Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

IOS: Auth-proxy with TACACS

 

 

Documentation

 

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

 

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/iosfw2_1.html#wp12282

 

Prerequisites

For the authentication proxy to work properly, the client browser must be running the following browser software:

  • Microsoft Internet Explorer 3.0 or later
  • Netscape Navigator 3.0 or later

 

Goal

The goal is to authenticate the user (192.168.2.10) to R2 (100.110.10.50) via http upon which the tacacs server should add a dynamic access-list to the ACL applied on R1's F0/0 interface and allow the user (192.168.2.10) to ping R2 (100.110.10.50).

 

Topology

togology.JPG

How auth-proxy works

The Cisco IOS Firewall authentication proxy  feature allows network administrators to apply specific security policies on a per-user basis.

 

  • auth-proxy intercepts the specified traffic through the router
  • forwards to ACS for authentication
  • ACS authenticates the user and also pushes allowed access-list to the router
  • User is allowed to access the resources based on the dynamic access-lists pushed down to the router by ACS

Assumption

This excercise will assume that all routing is in place and there is proper route from the 192.168.2.0/24 to the 100.110.10.0/24 network. Make sure you can ping end to end.

 

Step by Step Configuration (R1)

Deny the flow that has to be dynamically allowed by the ACS server inbound on F0/0 on R1

ip access-list extended 153
10 deny icmp host 192.168.1.10 host 100.110.10.50
20 permit ip any any

 

interface f0/0
ip access-group 153 in

Configure aaa on the router - also protect the console

aaa new-model
aaa authentication login default group tacacs+
aaa authentication login FREE none
aaa authorization auth-proxy default group tacacs+
optional: aaa authentication login AUTH_PROXY group tacacs+

 

line con 0
login authentication FREE

Configure tacacs server

tacacs-server host 192.168.2.101 key cisco

 

Enable http server on R1 and configure authentication via aaa

ip http server
ip http authentication aaa

optional: ip http authentication aaa login-authentication AUTH_PROXY

 

Create auth-proxy instance to intercept interesting traffic

ip access-l ext AUTH-PROXY-ACL
10 permit tcp host 192.168.2.10 host 100.110.10.50 eq www log (log keyword is optional)
ip auth-proxy name AUTHP http list AUTH-PROXY-ACL

 

Finally apply auth-proxy to the interface (in this case F0/0 on R1)

 

interface FastEthernet0/0
ip auth-proxy AUTHP

Configure the ACS server

create R1 as a AAA client on the ACS server

R1-Client.jpg

create the user

user-setup.jpg

enable auth-proxy service (under the Interface configuration)

enable-auth-proxy-service.jpg

configure proxy acl under the group setup for the user (make sure the source is "any")

configure-auth-proxy-acl.jpg

Test from the Router R1

R1#test aaa group tacacs+ user-5.3 cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Test from the User PC

Authenticating via the browser

user-pc-auth.jpg

Auth result
auth-success.jpg

Verify the addition of dynamic ACL on the router

R1#sh access-l 153
Extended IP access list 153
      permit icmp host 192.168.2.10 host 100.110.10.50 (un-numbered dynamic acl added)
10 deny icmp host 192.168.1.10 host 100.110.10.50 log
20 permit ip any any (15 matches)

Final Configuration Section:

aaa authentication login default group tacacs+
aaa authentication login FREE none
aaa authorization auth-proxy default group tacacs+
!
ip auth-proxy name AUTHP http inactivity-time 60 list AUTH-PROXY-ACL
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
ip access-group 153 in
ip auth-proxy AUTHP
!
ip http server
ip http authentication aaa
!
access-list 153 deny   icmp host 192.168.2.10 host 100.110.10.50
access-list 153 permit ip any any
!
ip access-list extended AUTH-PROXY-ACL
permit tcp host 192.168.2.10 host 100.110.10.50 eq www log
!
line con 0
login authentication FREE

 

Debugs and show commands:


debug TACACS+ authentication
debug TACACS+ authorization
debug AAA Authentication
debug AAA Authorization

 

show access-list 153
show ip auth-proxy cache
clear ip auth-proxy cache *

 

Here are the outputs

debugs output:

