can be identified and authorized on the basis of their per-user policy. Tailoring of access privileges on an individual basis is possible, as opposed to applying a general policy across multiple users.

With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a CiscoSecure ACS, or other RADIUS, or TACACS+ authentication server. The user profiles are active only when there is active traffic from the authenticated users."

HTH,

Bobby

*Please rate helpful posts.

4 REPLIES
New Member

Re: local auth-proxy authentication

Thanks, that answers my question.

Regards.

New Member

Re: local auth-proxy authentication

Actually, this is not 100% true. I have tested that you can use auth-proxy with a local database. I cannot figure out, however, how you can define what ACLs are applied after authentication. Right now, once you authenticate, you have full outbound access. This is on a 1721 running 12.4 code.

New Member

Re: local auth-proxy authentication

Yes, indeed it works with local authentication, but does anyone know how to configure the dynamic ACL?
