May 31

Introduction

With Authentication Proxy, users log in to the network, or reach the Internet, through HTTP.
User profiles are obtained automatically from a TACACS+ server (Cisco Secure Access Control Server, CSACS), which we assume is already configured.
It is also assumed that the TACACS+ server sits on the same LAN as the clients and that a user with username and password is configured in the CSACS Default Group.

Configure AAA

To configure AAA, the steps are:

a. On the router, enter global configuration mode:
Router# configure terminal

b. Enable AAA:
Router(config)# aaa new-model

c. Specify the authentication method (we choose TACACS+; here you can list all the authentication methods that suit you, from local to RADIUS, and so on):
Router(config)# aaa authentication login default group tacacs+

d. Specify the authorization method for the authentication proxy (TACACS+ is the best choice here, for the excellent granularity it allows; the other possibility is RADIUS):
Router(config)# aaa authorization auth-proxy default group tacacs+

e. Define the TACACS+ server and its key (the key must match the one configured on the CSACS):
Router(config)# tacacs-server host XXX.XXX.XXX.XXX (IP address of the TACACS+ server)
Router(config)# tacacs-server key CHIAVESEGRETA (the key preset on the TACACS+ server and on this router; CHIAVESEGRETA is a placeholder for the shared secret)

Define the ACL allowing TACACS+ traffic

a. Define an ACL that permits traffic between the TACACS+ server and the router (internal interface), permits outbound ICMP, and permits the protocols that will be subject to context-based access control (CBAC), such as HTTP and FTP. IPADDRSTACACS, IPADDRSROUTER and IPRETEINTERNA WILDMASK are placeholders for the TACACS+ server address, the router's internal address, and the internal network with its wildcard mask:
Router(config)# access-list 101 permit tcp host IPADDRSTACACS eq tacacs host IPADDRSROUTER
Router(config)# access-list 101 permit icmp any any
Router(config)# access-list 101 permit tcp IPRETEINTERNA WILDMASK any eq ftp
Router(config)# access-list 101 permit tcp IPRETEINTERNA WILDMASK any eq www
Router(config)# access-list 101 deny ip any any (OK, not needed, since it is implicit, but it doesn't hurt)

b. We must now define an ACL for the external interface that blocks all incoming traffic (otherwise this is a weak firewall):
Router(config)# access-list 102 deny ip any any

Configuring Authentication Proxy

a. Define a rule for the authentication proxy:
Router(config)# ip auth-proxy name RULE http auth-cache-time 5

b. Apply the rule to the internal interface, the one from which users will authenticate; suppose it is FastEthernet 0/0:
Router(config)# interface fastethernet 0/0
Router(config-if)# ip auth-proxy RULE
Router(config-if)# ip access-group 101 in
Router(config-if)# exit

c. Apply the ACL to the external interface:
Router(config)# interface fastethernet 0/1
Router(config-if)# ip access-group 102 in

That's all. Access-list 102 is changed dynamically by the auth-proxy rule once the TACACS+ server returns an authorization profile.
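As an added example (not part of the original post, nor Cisco's code), the Python script below parses access-list lines in the numbered extended form used above and checks the two lists for the mistakes that most often break this setup: an ACE with its keywords out of order, which IOS would reject at paste time; a missing permit for the TACACS+ replies from the server to the router, without which nobody can be authenticated; entries shadowed by a deny ip any any placed too early; and a static permit on the external inbound ACL. The 192.0.2.x addresses and the sample lines are constructed for the example.

```python
"""Audit the two ACLs of an IOS auth-proxy setup before pasting them into the router.
Added example; the addresses below are constructed (RFC 5737 TEST-NET-1)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Numbered extended ACE: access-list N permit|deny proto src [eq port] dst [eq port]
ACE_RE = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>host\s+\S+|any|\S+\s+\S+)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Ace:
    num: str
    action: str
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]


def _valid_addr(spec: str) -> bool:
    """Accept 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; anything else is a typo."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return len(parts) == 2 and bool(IPV4_RE.match(parts[1]))
    return len(parts) == 2 and all(IPV4_RE.match(p) for p in parts)


def parse_ace(line: str) -> Optional[Ace]:
    """Return an Ace, or None when the line is not a well-formed ACE."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    ace = Ace(m["num"], m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    if not (_valid_addr(ace.src) and _valid_addr(ace.dst)):
        return None
    if ace.proto in ("ip", "icmp") and (ace.sport or ace.dport):
        return None  # 'eq' ports only make sense for tcp/udp
    return ace


def audit_inside_acl(lines: List[str], tacacs_ip: str, router_ip: str) -> List[str]:
    """Findings for the ACL applied inbound on the user-facing (auth-proxy) interface."""
    findings, aces = [], []
    for ln in lines:
        ace = parse_ace(ln)
        if ace is None:
            findings.append(f"unparseable ACE: {ln.strip()}")
        else:
            aces.append(ace)
    # TACACS+ answers come from the server's port 49 (keyword 'tacacs') to the router.
    if not any(a.action == "permit" and a.proto == "tcp" and a.src == f"host {tacacs_ip}"
               and a.sport == "tacacs" and a.dst == f"host {router_ip}" for a in aces):
        findings.append("missing permit for TACACS+ replies from server to router")
    # IOS evaluates ACEs top-down and stops at the first match: anything after
    # a 'deny ip any any' is never reached.
    for i, a in enumerate(aces):
        if a.action == "deny" and a.proto == "ip" and a.src == "any" and a.dst == "any":
            if i != len(aces) - 1:
                findings.append(f"{len(aces) - 1 - i} ACE(s) shadowed by 'deny ip any any'")
            break
    return findings


def audit_outside_acl(lines: List[str]) -> List[str]:
    """The external inbound ACL must deny everything statically; auth-proxy opens the holes."""
    findings = []
    aces = [parse_ace(ln) for ln in lines]
    if any(a is None for a in aces):
        findings.append("unparseable ACE present")
    if any(a and a.action == "permit" for a in aces):
        findings.append("static permit on the external inbound ACL lets unsolicited traffic in")
    if not any(a and a.action == "deny" and a.proto == "ip" and a.src == "any" and a.dst == "any"
               for a in aces):
        findings.append("missing final 'deny ip any any'")
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's ACL 101 with 192.0.2.10 as TACACS+ server,
    # 192.0.2.1 as the router's inside address and 192.0.2.0/24 as the LAN.
    inside = [
        "access-list 101 permit tcp host 192.0.2.10 eq tacacs host 192.0.2.1",
        "access-list 101 permit icmp any any",
        "access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq ftp",
        "access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq www",
        "access-list 101 deny ip any any",
    ]
    print("inside:", audit_inside_acl(inside, "192.0.2.10", "192.0.2.1") or "clean")
    print("outside:", audit_outside_acl(["access-list 102 deny ip any any"]) or "clean")
```

Run the script as-is to audit the constructed lists, or feed it the lines you are about to paste; a line such as `access-list 101 permit tcp eq ftp 192.0.2.0 0.0.0.255 any` (the keyword order of an easy-to-make typo) is reported as unparseable instead of being silently rejected by the router.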

Useful commands

a. To clear the authentication proxy cache:
Router# clear ip auth-proxy cache *

b. To verify the authentication proxy configuration:
Router# show ip auth-proxy cache