    * Mar 13 10:58:49.969: %SEC-6-IPACCESSLOGP: list AUTH-PROXY-ACL permitted tcp 192.168.2.10(3254) -> 100.110.10.50(80), 1 packet
    * Mar 13 10:58:49.973: AAA: parse name=FastEthernet0/0 idb type=-1 tty=-1
    * Mar 13 10:58:49.973: AAA: name=FastEthernet0/0 flags=0x15 type=14 shelf=0 slot=0 adapter=0 port=0 channel=0
    * Mar 13 10:58:49.973: AAA: parse name=<no string> idb type=-1 tty=-1
    * Mar 13 10:58:49.973: AAA/MEMORY: create_user (0x49213158) user='NULL' ruser='NULL' ds0=0 port='FastEthernet0/0' rem_addr='192.168.2.10' authen_type=ASCII service=LOGIN priv=0 initial_task_id='0', vrf= (id=0)
    * Mar 13 10:58:49.973: AAA/AUTHEN/START (2787625091): port='FastEthernet0/0' list='default' action=LOGIN service=LOGIN
    * Mar 13 10:58:49.973: AAA/AUTHEN/START (2787625091): found list default
    * Mar 13 10:58:49.973: AAA/AUTHEN/START (2787625091): Method=tacacs+ (tacacs+)
    * Mar 13 10:58:49.977: TAC+: send AUTHEN/START packet ver=192 id=-1507342205
    * Mar 13 10:58:50.181: TAC+: ver=192 id=-1507342205 received AUTHEN status = GETUSER
    * Mar 13 10:58:50.181: AAA/AUTHEN(2787625091): Status=GETUSER
    * Mar 13 10:58:50.181: AAA/AUTHEN/CONT (2787625091): continue_login (user='(undef)')
    * Mar 13 10:58:50.181: AAA/AUTHEN(2787625091): Status=GETUSE
    * Mar 13 10:58:50.181: AAA/AUTHEN(2787625091): Method=tacacs+ (tacacs+)
    * Mar 13 10:58:50.181: TAC+: send AUTHEN/CONT packet id=-1507342205
    * Mar 13 10:58:50.381: TAC+: ver=192 id=-1507342205 received AUTHEN status = GETPASS
    * Mar 13 10:58:50.381: AAA/AUTHEN(2787625091): Status=GETPASS
    * Mar 13 10:58:50.381: AAA/AUTHEN/CONT (2787625091): continue_login (user='user-5.3')
    * Mar 13 10:58:50.381: AAA/AUTHEN(2787625091): Status=GETPASS
    * Mar 13 10:58:50.381: AAA/AUTHEN(2787625091): Method=tacacs+ (tacacs+)
    * Mar 13 10:58:50.381: TAC+: send AUTHEN/CONT packet id=-1507342205
    * Mar 13 10:58:50.581: TAC+: ver=192 id=-1507342205 received AUTHEN status = PASS
    * Mar 13 10:58:50.581: AAA/AUTHEN(2787625091): Status=PASS
    * Mar 13 10:58:50.581: FastEthernet0/0 AAA/AUTHOR/HTTP(1387380163): Port='FastEthernet0/0' list='default' service=AUTH-PROXY
    * Mar 13 10:58:50.581: AAA/AUTHOR/HTTP: FastEthernet0/0(1387380163) user='user-5.3'Mar 13 10:58:50.581: FastEthernet0/0 AAA/AUTHOR/HTTP(1387380163): send AV service=auth-proxy
    * Mar 13 10:58:50.581: FastEthernet0/0 AAA/AUTHOR/HTTP(1387380163): send AV cmd*
    * Mar 13 10:58:50.581: FastEthernet0/0 AAA/AUTHOR/HTTP(1387380163): found list "default"
    * Mar 13 10:58:50.581: FastEthernet0/0 AAA/AUTHOR/HTTP(1387380163): Method=tacacs+ (tacacs+)
    * Mar 13 10:58:50.581: AAA/AUTHOR/TAC+: (1387380163): user=user-5.3
    * Mar 13 10:58:50.581: AAA/AUTHOR/TAC+: (1387380163): send AV service=auth-proxy
    * Mar 13 10:58:50.581: AAA/AUTHOR/TAC+: (1387380163): send AV cmd*
    * Mar 13 10:58:50.785: TAC+: (1387380163): received author response status = PASS_ADD
    * Mar 13 10:58:50.785: AAA/AUTHOR (1387380163): Post authorization status = PASS_ADD

show command outputs:

 

R1#sh ip auth-proxy cache
Authentication Proxy Cache
Client Name user-5.3, Client IP 192.168.2.10, Port
3254, timeout 60, Time Remaining 60, state ESTAB

 

R1#sh access-l 153
Extended IP access list 153
    permit icmp host 192.168.2.10 host 100.110.10.50 (un-numbered dynamic acl added)
    10 deny icmp host 192.168.1.10 host 100.110.10.50 log
    20 permit ip any any (15 matches)

2559
Views
5
Helpful
0
Comments