Cisco Support Community

How to configure authentication proxy on a router using a local AAA database

What is AAA?

An AAA server is a server program that handles user requests for access to computer resources and, for an enterprise, provides authentication, authorization, and accounting (AAA) services. The AAA server typically interacts with network access and gateway servers and with databases and directories containing user information. The current standard by which devices or applications communicate with an AAA server is the Remote Authentication Dial-In User Service (RADIUS).

Core issue

Authentication proxy (auth-proxy) is used to authenticate inbound or outbound users, or both. These users are normally blocked by an access list. However, with auth-proxy the users bring up a browser to go through the firewall and authenticate on a TACACS+ or RADIUS server. The server passes additional access list entries down to the router to allow the users through after authentication.

The authentication proxy supports Telnet, HTTP, and FTP services.

Note: The authentication proxy service for secure shell (SSH) connections is not supported.


This configuration example shows how to configure the authentication proxy service for Telnet/HTTP using a local AAA database on routers:

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization auth-proxy default local

aaa attribute list cisco
 attribute type priv-lvl 15 service auth-proxy protocol ip

ip auth-proxy name cisco telnet inactivity-time 60
ip auth-proxy name security http inactivity-time 60

username cisco privilege 15 password 0 cisco
username cisco aaa attribute list cisco

interface FastEthernet0/0
 ip address x.x.x.x
 ip auth-proxy security
 duplex auto
 speed auto

interface FastEthernet1/0
 ip address y.y.y.y
 ip auth-proxy cisco
 duplex auto
 speed auto

ip http server
ip http authentication local
no ip http secure-server

Note: A router can have only one authentication proxy service applied per interface (for example, either Telnet or HTTP). In this example configuration, the authentication proxy Telnet service is applied on interface fa1/0 and the HTTP service is applied on fa0/0.

Refer to the Firewall Authentication Proxy for FTP and Telnet Sessions section of Configuring Authentication Proxy in IOS Firewall.

Refer to Auth-proxy Authentication Outbound (Cisco IOS Firewall and NAT) Configuration for more information.

Version history
Revision 1 of 1. Last update: 06-22-2009 04:03 PM.

Nice example. I've added this to have ACLs working:

aaa authentication login default local
aaa authorization auth-proxy default local

aaa attribute list authproxylist
 attribute type priv-lvl 15
 attribute type proxyacl "permit tcp any any" service auth-proxy
 attribute type proxyacl "permit udp any any" service auth-proxy

username proxyuser password 0 cisco
username proxyuser aaa attribute list authproxylist
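The article's configuration, the one-rule-per-interface note, and the comment above (a local attribute list needs proxyacl entries before the router has anything to add to the access list after login) all describe checks that can be run against a saved running-config before it goes on a router. The script below is an added example written for this page, not Cisco's or the article author's code. It assumes `show running-config` output with sub-mode lines indented by one space, as IOS prints them; both configuration samples inside it are constructed, the first being the article's own configuration with the duplex/speed lines dropped.

```python
"""Added example (not Cisco tooling): lint the auth-proxy pieces of an IOS
running-config. Assumes sub-mode lines are indented by one space, as IOS
prints them; the checks cover the rules stated on this page."""
import re

# Constructed sample: the article's configuration as IOS would display it
# (placeholder addresses kept, duplex/speed lines dropped for brevity).
PAGE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization auth-proxy default local
aaa attribute list cisco
 attribute type priv-lvl 15 service auth-proxy protocol ip
ip auth-proxy name cisco telnet inactivity-time 60
ip auth-proxy name security http inactivity-time 60
username cisco privilege 15 password 0 cisco
username cisco aaa attribute list cisco
interface FastEthernet0/0
 ip address x.x.x.x
 ip auth-proxy security
interface FastEthernet1/0
 ip address y.y.y.y
 ip auth-proxy cisco
ip http server
ip http authentication local
no ip http secure-server
"""

# Constructed sample with the mistakes a reviewer looks for: no auth-proxy
# authorization method, two rules on one interface, an undefined rule, and
# a username pointing at a misspelled attribute list.
BROKEN_CONFIG = """\
aaa attribute list authproxylist
 attribute type proxyacl "permit tcp any any" service auth-proxy
ip auth-proxy name cisco telnet inactivity-time 60
username proxyuser aaa attribute list authproxy
interface FastEthernet0/0
 ip auth-proxy cisco
 ip auth-proxy security
"""


def parse_config(text):
    """Collect the parts of the config that the auth-proxy feature depends on."""
    cfg = {"rules": {}, "attr_lists": {}, "user_lists": {}, "applied": {},
           "authz_local": False, "http_server": False}
    mode = None  # ("interface", name), ("attr_list", name) or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # a global command ends any sub-mode
            mode = None
        if (m := re.match(r"interface (\S+)$", line)):
            mode = ("interface", m.group(1))
            cfg["applied"].setdefault(m.group(1), [])
        elif (m := re.match(r"aaa attribute list (\S+)$", line)):
            mode = ("attr_list", m.group(1))
            cfg["attr_lists"].setdefault(m.group(1), 0)  # proxyacl entry count
        elif (m := re.match(r"ip auth-proxy name (\S+) (telnet|http|ftp)\b", line)):
            cfg["rules"][m.group(1)] = m.group(2)
        elif (m := re.match(r"username (\S+) aaa attribute list (\S+)$", line)):
            cfg["user_lists"][m.group(1)] = m.group(2)
        elif line == "aaa authorization auth-proxy default local":
            cfg["authz_local"] = True
        elif line == "ip http server":
            cfg["http_server"] = True
        elif mode and mode[0] == "interface" and (m := re.match(r"ip auth-proxy (\S+)$", line)):
            cfg["applied"][mode[1]].append(m.group(1))  # rule applied on interface
        elif mode and mode[0] == "attr_list" and line.startswith("attribute type proxyacl "):
            cfg["attr_lists"][mode[1]] += 1
    return cfg


def lint(cfg):
    """Return human-readable findings; an empty list means every check passed."""
    out = []
    if not cfg["authz_local"]:
        out.append("missing 'aaa authorization auth-proxy default local'")
    for intf, names in cfg["applied"].items():
        if len(names) > 1:  # only one auth-proxy rule per interface
            out.append(f"{intf}: only one auth-proxy rule may be applied, found {names}")
        for name in names:
            proto = cfg["rules"].get(name)
            if proto is None:
                out.append(f"{intf}: applies undefined auth-proxy rule '{name}'")
            elif proto == "http" and not cfg["http_server"]:
                out.append(f"{intf}: HTTP rule '{name}' needs 'ip http server'")
    for user, lst in cfg["user_lists"].items():
        if lst not in cfg["attr_lists"]:
            out.append(f"username {user}: attribute list '{lst}' is not defined")
        elif cfg["attr_lists"][lst] == 0:  # the point raised in the comment above
            out.append(f"username {user}: list '{lst}' has no proxyacl entries, "
                       "so no access list entries are added after login")
    return out


if __name__ == "__main__":
    for label, text in (("article", PAGE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, lint(parse_config(text)) or ["ok"])
```

Run against the article's configuration the only finding is the missing proxyacl entries, which is exactly what the commenter added; adding one `attribute type proxyacl ... service auth-proxy` line under the list clears it. The broken sample produces one finding per mistake, in config order.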