Configuring Authentication Proxy

The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols. Authenticating and authorizing connections by users provides more robust protection against network attacks.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring Authentication Proxy

Prior to configuring authentication proxy, review the following:

  • For the authentication proxy to work properly, the client host must be running the following browser software:
    • Microsoft Internet Explorer 3.0 or later
    • Netscape Navigator 3.0 or later
  • The authentication proxy has an option to use standard access lists. You must have a solid understanding of how access lists are used to filter traffic before you attempt to configure the authentication proxy. For an overview of how to use access lists with the Cisco IOS Firewall, see the “Access Control Lists: Overview and Guidelines” module of the Security Configuration Guide: Access Control Lists publication.
  • The authentication proxy employs user authentication and authorization as implemented in the Cisco authentication, authorization, and accounting (AAA) paradigm. You must understand how to configure AAA before you configure the authentication proxy. For more information about user authentication, authorization, and accounting, see the Authentication, Authorization, and Accounting (AAA) Configuration Guide.
  • To run the authentication proxy successfully with Cisco IOS Firewall, configure Context-Based Access Control (CBAC) on the firewall. For more information about CBAC, see the “Configuring Context-Based Access Control” module of the Security Guide Publication: Context-Based Access Control Firewall.
  • Web servers reached through the proxy must be listening on the standard (well-known) HTTP port, port 80; the authentication proxy is triggered only by HTTP connections to that port.
  • Client browsers must enable JavaScript for secure authentication.

Restrictions for Configuring Authentication Proxy

  • The authentication proxy is triggered only on HTTP connections.
  • The authentication proxy access lists apply to traffic passing through the device. Traffic destined to the device is authenticated by the existing authentication methods provided by Cisco software.
  • The authentication proxy does not support concurrent usage; that is, if two users try to log in from the same host at the same time, authentication and authorization applies only to the user who first submits a valid username and password.
  • Load balancing using multiple or different AAA servers is not supported.

Information About Configuring Authentication Proxy

The Cisco IOS Firewall Authentication Proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access were associated with a user IP address, or a single security policy had to be applied to an entire user group or subnetwork. Now, users can be identified and authorized on the basis of their per-user policy. Tailoring of access privileges on an individual basis is possible, as opposed to applying a general policy across multiple users.

With the Authentication Proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a CiscoSecure ACS, or other RADIUS, or TACACS+ authentication server. The user profiles are active only when there is active traffic from the authenticated users.

The authentication proxy is compatible with other Cisco security features such as Network Address Translation (NAT), Context-Based Access Control (CBAC), IP Security (IPsec) encryption, and Cisco Secure VPN Client (VPN client) software.

How Authentication Proxy Works

When a user initiates an HTTP session through the firewall, the authentication proxy is triggered. The authentication proxy first checks to see if the user has been authenticated. If a valid authentication entry exists for the user, the connection is completed with no further intervention by the authentication proxy. If no entry exists, the authentication proxy responds to the HTTP connection request by prompting the user for a username and password.

The figure below illustrates the authentication proxy HTML login page.

Figure 1. Authentication Proxy Login Page

Users must successfully authenticate themselves with the authentication server by entering a valid username and password.

If the authentication succeeds, the user’s authorization profile is retrieved from the AAA server. The authentication proxy uses the information in this profile to create dynamic access control entries (ACEs) and add them to the inbound (input) access control list (ACL) of an input interface and to the outbound (output) ACL of an output interface, if an output ACL exists at the interface. This process enables the firewall to allow authenticated users access to the network as permitted by the authorization profile. For example, a user can initiate a Telnet connection through the firewall if Telnet is permitted in the user’s profile.

If the authentication fails, the authentication proxy reports the failure to the user and allows further login attempts. If the user fails to authenticate after five attempts, the user must wait two minutes and initiate another HTTP session to trigger the authentication proxy again.


Note: The number of login retries is configurable. The default number of retries is five.

The login page is refreshed each time the user makes requests to access information from a web server.

The authentication proxy customizes each of the access list entries in the user profile by replacing the source IP addresses in the downloaded access list with the source IP address of the authenticated host.

At the same time that dynamic ACEs are added to the interface configuration, the authentication proxy sends a message to the user confirming that the login was successful. The figure below illustrates the login status in the HTML page.

Figure 2. Authentication Proxy Login Status Message

The authentication proxy sets up an inactivity (idle) timer for each user profile. As long as there is activity through the firewall, new traffic initiated from the user’s host does not trigger the authentication proxy, and authorized user traffic is permitted access through the firewall.

If the idle timer expires, the authentication proxy removes the user’s profile information and dynamic access lists entries. When this happens, traffic from the client host is blocked. The user must initiate another HTTP connection to trigger the authentication proxy.

Secure Authentication

The authentication proxy uses JavaScript to help achieve secure authentication using the client browser. Secure authentication prevents a client from mistakenly submitting a username and password to a network web server other than the authentication proxy router.

Operation with JavaScript

Users should enable JavaScript on the browser prior to initiating an HTTP connection. With JavaScript enabled on the browser, secure authentication is done automatically, and the user sees the authentication message shown in the Authentication Proxy Login Status Message figure, in the How the Authentication Proxy Works module. The HTTP connection is completed automatically for the user.

Operation Without JavaScript

If the client browser does not support JavaScript, or if site security policy prevents users from enabling JavaScript, any login attempt generates a popup window with instructions for manually completing the connection. The figure below illustrates the authentication proxy login status message with JavaScript disabled on the browser.

Figure 3. Authentication Proxy Login Status Message with JavaScript Disabled

To close this window, click Close on the browser File menu.

After closing the popup window, the user should click Reload (Refresh for Internet Explorer) in the browser window in which the authentication login page is displayed. If the user’s last authentication attempt succeeds, clicking Reload brings up the web page the user is trying to retrieve. If the user’s last attempt fails, clicking Reload causes the authentication proxy to intercept the client HTTP traffic again, prompting the user with another login page that solicits the username and password.

If JavaScript is not enabled, it is strongly recommended that site administrators advise users of the correct procedure for closing the popup window as described in the section Establishing User Connections Without JavaScript.

Using Authentication Proxy

Unlike some Cisco IOS Firewall features that operate transparently to the user, the authentication proxy feature requires some user interaction on the client host. The table below describes the interaction of the authentication proxy with the client host.

Table 1 Authentication Proxy Interaction with the Client Host

Triggering on HTTP connections: If a user is not currently authenticated at the firewall router, any HTTP connection initiated by the user triggers the authentication proxy. If the user is already authenticated, the authentication proxy is transparent to the user.

Logging in using the login page: Triggering the authentication proxy generates an HTML-based login page. The user must enter a username and password to be authenticated with the AAA server. The Authentication Proxy Login Page figure, in the How the Authentication Proxy Works module, illustrates the authentication proxy login page.

Authenticating the user at the client: Following the login attempt, the authentication proxy action can vary depending on whether JavaScript is enabled in the browser. If JavaScript is enabled, and authentication is successful, the authentication proxy displays a message indicating the status of the authentication as shown in the Authentication Proxy Login Status Message figure, in the How the Authentication Proxy Works module. After the authentication status is displayed, the proxy automatically completes the HTTP connection.

If JavaScript is disabled, and authentication is successful, the authentication proxy generates a popup window with additional instructions for completing the connection. See the Authentication Proxy Login Status Message with JavaScript Disabled figure, in the Secure Authentication module.

If authentication is unsuccessful in any case, the user must log in again from the login page.

When to Use the Authentication Proxy

Here are examples of situations in which you might use the authentication proxy:

  • You want to manage access privileges on an individual (per-user) basis using the services provided by the authentication servers instead of configuring access control based on host IP address or global access policies. Authenticating and authorizing users from any host IP address also allows network administrators to configure host IP addresses using DHCP.
  • You want to authenticate and authorize local users before permitting access to intranet or Internet services or hosts through the firewall.
  • You want to authenticate and authorize remote users before permitting access to local services or hosts through the firewall.
  • You want to control access for specific extranet users. For example, you might want to authenticate and authorize the financial officer of a corporate partner with one set of access privileges while authorizing the technology officer for that same partner to use another set of access privileges.
  • You want to use the authentication proxy in conjunction with VPN client software to validate users and to assign specific access privileges.
  • You want to use the authentication proxy in conjunction with AAA accounting to generate “start” and “stop” accounting records that can be used for billing, security, or resource allocation purposes, thereby allowing administrators to track traffic from the authenticated hosts.

Applying Authentication Proxy

Apply the authentication proxy in the inbound direction at any interface on the router where you want per-user authentication and authorization. Applying the authentication proxy inbound at an interface causes it to intercept a user’s initial connection request before that request is subjected to any other processing by the firewall. If the user fails to gain authentication with the AAA server, the connection request is dropped.

How you apply the authentication proxy depends on your security policy. For example, you can block all traffic through an interface and enable the authentication proxy feature to require authentication and authorization for all user initiated HTTP connections. Users are authorized for services only after successful authentication with the AAA server.

The authentication proxy feature also allows you to use standard access lists to specify a host or group of hosts whose initial HTTP traffic triggers the proxy.

The figure below shows the authentication proxy applied at the LAN interface with all network users required to be authenticated upon the initial connection (all traffic is blocked at each interface).

Figure 4. Applying the Authentication Proxy at the Local Interface

The figure below shows the authentication proxy applied at the dial-in interface with all network traffic blocked at each interface.

Figure 5. Applying the Authentication Proxy at an Outside Interface

Operation with One-Time Passwords

Given a one-time password, the user enters the username and one-time password in the HTML login page as usual.

The user must enter the correct token password within the first three attempts. After three incorrect entries, the user must enter two valid token passwords in succession before authentication is granted by the AAA server.

Compatibility with Other Security Features

The authentication proxy is compatible with Cisco software and with Cisco security features:

  • Cisco IOS Firewall Intrusion Detection System (IDS)
  • NAT
  • CBAC
  • IPsec encryption
  • VPN client software

The authentication proxy works transparently with the Cisco IOS Firewall IDS and IPsec encryption features.

NAT Compatibility

The authentication proxy feature is compatible with NAT only if the ACL and authentication are completed prior to the NAT translation. Although NAT is compatible with the authentication proxy feature, NAT is not a requirement of the feature.

CBAC Compatibility

Although authentication proxy is compatible with CBAC security functions, CBAC is not required to use the authentication proxy feature.

Authentication proxy’s authorization returns access control entries (ACEs) that are dynamically prepended into a manually created ACL. Thereafter, apply the ACL to the “protected side” inbound interface, allowing or disallowing an authorized user’s source IP address access to the remote networks.

VPN Client Compatibility

Using the authentication proxy, network administrators can apply an extra layer of security and access control for VPN client traffic. If a VPN client initiates an HTTP connection, the authentication proxy first checks for prior client authentication. If the client is authenticated, authorized traffic is permitted. If the client is not authenticated, the HTTP request triggers the authentication proxy, and the user is prompted for a username and password.

If the user authentication is successful, the authentication proxy retrieves the user profile from the AAA server. The source address in the user profile entries is replaced with the IP address of the authenticated VPN client from the decrypted packet.

Compatibility with AAA Accounting

Using the authentication proxy, you can generate “start” and “stop” accounting records with enough information to be used for billing and security auditing purposes. Thus, you can monitor the actions of authenticated hosts that use the authentication proxy service.

When an authentication proxy cache and associated dynamic access control lists are created, the authentication proxy will start to track the traffic from the authenticated host. Accounting saves data about this event in a data structure stored with the data of other users. If the accounting start option is enabled, you can generate an accounting record (a “start” record) at this time. Subsequent traffic from the authenticated host will be recorded when the dynamic ACL created by the authentication proxy receives the packets.

When an authentication proxy cache expires and is deleted, additional data, such as elapsed time, is added to the accounting information and a “stop” record is sent to the server. At this point, the information is deleted from the data structure.

The accounting records for the authentication proxy user session are related to the cache and the dynamic ACL usage.


Note: The accounting records must include RADIUS attributes 42 (Acct-Input-Octets), 46 (Acct-Session-Time), and 47 (Acct-Input-Packets) for both RADIUS and TACACS+.

For more information on RADIUS attributes, see the RADIUS Attributes Configuration Guide.

Protection Against Denial-of-Service Attacks

The authentication proxy monitors the number of incoming HTTP requests that are waiting for a login. For each such request, the authentication proxy prompts the user for login credentials. A high number of open requests could indicate that the router is the subject of a denial-of-service (DoS) attack. The authentication proxy caps the number of open requests and drops additional requests until the number of open requests has fallen below 40.

If the firewall is experiencing a high level of connection requests requiring authentication, legitimate network users may experience delays when making connections, or the connection may be rejected and the user must try the connection again.

Risk of Spoofing with Authentication Proxy

When the authentication proxy is triggered, it creates a dynamic opening in the firewall by temporarily reconfiguring an interface with user access privileges. While this opening exists, another host might spoof the authenticated user’s address to gain access behind the firewall. The authentication proxy does not cause the address spoofing problem; the problem is only identified here as a matter of concern to the user. Spoofing is a problem inherent to all access lists, and the authentication proxy does not specifically address it. The usual anti-spoofing controls on the interface where the proxy is applied (ingress filtering of source addresses, unicast RPF) and a short idle timeout, which bounds how long the opening persists, limit the exposure.

Comparison with the Lock-and-Key Feature

Lock-and-key is another Cisco IOS Firewall feature that uses authentication and dynamic access lists to provide user access through the firewall. The table below compares the authentication proxy and lock-and-key features.

Table 2 Comparison of the Authentication Proxy and Lock-and-Key Features

  • Trigger: lock-and-key triggers on Telnet connection requests; the authentication proxy triggers on HTTP connection requests.
  • Authentication: lock-and-key uses TACACS+, RADIUS, or local authentication; the authentication proxy uses TACACS+ or RADIUS authentication and authorization.
  • Access list source: lock-and-key access lists are configured on the router only; authentication proxy access lists are retrieved from the AAA server only.
  • Basis for access privileges: lock-and-key grants privileges on the basis of the user’s host IP address; the authentication proxy grants privileges on a per-user and host IP address basis.
  • Access list entries: lock-and-key access lists are limited to one entry for each host IP address; authentication proxy access lists can have multiple entries as defined by the user profiles on the AAA server.
  • Host addressing: lock-and-key associates a fixed IP address with a specific user, who must log in from the host with that IP address; the authentication proxy allows DHCP-based host IP addresses, so users can log in from any host location and obtain authentication and authorization.

Use the authentication proxy in any network environment that provides a per-user security policy. Use lock-and-key in network environments that might benefit from local authentication and a limited number of router-based access control policies based on host addresses. Use lock-and-key in environments not using the Cisco Secure Integrated Software.

AAA Fail Policy

The AAA fail policy is a method for allowing a user to connect or to remain connected to the network if the AAA server is not available. If the AAA server cannot be reached when web-based authentication of a client is needed, instead of rejecting the user (that is, not providing the access to the network), an administrator can configure a default AAA fail policy that can be applied to the user.

This policy is advantageous for the following reasons:

  • While AAA is unavailable, the user will still have connectivity to the network, although access may be restricted.
  • When the AAA server is again available, a user can be revalidated and the user's normal access policies can be downloaded from the AAA server.

Note: When the AAA server is down, the AAA fail policy is applied only if there is no existing policy associated with the user. Typically, if the AAA server is unavailable when a user session requires reauthentication, the policies currently in effect for the user are retained.

While the AAA fail policy is in effect, the session state is maintained as AAA Down.

Customization of the Authentication Proxy Web Pages

The router's internal HTTP server hosts four HTML pages for delivery to an authenticating client during the web-based authentication process. The four pages allow the server to notify the user of the following four states of the authentication process:

  • Login—The user's credentials are requested
  • Success—The login was successful
  • Fail—The login has failed
  • Expire—The login session has expired due to excessive login failures

You can substitute your custom HTML pages for the four default internal HTML pages, or you can specify a URL to which the user will be redirected upon successful authentication, effectively replacing the internal Success page.

How to Configure Authentication Proxy

Configuring AAA

You must configure the authentication proxy for AAA services. To enable authorization and define the authorization methods, complete the following steps:

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    aaa new-model

    4.    aaa authentication login default method1 [method2...]

    5.    aaa authorization auth-proxy default method1 [method2...]

    6.    aaa accounting auth-proxy default start-stop group tacacs+

    7.    tacacs-server host hostname

    8.    tacacs-server key key

    9.    access-list access-list-number permit tcp host aaa-server-address eq tacacs host device-address


DETAILED STEPS
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 aaa new-model


    Example:
    Device(config)# aaa new-model
     

    Enables the AAA functionality on the device.

     
    Step 4 aaa authentication login default method1 [method2...]


    Example:
    Device(config)# aaa authentication login default TACACS+ RADIUS
     

    Defines the list of authentication methods at login.

     
    Step 5 aaa authorization auth-proxy default method1 [method2...]


    Example:
    Device(config)# aaa authorization auth-proxy default group tacacs+
     

    Defines the authorization method list for the authentication proxy. The auth-proxy keyword names the service whose per-user profiles (the proxyacl#n entries) are downloaded from the AAA server after a successful login; the method list says which server group supplies them.

     
    Step 6 aaa accounting auth-proxy default start-stop group tacacs+


    Example:
    Device(config)# aaa accounting auth-proxy default start-stop group tacacs+
     

    Activates start-stop accounting for authentication proxy sessions through the TACACS+ server group. A “start” record is generated when a user’s cache entry and dynamic ACEs are created, and a “stop” record when the entry expires (see the Compatibility with AAA Accounting section). Use group radius for a RADIUS server.

     
    Step 7 tacacs-server host hostname


    Example:
    Device(config)# tacacs-server host host1
     

    Specifies the TACACS+ server. For RADIUS servers, use the radius-server host command.

     
    Step 8 tacacs-server key key


    Example:
    Device(config)# tacacs-server key key1
     

    Sets the authentication and encryption key for communications between the device and the TACACS+ server. For RADIUS servers, use the radius-server key command. Use a long, random shared secret; the key is shared with every device that authenticates to the same server.

     
    Step 9 access-list access-list-number permit tcp host aaa-server-address eq tacacs host device-address


    Example:
    Device(config)# access-list 105 permit tcp host 10.0.0.2 eq tacacs host 192.168.1.1
     

    Creates an ACL entry that allows the AAA server to return traffic to the firewall; add it to the ACL applied inbound on the interface facing the AAA server. TACACS+ uses TCP port 49 (the tacacs keyword); for a RADIUS server, permit UDP ports 1812 and 1813 (1645 and 1646 on older servers) instead. The addresses in the example are placeholders.

     
    What to Do Next

    In addition to configuring AAA on the firewall device, the authentication proxy requires a per-user access profile configuration on the AAA server. To support the authentication proxy, configure the AAA authorization service auth-proxy on the AAA server as outlined below.

    Define a separate section of authorization for the auth-proxy keyword to specify the downloadable user profiles. This keyword does not interfere with other types of services, such as EXEC.

    The following example shows a user profile on a TACACS+ server (the key and the cleartext password are placeholders from the example, not values to deploy):

    default authorization = permit
    key = cisco
    user = newuser1 {
    login = cleartext cisco
    service = auth-proxy
    {
    priv-lvl=15
    proxyacl#1="permit tcp any any eq 26"
    proxyacl#2="permit icmp any host 10.0.0.2"
    proxyacl#3="permit tcp any any eq ftp"
    proxyacl#4="permit tcp any any eq ftp-data"
    proxyacl#5="permit tcp any any eq smtp"
    proxyacl#6="permit tcp any any eq telnet"
    }
    }

    Note the following points:

    • The only supported attribute in the AAA server user configuration is proxyacl#n. Use the proxyacl#n attribute when configuring the access lists in the profile. The attribute proxyacl#n is for both RADIUS and TACACS+ attribute-value (AV) pairs.
    • The privilege level must be set to 15 for all users.
    • The access lists in the user profile on the AAA server must have access commands that contain only the permit keyword.
    • Set the source address to the any keyword in each of the user profile access list entries. The source address in the access lists is replaced with the source address of the host making the authentication proxy request when the user profile is downloaded to the firewall.
    • Only the source address is substituted, so keep the destinations and ports in each entry as narrow as the user’s role allows; an entry such as permit ip any any gives the authenticated host unrestricted access through the firewall for as long as its cache entry exists.
    • The supported AAA servers are:
      • CiscoSecure ACS 2.1.x for Windows NT
      • CiscoSecure ACS 2.3 for Windows NT
      • CiscoSecure ACS 2.2.4 for UNIX
      • CiscoSecure ACS 2.3 for UNIX
      • TACACS+ server (vF4.02.alpha)
      • Ascend RADIUS server radius-980618 (required attribute-value pair patch)
      • Livingston RADIUS server (v1.16)


    Configuring the HTTP Server for Authentication Proxy

    This task is used to enable the HTTP server on the firewall and configure the HTTP server’s AAA authentication method for authentication proxy.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    ip http server

      4.    ip http access-class access-list-number


    DETAILED STEPS
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 ip http server


      Example:
      Device(config)# ip http server
       

      Enables the HTTP server on the device.

       
      Step 4 ip http access-class access-list-number


      Example:
      Device(config)# ip http access-class 20
       

      Restricts access to the device’s HTTP server to the hosts permitted by the standard access list. The list must permit the client hosts that will be served the authentication proxy login page.

       

      Configuring the Authentication Proxy

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    ip auth-proxy auth-cache-time min

        4.    ip auth-proxy auth-proxy-banner

        5.    ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list {acl | acl-name}]

        6.    interface type number

        7.    ip auth-proxy auth-proxy-name


      DETAILED STEPS
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 ip auth-proxy auth-cache-time min


        Example:
        Device(config)# ip auth-proxy auth-cache-time 5
         

        (Optional) Sets the global authentication proxy idle timeout value in minutes.

         
        Step 4 ip auth-proxy auth-proxy-banner


        Example:
        Device(config)# ip auth-proxy auth-proxy-banner
         

        (Optional) Displays the name of the firewall router in the authentication proxy login page. The banner is disabled by default.

         
        Step 5 ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list {acl | acl-name}]


        Example:
        Device(config)# ip auth-proxy name HQ_users http
         

        Creates a named authentication proxy rule for HTTP. The optional auth-cache-time overrides the global idle timeout for this rule. The optional list keyword restricts the rule to hosts matched by a standard access list (numbered or named); without it, HTTP traffic from every host arriving on the interface is subject to the rule.

         
        Step 6 interface type number


        Example:
        Device(config)# interface Ethernet0/0
         

        Enters interface configuration mode by specifying the interface type and number on which to apply the authentication proxy.

         
        Step 7 ip auth-proxy auth-proxy-name


        Example:
        Device(config-if)# ip auth-proxy HQ_users
         

        Applies the named authentication proxy rule at the interface.

         

        Verifying Authentication Proxy

        Checking the Authentication Proxy Configuration

        SUMMARY STEPS

          1.    enable

          2.    show ip auth-proxy configuration


        DETAILED STEPS
           Command or Action | Purpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.
           
          Step 2 show ip auth-proxy configuration


          Example:
          Device# show ip auth-proxy configuration
           

          Displays the authentication proxy configuration.

           
          Example: Checking the Authentication Proxy Configuration

          In the following example, the global authentication proxy idle timeout value is set to 60 minutes, the named authentication proxy rule is “pxy”, and the idle timeout value for this named rule is one minute. The display shows that no host list is specified, meaning that all connections initiating HTTP traffic at the interface are subject to the authentication proxy rule.

          Device# show ip auth-proxy configuration
          
          Authentication cache time is 60 minutes
          Authentication Proxy Rule Configuration
          Auth-proxy name pxy
          http list not specified auth-cache-time 1 minutes
          

          Displaying the User Authentication Entries

          SUMMARY STEPS

            1.    enable

            2.    show ip auth-proxy cache


          DETAILED STEPS
             Command or Action | Purpose
            Step 1 enable


            Example:
            Device> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.
             
            Step 2 show ip auth-proxy cache


            Example:
            Device# show ip auth-proxy cache
             

            Displays the list of user authentication entries.

             
            Example: Displaying the User Authentication Entries

            The authentication proxy cache lists the host IP address, the source port number, the timeout value for the authentication proxy, and the state of the connection. If the authentication proxy state is HTTP_ESTAB, the user authentication was successful.

            Device# show ip auth-proxy cache
            
            Authentication Proxy Cache
             Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB
            

            Wait for one minute, which is the timeout value for this named rule, and ask the user to try the connection again. After one minute, the user connection is denied because the authentication proxy has removed the user’s authentication entry and any associated dynamic ACLs. The user is presented with a new authentication login page and must log in again to gain access through the firewall.

            Establishing User Connections with JavaScript

            To establish user connections using the authentication proxy with JavaScript enabled on the client browser, follow this procedure.

            SUMMARY STEPS

              1.    From a client host, initiate an HTTP connection through the firewall. This generates the authentication proxy login page.

              2.    At the authentication proxy login page, enter a username and password.

              3.    Click OK to submit the username and password to the AAA server.


            DETAILED STEPS
              Step 1   From a client host, initiate an HTTP connection through the firewall. This generates the authentication proxy login page.
              Step 2   At the authentication proxy login page, enter a username and password.
              Step 3   Click OK to submit the username and password to the AAA server.

              A popup window appears indicating whether the login attempt succeeded or failed. If the authentication is successful, the connection is completed automatically. If the authentication fails, the authentication proxy reports the failure to the user and prompts the user with multiple retries.


              What to Do Next


              Note


              If the authentication attempt is unsuccessful after five attempts, the user must wait two minutes and initiate another HTTP session to trigger authentication proxy.


              Establishing User Connections Without JavaScript

              To ensure secure authentication, the authentication proxy design requires JavaScript. You can use the authentication proxy without enabling JavaScript on the browser, but this poses a potential security risk if users do not properly establish network connections. The following procedure provides the steps to properly establish a connection with JavaScript disabled. Network administrators are strongly advised to instruct users on how to properly establish connections using the procedure in this section.


              Note


              Failure to follow this procedure can cause user credentials to be passed to a network web server other than the authentication proxy or can cause the authentication proxy to reject the login attempt.


              To verify client connections using the authentication proxy when JavaScript is not enabled on the client browser, follow this procedure:

              SUMMARY STEPS

                1.    Initiate an HTTP connection through the firewall.

                2.    From the authentication proxy login page at the client, enter the username and password.

                3.    Click OK to submit the username and password to the AAA server.

                4.    If the popup window displays a failed authentication message, click Close on the browser File menu.

                5.    From the original authentication login page, click Reload (Refresh for Internet Explorer) on the browser toolbar. The user login credentials are cleared from the form.

                6.    Enter the username and password again.

                7.    Click Close on the browser File menu.

                8.    From the original authentication proxy login page, click Reload (Refresh for Internet Explorer) on the browser toolbar.


              DETAILED STEPS
                Step 1   Initiate an HTTP connection through the firewall.

                This generates the authentication proxy login page.

                Step 2   From the authentication proxy login page at the client, enter the username and password.
                Step 3   Click OK to submit the username and password to the AAA server.

                A popup window appears indicating whether the login attempt succeeded or failed. If the popup window indicates successful authentication, go to Step 7.

                Step 4   If the popup window displays a failed authentication message, click Close on the browser File menu.
                Note   

                Do not click Reload (Refresh for Internet Explorer) to close the popup window.

                Step 5   From the original authentication login page, click Reload (Refresh for Internet Explorer) on the browser toolbar. The user login credentials are cleared from the form.
                Note   

                Do not click OK. You must click Reload or Refresh to clear the username and password and to reload the form before attempting to log in again.

                Step 6   Enter the username and password again.

                If the authentication is successful, a window appears displaying a successful authentication message. If the window displays a failed authentication message, go to Step 4.

                Step 7   Click Close on the browser File menu.
                Step 8   From the original authentication proxy login page, click Reload (Refresh for Internet Explorer) on the browser toolbar.

                The authentication proxy completes the authenticated connection with the web server.


                Monitoring and Maintaining Authentication Proxy

                Displaying Dynamic ACL Entries

                You can display dynamic access list entries when they are in use. After an authentication proxy entry is cleared by you or by the idle timeout parameter, you can no longer display it. The number of matches displayed indicates the number of times the access list entry was hit.

                To view dynamic access lists and any temporary access list entries that are currently established by the authentication proxy, complete the following steps.

                SUMMARY STEPS

                  1.    enable

                  2.    show ip access-lists


                DETAILED STEPS
                   Command or Action | Purpose
                  Step 1 enable


                  Example:
                  Device> enable
                   

                  Enables privileged EXEC mode.

                  • Enter your password if prompted.
                   
                  Step 2 show ip access-lists


                  Example:
                  Device# show ip access-lists
                   

                  Displays the standard and extended access lists configured on the firewall, including dynamic ACL entries.

                   

                  Example: Displaying Dynamic ACL Entries

                  Consider the following example, where ACL 105 is applied inbound at the input interface on which you configure the authentication proxy. The initial display shows the contents of the ACL prior to authentication. The second display shows the same ACL after user authentication with the AAA server.


                  Note


                  If NAT is configured, the show ip access-lists command might display the translated host IP address for the dynamic ACL entry or the IP address of the host initiating the connection. If the ACL is applied on the NAT outside interface, the translated address is displayed. If the ACL is applied on the NAT inside interface, the IP address of the host initiating the connection is displayed. The show ip auth-proxy cache command always displays the IP address of the host initiating the connection.


                  For example, the following is a list of ACL entries prior to the authentication proxy:

                  Device# show ip access-lists
                      .
                      .
                      .
                  Extended IP access list 105
                   deny tcp any any eq telnet
                   deny udp any any
                   permit tcp any any (28 matches)
                   permit ip any any
                  

                  The following sample output shows a list of ACL entries following user authentication:

                  Device# show ip access-lists
                      .
                      .
                      .
                  Extended IP access list 105
                  ! The ACL entries following user authentication are shown below.
                   permit tcp host 192.168.25.215 any eq 26
                   permit icmp host 192.168.25.215 host 10.0.0.2
                   permit tcp host 192.168.25.215 any eq telnet
                   permit tcp host 192.168.25.215 any eq ftp
                   permit tcp host 192.168.25.215 any eq ftp-data
                   permit tcp host 192.168.25.215 any eq smtp
                   deny tcp any any eq telnet
                   deny udp any any
                   permit tcp any any (76 matches)
                   permit ip any any
                  
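The two displays above, `show ip auth-proxy cache` and `show ip access-lists`, are meant to agree: every host-specific entry the authentication proxy inserted should belong to a host whose cache entry is in state HTTP_ESTAB, and once the idle timeout removes the cache entry the dynamic ACL entries go with it. The following Python script is an added example, not part of this Cisco module, that parses both displays (the sample output is constructed inline in the shape shown above, with one extra host added to exercise the check) and lists host entries that have no established cache entry. Because a static host-sourced ACE would also be reported, treat the list as a review aid rather than proof of a fault.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample output in the shape of the "show ip auth-proxy cache"
# display in this module: one established host, one still at the login page.
CACHE_OUTPUT = """\
Authentication Proxy Cache
 Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB
 Client IP 192.168.25.216 Port 51002, timeout 1, state HTTP_INIT
"""

# Constructed sample "show ip access-lists" output in the shape of the
# post-authentication display for ACL 105; the .217 entry is a stray host
# entry with no matching cache entry, added to exercise the orphan check.
ACL_OUTPUT = """\
Extended IP access list 105
 permit tcp host 192.168.25.215 any eq 26
 permit icmp host 192.168.25.215 host 10.0.0.2
 permit tcp host 192.168.25.215 any eq telnet (3 matches)
 permit tcp host 192.168.25.217 any eq ftp
 deny tcp any any eq telnet
 deny udp any any
 permit tcp any any (76 matches)
 permit ip any any
"""

CACHE_RE = re.compile(r"Client IP (\S+) Port (\d+), timeout (\d+), state (\S+)")
ACL_HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
# An ACE whose source is a single host: the shape the authentication proxy
# inserts for an authenticated user. The optional trailing group captures the
# "(N matches)" hit counter the device appends to entries that were hit.
HOST_ACE_RE = re.compile(
    r"^\s*(permit|deny)\s+(\S+)\s+host\s+(\d+\.\d+\.\d+\.\d+)\s+(.*?)"
    r"(?:\s+\((\d+) matches\))?\s*$"
)


@dataclass
class CacheEntry:
    client_ip: str
    port: int
    timeout_min: int
    state: str


@dataclass
class HostAce:
    acl: str
    action: str
    protocol: str
    source_host: str
    rest: str       # destination and port qualifiers, as written
    matches: int    # hit count shown by the device, 0 if none shown


def parse_cache(text: str) -> list[CacheEntry]:
    """Parse 'show ip auth-proxy cache' output into entries."""
    out = []
    for line in text.splitlines():
        m = CACHE_RE.search(line)
        if m:
            out.append(CacheEntry(m.group(1), int(m.group(2)),
                                  int(m.group(3)), m.group(4)))
    return out


def parse_host_aces(text: str) -> list[HostAce]:
    """Parse 'show ip access-lists' output, keeping only host-sourced ACEs."""
    out, acl = [], None
    for line in text.splitlines():
        h = ACL_HEADER_RE.match(line)
        if h:
            acl = h.group(1)
            continue
        m = HOST_ACE_RE.match(line)
        if m and acl is not None:
            out.append(HostAce(acl, m.group(1), m.group(2), m.group(3),
                               m.group(4).strip(), int(m.group(5) or 0)))
    return out


def established_hosts(entries: list[CacheEntry]) -> set[str]:
    """Hosts whose login succeeded: only HTTP_ESTAB counts as authenticated."""
    return {e.client_ip for e in entries if e.state == "HTTP_ESTAB"}


def audit(cache_text: str, acl_text: str) -> tuple[list[str], list[HostAce]]:
    """Cross-check the two displays. Returns (hosts that have host ACEs and an
    established cache entry, host ACEs whose source has no HTTP_ESTAB entry)."""
    established = established_hosts(parse_cache(cache_text))
    aces = parse_host_aces(acl_text)
    covered = sorted({a.source_host for a in aces} & established)
    orphans = [a for a in aces if a.source_host not in established]
    return covered, orphans


if __name__ == "__main__":
    covered, orphans = audit(CACHE_OUTPUT, ACL_OUTPUT)
    print("authenticated hosts with dynamic ACEs:", covered)
    for a in orphans:
        print(f"review: ACL {a.acl} host ACE for {a.source_host} "
              f"({a.action} {a.protocol} {a.rest}) has no HTTP_ESTAB cache entry")
```

Feed the script the real output of the two commands (pasted from the device or collected over SSH) in place of the constructed strings; the NAT note above applies, so when the ACL sits on a NAT outside interface the addresses in the two displays will differ and must be mapped before comparison.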

                  Deleting Authentication Proxy Cache Entries

                  When the authentication proxy is in use, dynamic access lists dynamically grow and shrink as authentication proxy cache entries are added and deleted. To manually delete an authentication proxy cache entry, complete the following steps.

                  SUMMARY STEPS

                    1.    enable

                    2.    clear ip auth-proxy cache {* | host-ip-address}


                  DETAILED STEPS
                     Command or Action | Purpose
                    Step 1 enable


                    Example:
                    Device> enable
                     

                    Enables privileged EXEC mode.

                    • Enter your password if prompted.
                     
                    Step 2 clear ip auth-proxy cache {* | host-ip-address}


                    Example:
                    Device# clear ip auth-proxy cache *
                     

                    Deletes authentication proxy entries from the firewall before they time out. Enter an asterisk to delete all authentication cache entries. Enter a specific IP address to delete an entry for a single host.

                     

                    Configuration Examples for Authentication Proxy

                    Example: Authentication Proxy Configuration

                    The following examples highlight the specific authentication proxy configuration entries. These examples do not represent a complete configuration. Complete configurations using the authentication proxy are included later in this module.

                    Example: AAA Configuration

                    ! Enable the AAA new model.
                    aaa new-model
                    ! Authenticate logins against the TACACS+ and RADIUS server groups.
                    aaa authentication login default group tacacs+ group radius
                    ! Set up the aaa new model to use the authentication proxy.
                    aaa authorization auth-proxy default group tacacs+ group radius
                    ! Set up authentication proxy with accounting.
                    aaa accounting auth-proxy default start-stop group tacacs+
                    ! Define the AAA servers used by the router.
                    tacacs-server host 172.31.54.143
                    tacacs-server key cisco
                    radius-server host 172.31.54.143
                    radius-server key cisco

                    Example: HTTP Server Configuration

                    ! Enable the HTTP server on the router.
                    ip http server
                    ! Set the HTTP server authentication method to AAA.
                    ip http authentication aaa
                    ! Define standard access list 61 to deny any host.
                    access-list 61 deny any 
                    ! Use ACL 61 to deny connections from any host to the HTTP server.
                    ip http access-class 61

                    Example: Authentication Proxy Configuration

                    ! Set the global authentication proxy timeout value.
                    ip auth-proxy auth-cache-time 60
                    ! Apply a name to the authentication proxy configuration rule.
                    ip auth-proxy name HQ_users http

                    Example: Interface Configuration

                    ! Apply the authentication proxy rule at an interface.
                    interface ethernet0 
                    ip address 10.1.1.210 255.255.255.0
                    ip auth-proxy HQ_users

                    Example: Authentication Proxy, IPsec, and CBAC Configuration

                    The following example shows a configuration with the authentication proxy, IPsec, and CBAC features enabled. The figure below illustrates the configuration.

                    Figure 6. Authentication Proxy, IPsec, and CBAC Configuration Example

                    In this example, Host A initiates an HTTP connection with the web server (WWW). The HTTP traffic between Device 1 and Device 2 is encrypted using IPsec. The authentication proxy, IPsec, and CBAC are configured at Serial interface 0 on Device 2, which is acting as the firewall. ACL 105 blocks all traffic at interface Serial0. ACL 102 is applied at Ethernet interface 0 on Device 2 to block all traffic on that interface except traffic from the AAA server.

                    When Host A initiates an HTTP connection with the web server, the authentication proxy prompts the user at Host A for a username and password. These credentials are verified with the AAA server for authentication and authorization. If authentication is successful, the per-user ACLs are downloaded to the firewall to permit services.

                    Example: Device 1 Configuration

                    ! Configure Device 1 for IPSec.
                    version 12.0
                    service timestamps debug uptime
                    service timestamps log uptime
                    no service password-encryption
                    !
                    hostname Device1
                    !
                    logging buffered 4096 debugging
                    no logging console
                    enable secret 5 $1$E0OB$AQF1vFZM3fLr3LQAOsudL/
                    enable password junk
                    !
                    username Device2 password 0 welcome
                    crypto isakmp policy 1
                     authentication pre-share
                    crypto isakmp key cisco1234 address 10.0.0.2       
                    !
                    crypto ipsec transform-set rule_1 ah-sha-hmac esp-des esp-sha-hmac 
                    !
                    !
                     crypto map testtag 10 ipsec-isakmp   
                     set peer 10.0.0.2
                     set transform-set rule_1 
                     match address 155
                    !
                    interface Ethernet0/0
                     ip address 192.168.23.2 255.255.255.0
                     no ip directed-broadcast
                     no ip route-cache
                     no ip mroute-cache
                    !
                    interface Serial3/1
                     ip address 10.0.0.1 255.0.0.0
                     no ip directed-broadcast
                     encapsulation PPP
                     ip route-cache
                     no ip mroute-cache
                     no keepalive
                     no fair-queue
                     clockrate 56000
                     crypto map testtag
                    !
                    !
                    ip classless
                    ip route 192.168.123.0 255.255.255.0 10.0.0.2
                    ! Identify the IPSec specific traffic.
                    access-list 155 permit tcp host 192.168.23.13 host 192.168.123.14 eq www
                    access-list 155 permit tcp host 192.168.23.13 eq www host 192.168.123.14

                    Example: Device 2 Configuration

                    ! Configure Device 2 as the firewall, using the authentication proxy, IPSec, and CBAC.
                    version 12.0
                    service timestamps debug uptime
                    service timestamps log uptime
                    no service password-encryption
                    !
                    hostname Device2
                    !
                    logging buffered 4096 debugging
                    aaa new-model
                    aaa authentication login default group tacacs+
                    aaa authentication login console_line none
                    aaa authentication login special none
                    aaa authentication ppp default group tacacs+
                    aaa authorization exec default group tacacs+
                    ! Configure AAA for the authentication proxy.
                    aaa authorization auth-proxy default group tacacs+
                    enable password junk
                    !
                    ! Create the CBAC inspection rule rule22.
                    ip inspect name rule22 http
                    ip inspect name rule22 tcp
                    ip inspect name rule22 ftp
                    ip inspect name rule22 smtp
                    !
                    ! Create the authentication proxy rule pxy.
                    ip auth-proxy name pxy http
                    ! Turn on display of the device name in the authentication proxy login page.
                    ip auth-proxy auth-proxy-banner
                    ip audit notify log
                    ip audit po max-events 100
                    !
                    ! Configure IPSec.
                    crypto isakmp policy 1
                     authentication pre-share
                    crypto isakmp key cisco1234 address 10.0.0.1       
                    !
                    crypto ipsec transform-set rule_1 ah-sha-hmac esp-des esp-sha-hmac 
                    !
                     crypto map testtag 10 ipsec-isakmp   
                     set peer 10.0.0.1
                     set transform-set rule_1 
                     match address 155
                    !
                    ! Apply the CBAC inspection rule and the authentication proxy rule at serial interface 0/0
                    ! 
                    interface Serial0/0
                     ip address 10.0.0.2 255.0.0.0
                     ip access-group 105 in
                     no ip directed-broadcast
                     ip inspect rule22 in
                     ip auth-proxy pxy
                     encapsulation ppp
                     no ip route-cache
                     no ip mroute-cache
                     no keepalive
                     no fair-queue
                     crypto map testtag
                    !
                    interface Ethernet0/1
                     ip address 192.168.123.2 255.255.255.0
                     ip access-group 102 in
                     no ip directed-broadcast
                     ip route-cache
                     no ip mroute-cache
                    !
                    no ip classless
                    ip route 192.168.23.0 255.255.255.0 10.0.0.1
                    ip route 192.168.50.0 255.255.255.0 16.0.0.1
                    ! Configure the HTTP server.
                    ip http server
                    ip http access-class 15
                    ip http authentication aaa
                    !
                    ! Create ACL 15 to block all traffic for the http server.
                    access-list 15 deny any
                    ! Create ACL 102 to block all traffic inbound on Ethernet interface 0/1 except for 
                    ! traffic from the AAA server.
                    access-list 102 permit tcp host 192.168.123.20 eq tacacs host 192.168.123.2
                    access-list 102 deny   tcp any any
                    access-list 102 deny   udp any any
                    access-list 102 permit ip any any
                    ! Create ACL 105 to block all traffic inbound on Serial interface 0/0. Permit only IP
                    ! protocol traffic.
                    access-list 105 deny   tcp any any
                    access-list 105 deny   udp any any
                    access-list 105 permit ip any any
                    ! Identify the IPSec specific traffic.
                    access-list 155 permit tcp host 192.168.123.14 host 192.168.23.13 eq www
                    access-list 155 permit tcp host 192.168.123.14 eq www host 192.168.23.13
                    !
                    ! Define the AAA server host and encryption key.
                    tacacs-server host 192.168.123.14
                    tacacs-server key cisco
                    !
                    line con 0
                     exec-timeout 0 0
                     login authentication special
                     transport input none
                    line aux 0
                     transport input all
                     speed 38400
                     flowcontrol hardware
                    line vty 0 4
                     password lab

                    Example: Authentication Proxy, IPsec, NAT, and CBAC Configuration

                    The following is a sample configuration with the authentication proxy, IPsec, NAT, and CBAC features enabled. The figure below illustrates the configuration.

                    Figure 7. Authentication Proxy, IPsec, NAT, and CBAC Configuration Example

                    In this example, Host A initiates an HTTP connection with the web server (WWW). The HTTP traffic between device 1 (BRI interface 0) and device 2 (Serial interface 2) is encrypted using IPsec. Device 2 is acting as the firewall: the authentication proxy, NAT, and CBAC are configured at its Serial interface 2. ACL 105 blocks all traffic at Serial interface 2. ACL 102 is applied at Ethernet interface 0 on device 2 to block all traffic on that interface except traffic from the AAA server. In this example, the authentication proxy uses standard ACL 10 to specify the hosts using the Authentication Proxy feature.

                    When any host in ACL 10 initiates an HTTP connection with the web server, the authentication proxy prompts the user at that host for a username and password. These credentials are verified with the AAA server for authentication and authorization. If authentication is successful, the per-user ACLs are downloaded to the firewall to permit services.

                    Example: Device 1 Configuration

                    ! Configure device 1 for IPSec.
                    version 12.0
                     service timestamps debug uptime
                     service timestamps log uptime
                     no service password-encryption
                     !
                     hostname Device1
                     !
                     logging buffered 4096 debugging
                     no logging console
                     !
                    isdn switch-type basic-5ess
                     !
                     crypto isakmp policy 1
                      authentication pre-share
                     crypto isakmp key cisco1234 address 10.0.0.2       
                     crypto ipsec transform-set rule_1 ah-sha-hmac esp-des esp-sha-hmac 
                     !
                      !
                      crypto map testtag 10 ipsec-isakmp   
                      set peer 10.0.0.2
                      set transform-set rule_1 
                      match address 155
                     !
                     !
                     process-max-time 200
                     !
                     interface BRI0
                      ip address 10.0.0.1 255.0.0.0
                      no ip directed-broadcast
                      encapsulation ppp
                      dialer idle-timeout 5000
                      dialer map ip 10.0.0.2 name router2 broadcast 50006
                      dialer-group 1
                      isdn switch-type basic-5ess
                      crypto map testtag
                     ! 
                     interface FastEthernet0
                      ip address 192.168.50.2 255.255.255.0
                      no ip directed-broadcast
                     !
                     ip classless
                     ip route 192.168.150.0 255.255.255.0 10.0.0.2
                     no ip http server
                    ! Identify the IPSec specific traffic.
                     access-list 155 permit tcp host 192.168.50.13 host 192.168.150.100 eq www
                     access-list 155 permit tcp host 192.168.50.13 eq www host 192.168.150.100
                     dialer-list 1 protocol ip permit
                     !
                     line con 0
                      exec-timeout 0 0
                      transport input none
                     line aux 0
                     line vty 0 4
                      password lab
                      login

                    Example: Device 2 Configuration

                    ! Configure device 2 as the firewall, using the authentication proxy, IPSec, NAT, and
                    ! CBAC.
                     version 12.0
                     service timestamps debug uptime
                     service timestamps log uptime
                     no service password-encryption
                     !
                     hostname device2
                     !
                     logging buffered 4096 debugging
                     aaa new-model
                     aaa authentication login default group tacacs+
                     aaa authentication login console_line none
                     aaa authorization exec default group tacacs+
                     ! Configure AAA for the authentication proxy.
                     aaa authorization auth-proxy default group tacacs+
                    !
                     ! Create the CBAC inspection rule “rule44.”
                     ip inspect name rule44 http java-list 5
                     ip inspect name rule44 tcp
                     ip inspect name rule44 ftp
                     ip inspect name rule44 smtp
                     !
                     ! Create the authentication proxy rule “pxy.” Set the timeout value for rule
                     ! pxy to three minutes. Standard ACL 10 is applied to the rule.
                     ip auth-proxy name pxy http list 10 auth-cache-time 3
                     isdn switch-type primary-5ess
                     !
                     ! Configure IPSec.
                     crypto isakmp policy 1
                      authentication pre-share
                     crypto isakmp key cisco1234 address 10.0.0.1       
                     !
                     !
                     crypto ipsec transform-set rule_1 ah-sha-hmac esp-des esp-sha-hmac 
                     !
                      !        
                      crypto map testtag 10 ipsec-isakmp   
                      set peer 10.0.0.1
                      set transform-set rule_1 
                      match address 155
                    !         
                     controller T1 2/0
                      framing esf
                      linecode b8zs
                      pri-group timeslots 1-24
                    !         
                    ! Apply ACL 102 inbound at interface Ethernet0/1 and configure NAT.
                    interface Ethernet0/1
                     ip address 192.168.150.2 255.255.255.0
                     ip access-group 102 in
                     no ip directed-broadcast
                     ip nat inside
                     no ip mroute-cache
                    !         
                    ! Apply the authentication proxy rule pxy, CBAC inspection rule rule44, NAT,
                    ! and ACL 105 at interface Serial2/0:23.
                    interface Serial2/0:23
                     ip address 10.0.0.2 255.0.0.0
                     ip access-group 105 in
                     no ip directed-broadcast
                     ip nat outside
                     ip inspect rule44 in
                     ip auth-proxy pxy
                     encapsulation ppp
                     ip mroute-cache
                     dialer idle-timeout 5000
                     dialer map ip 10.0.0.1 name device1 broadcast 71011
                     dialer-group 1
                     isdn switch-type primary-5ess
                     fair-queue 64 256 0
                     crypto map testtag
                    !         
                    ! Use NAT to translate the Web server address.
                    ip nat inside source static 192.168.150.14 192.168.150.100
                    ip classless
                    ip route 192.168.50.0 255.255.255.0 10.0.0.1
                    ! Configure the HTTP server.
                    ip http server
                    ip http access-class 15
                    ip http authentication aaa
                    !
                    ! Create standard ACL 5 to specify the list of hosts from which to accept java applets.
                    ! ACL 5 is used to block Java applets in the CBAC inspection rule named “rule44,” which
                    ! is applied at interface Serial2/0:23.
                    access-list 5 permit any
                    ! Create standard ACL 10 to specify the hosts using the authentication proxy. This ACL
                    ! is used in the authentication proxy rule named pxy, which is applied at interface
                    ! Serial2/0:23.
                    access-list 10 permit any
                    ! Create ACL 15 to block all traffic for the http server.
                    access-list 15 deny any
                    ! Create extended ACL 102 to block all traffic inbound on interface Ethernet0/1
                    ! except for traffic from the AAA server.
                    access-list 102 permit tcp host 192.168.150.20 eq tacacs 192.168.150.2
                    access-list 102 deny   tcp any any
                    access-list 102 deny   udp any any
                    access-list 102 permit ip any any
                    ! Create extended ACL 105 to block all TCP and UDP traffic inbound on interface
                    ! Serial2/0:23.
                    access-list 105 deny   tcp any any
                    access-list 105 deny   udp any any
                    access-list 105 permit ip any any
                    ! Identify the IPSec specific traffic.
                    access-list 155 permit tcp host 192.168.150.100 host 192.168.50.13 eq www
                    access-list 155 permit tcp host 192.168.150.100 eq www host 192.168.50.13
                    dialer-list 1 protocol ip permit
                     ! Define the AAA server host and encryption key. The server address must match the
                     ! TACACS+ server permitted by ACL 102 on Ethernet0/1.
                     tacacs-server host 192.168.150.20
                     tacacs-server key cisco
                    !
                     line con 0
                      exec-timeout 0 0
                      login authentication console_line
                      transport input none
                     line aux 0
                     line vty 0 4
                      password lab
                     !
                     !
                     end
                    

                    Example: AAA Server User Profile

                    This section includes examples of the authentication proxy user profile entries on the AAA servers. The “proxyacl” entries define the user access privileges. After the user has successfully used the authentication proxy to log in, these entries are transferred to the firewall router. Each entry in the profile must specify “permit” access for the service or application. The source address in each entry is set to “any”, which is replaced with the IP address of the authenticating host when the profile is downloaded to the firewall. The privilege level must be set to 15 for all AAA users.

                    Example: CiscoSecure ACS 2.3 for Windows NT

                    This section describes how to configure authentication proxy on CiscoSecure ACS 2.3 for Windows NT. For detailed information about CiscoSecure ACS, refer to the documentation for that product.

                    The following sample configuration is for the TACACS+ service of CiscoSecure ACS for Windows NT.

                    SUMMARY STEPS

                      1.    Click the Interface Configuration icon and click TACACS+ (Cisco).

                      2.    Click the Network Configuration icon.

                      3.    Click the Group Setup icon.

                      4.    Click the User Setup icon.

                      5.    Click Group Setup icon again.


                    DETAILED STEPS
                      Step 1   Click the Interface Configuration icon and click TACACS+ (Cisco).
                      1. Scroll down to New Services.
                      2. Add a new service, “auth-proxy”, in the Service field. Leave the Protocol field empty.
                      3. Select both the User and Group check boxes for the new service.
                       4. Scroll down to Advanced Configuration Options and check the Per-user Advanced TACACS+ Features option.
                      5. Click Submit.
                      Step 2   Click the Network Configuration icon.
                      1. Click the Add Entry icon for Network Access Servers and fill in the Network Access Server Hostname, IP address, and key (the key configured on the router) fields.
                      2. Select TACACS+ (Cisco) for the Authenticate Using option.
                      3. Click the Submit + Restart icon.
                      Step 3   Click the Group Setup icon.
                      1. Select a user group from the drop-down menu.
                      2. Select the Users in Group check box.
                      3. Select a user from the user list.
                      4. In the User Setup list, scroll down to TACACS+ Settings and select the “auth-proxy” check box.
                      5. Select the Custom Attributes check box.
                      6. Add the profile entries (do not use single or double quotes around the entries) and set the privilege level to 15.

                        Example:
                        priv-lvl=15
                        proxyacl#1=permit tcp any any eq 26 
                        proxyacl#2=permit icmp any host 10.0.0.2 
                        proxyacl#3=permit tcp any any eq ftp
                        proxyacl#4=permit tcp any any eq ftp-data 
                        proxyacl#5=permit tcp any any eq smtp
                        proxyacl#6=permit tcp any any eq telnet
                        
                        
                      7. Click Submit.
                      Step 4   Click the User Setup icon.
                      1. Click List All Users.
                      2. Add a username.
                       3. Scroll down to User Setup Password Authentication.
                      4. Select SDI SecurID Token Card from the Password Authentication drop-down menu.
                       5. Select the previously configured user group 1.
                      6. Click Submit.
                      Step 5   Click Group Setup icon again.
                      1. Select the user group 1.
                      2. Click Users in Group.
                      3. Click Edit Settings.
                      4. Click the Submit + Restart icon to make sure the latest configuration is updated and sent to the AAA server.

                      Example: CiscoSecure ACS 2.3 for UNIX

                      This section describes how to configure authentication proxy on CiscoSecure ACS 2.3 for UNIX. For detailed information regarding CiscoSecure ACS, refer to the documentation for that product.

                      To manage the CiscoSecure ACS using the Administrator program, you need a web browser that supports Java and JavaScript. You must enable Java in the browser application. You can start the Java-based CiscoSecure Administrator advanced configuration program from any of the CiscoSecure ACS Administrator web pages.

                      The following sample configuration procedure is for the TACACS+ service of CiscoSecure ACS 2.3 for UNIX.

                      SUMMARY STEPS

                        1.    On the CiscoSecure ACS web menu bar of the CiscoSecure ACS web interface, click Advanced and then click Advanced again.

                        2.    In the CiscoSecure Administrator advanced configuration program, locate and deselect Browse in the Navigator pane of the tabbed Members page.

                        3.    In the Navigator pane, do one of the following:

                        4.    Click Create Profile to display the New Profile dialog box.

                        5.    Make sure the Group check box is cleared.

                        6.    Enter the name of the user you want to create and click OK. The new user appears in the tree.

                        7.    Click the icon for the group or user profile in the tree that is displayed in the Navigator pane of the tabbed Members page.

                        8.    If necessary, in the Profile pane, click the Profile icon to expand it.

                        9.    Click Service-String.

                        10.    Click string, enter auth-proxy in the text field, and click Apply.

                        11.    Select the Option menu.

                        12.    On the Option menu, click Default Attributes.

                        13.    Change the attribute from Deny to Permit.

                        14.    Click Apply.

                        15.    On the Option menu, click Attribute and enter the privilege level in the text field:

                        16.    On the Option menu, click Attribute and enter the proxyacl entries in the text field:

                        17.    When you have finished making all your changes, click Submit.


                      DETAILED STEPS
                        Step 1   On the CiscoSecure ACS web menu bar of the CiscoSecure ACS web interface, click Advanced and then click Advanced again.

                        The Java-based CiscoSecure Administrator advanced configuration program appears. It might require a few minutes to load.

                        Step 2   In the CiscoSecure Administrator advanced configuration program, locate and deselect Browse in the Navigator pane of the tabbed Members page.

                        This displays the Create New Profile icon.

                        Step 3   In the Navigator pane, do one of the following:
                        • Locate and click the group to which the user will belong.
                        • If you do not want the user to belong to a group, click the [Root] folder icon.
                        Step 4   Click Create Profile to display the New Profile dialog box.
                        Step 5   Make sure the Group check box is cleared.
                        Step 6   Enter the name of the user you want to create and click OK. The new user appears in the tree.
                        Step 7   Click the icon for the group or user profile in the tree that is displayed in the Navigator pane of the tabbed Members page.
                        Step 8   If necessary, in the Profile pane, click the Profile icon to expand it.

                        A list or dialog box that contains attributes applicable to the selected profile or service appears in the window at the bottom right of the screen. The information in this window changes depending on what you have selected in the Profile pane.

                        Step 9   Click Service-String.
                        Step 10   Click string, enter auth-proxy in the text field, and click Apply.
                        Step 11   Select the Option menu.
                        Step 12   On the Option menu, click Default Attributes.
                        Step 13   Change the attribute from Deny to Permit.
                        Step 14   Click Apply.
                        Step 15   On the Option menu, click Attribute and enter the privilege level in the text field:

                        Example:
                        priv-lvl=15
                        
                        
                        Step 16   On the Option menu, click Attribute and enter the proxyacl entries in the text field:

                        Example:
                         proxyacl#1="permit tcp any any eq 26"
                        
                        

                        Repeat this step for each additional service or protocol to add:



                        Example:
                         proxyacl#2="permit icmp any host 10.0.0.2"
                         proxyacl#3="permit tcp any any eq ftp"
                         proxyacl#4="permit tcp any any eq ftp-data"
                         proxyacl#5="permit tcp any any eq smtp"
                         proxyacl#6="permit tcp any any eq telnet"
                        
                        
                        Step 17   When you have finished making all your changes, click Submit.

                        Example: TACACS+ Server

                        default authorization = permit
                        key = cisco
                        user = Brian {
                        login = cleartext cisco
                        service = auth-proxy
                         {
                          priv-lvl=15
                          proxyacl#1="permit tcp any any eq 26"
                           proxyacl#2="permit icmp any host 10.0.0.2"
                          proxyacl#3="permit tcp any any eq ftp"
                          proxyacl#4="permit tcp any any eq ftp-data"
                          proxyacl#5="permit tcp any any eq smtp"
                          proxyacl#6="permit tcp any any eq telnet"
                         }
                        }

                        Example: Livingston Radius Server

                        Bob Password = "cisco" User-Service-Type=Outbound-User
                        cisco-avpair = "auth-proxy:priv-lvl=15",
                        cisco-avpair = "auth-proxy:proxyacl#1=permit tcp any any eq 26",
                        cisco-avpair = "auth-proxy:proxyacl#2=permit icmp any host 10.0.0.2",
                        cisco-avpair = "auth-proxy:proxyacl#3=permit tcp any any eq ftp",
                        cisco-avpair = "auth-proxy:proxyacl#4=permit tcp any any eq ftp-data",
                        cisco-avpair = "auth-proxy:proxyacl#5=permit tcp any any eq smtp",
                        cisco-avpair = "auth-proxy:proxyacl#6=permit tcp any any eq telnet"

                        Example: Ascend Radius Server

                        Alice Password = "cisco" User-Service = Dialout-Framed-User
                        cisco-avpair = "auth-proxy:priv-lvl=15",
                        cisco-avpair = "auth-proxy:proxyacl#1=permit tcp any any eq 26",
                        cisco-avpair = "auth-proxy:proxyacl#2=permit icmp any host 10.0.0.2",
                        cisco-avpair = "auth-proxy:proxyacl#3=permit tcp any any eq ftp",
                        cisco-avpair = "auth-proxy:proxyacl#4=permit tcp any any eq ftp-data",
                        cisco-avpair = "auth-proxy:proxyacl#5=permit tcp any any eq smtp",
                        cisco-avpair = "auth-proxy:proxyacl#6=permit tcp any any eq telnet"
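The user-profile rules stated in the Example: AAA Server User Profile section (every entry a permit, source "any" rewritten to the authenticating host, priv-lvl 15) can be checked before a profile is pushed to the AAA server. The following Python script is an added example, not Cisco code and not part of the original page: it parses the two attribute forms shown in the server examples above (TACACS+ proxyacl#N entries and RADIUS cisco-avpair lines) and produces the dynamic ACEs the firewall would install for one host. The function names and the sample profiles are constructed for the illustration.

```python
"""Validate an authentication-proxy user profile and expand it into the
per-host dynamic ACEs the firewall installs after a successful login.
Added illustration; function names and samples are assumptions."""
import ipaddress
import re

# One attribute in either the TACACS+ custom-attribute form (proxyacl#1=...)
# or the RADIUS cisco-avpair form (auth-proxy:proxyacl#1=...).
_ATTR = re.compile(r"^(?:auth-proxy:)?(?P<key>priv-lvl|proxyacl#(?P<n>\d+))=(?P<val>.+)$")


class ProfileError(ValueError):
    """Raised when a profile would not be accepted by the firewall."""


def _unwrap(raw):
    """Reduce one profile line to 'key=value' as the router receives it."""
    s = raw.strip().rstrip(",").strip()
    if s.startswith("cisco-avpair"):          # RADIUS: cisco-avpair = "..."
        s = s.split("=", 1)[1].strip()
    return s.strip('"')


def parse_profile(lines):
    """Return (priv_lvl, [(n, ace_text), ...]) from the AV-pair lines."""
    priv_lvl, aces = None, []
    for raw in lines:
        s = _unwrap(raw)
        if not s:
            continue
        m = _ATTR.match(s)
        if m is None:
            raise ProfileError(f"unrecognised attribute: {raw.strip()!r}")
        if m["key"] == "priv-lvl":
            priv_lvl = int(m["val"])
        else:
            aces.append((int(m["n"]), m["val"].strip().strip('"')))
    return priv_lvl, aces


def expand_for_host(lines, host_ip):
    """Validate the profile and return the dynamic ACEs for host_ip, in
    proxyacl order, with the 'any' source replaced by the host."""
    host = str(ipaddress.ip_address(host_ip))
    priv_lvl, aces = parse_profile(lines)
    if priv_lvl != 15:
        raise ProfileError(f"priv-lvl must be 15, got {priv_lvl}")
    if not aces:
        raise ProfileError("profile carries no proxyacl entries")
    expanded = []
    for n, ace in sorted(aces):
        tok = ace.split()
        if len(tok) < 4 or tok[0] != "permit":
            raise ProfileError(f"proxyacl#{n} must be a permit entry: {ace!r}")
        if tok[2] != "any":
            raise ProfileError(f"proxyacl#{n} source must be 'any': {ace!r}")
        tok[2:3] = ["host", host]             # source 'any' -> the authenticated host
        expanded.append(" ".join(tok))
    return expanded


def profile_is_valid(lines):
    """True when the firewall would accept the profile for some host."""
    try:
        expand_for_host(lines, "0.0.0.0")
        return True
    except ProfileError:
        return False


# Constructed samples in the two server formats shown above.
SAMPLE_TACACS = [
    "priv-lvl=15",
    'proxyacl#1="permit tcp any any eq 26"',
    'proxyacl#2="permit icmp any host 10.0.0.2"',
    'proxyacl#3="permit tcp any any eq ftp"',
]
SAMPLE_RADIUS = [
    'cisco-avpair = "auth-proxy:priv-lvl=15",',
    'cisco-avpair = "auth-proxy:proxyacl#1=permit tcp any any eq smtp",',
    'cisco-avpair = "auth-proxy:proxyacl#2=permit tcp any any eq telnet"',
]
SAMPLE_BAD = [                                 # a deny entry is never accepted
    "priv-lvl=15",
    'proxyacl#1="deny tcp any any eq telnet"',
]

if __name__ == "__main__":
    for ace in expand_for_host(SAMPLE_TACACS, "192.168.50.13"):
        print(ace)
    print("bad profile accepted:", profile_is_valid(SAMPLE_BAD))
```

Run it against a profile exported from the AAA server before deploying it; a deny entry, a non-"any" source or a missing priv-lvl=15 is reported as a ProfileError instead of silently producing an entry the firewall will not apply.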

                         Additional References

                         Related Documents

                           Related Topic: Cisco IOS commands
                           Document Title: Cisco IOS Master Command List, All Releases

                           Related Topic: Authentication, authorization, and accounting
                           Document Title: Authentication, Authorization, and Accounting (AAA) Configuration Guide

                           Related Topic: Access lists and the Cisco IOS Firewall
                           Document Title: “Access Control Lists: Overview and Guidelines” module of the Security Configuration Guide: Access Control Lists publication

                           Related Topic: Context-Based Access Control (CBAC)
                           Document Title: “Configuring Context-Based Access Control” module of the Security Guide Publication: Context-Based Access Control Firewall

                           Related Topic: RADIUS
                           Document Titles: RADIUS Configuration Guide; RADIUS Attributes Configuration Guide; General RADIUS Configurations Configuration Guide

                           Related Topic: TACACS+
                           Document Title: TACACS+ Configuration Guide

                         Technical Assistance

                           Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
                           Link: http://www.cisco.com/cisco/web/support/index.html

                        Feature Information for Authentication Proxy

                         The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

                         Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

                         Table 3 Feature Information for Authentication Proxy

                           Feature Name: Cisco IOS Firewall Authentication Proxy
                           Releases: 12.1(5)T
                           Feature Information: The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols. Authenticating and authorizing connections by users provides more robust protection against network attacks.

                           Feature Name: Web Authentication with Critical Authentication Support
                           Releases: 15.2(2)T
                           Feature Information: The AAA fail policy is a method for allowing a user to connect or to remain connected to the network if the AAA server is not available. See the AAA Fail Policy section.

                           Feature Name: Web Authentication Enhancements
                           Releases: 15.2(2)T
                           Feature Information: Substitute your custom HTML pages for the four default internal HTML pages or specify a URL to which the user will be redirected upon successful authentication, effectively replacing the internal Success page. See the Customization of the Authentication Proxy Web Pages section.



                        Prerequisites for Configuring Authentication Proxy

                        Prior to configuring authentication proxy, review the following:

                        • For the authentication proxy to work properly, the client host must be running the following browser software:
                          • Microsoft Internet Explorer 3.0 or later
                          • Netscape Navigator 3.0 or later
                        • The authentication proxy has an option to use standard access lists. You must have a solid understanding of how access lists are used to filter traffic before you attempt to configure the authentication proxy. For an overview of how to use access lists with the Cisco IOS Firewall, see the “Access Control Lists: Overview and Guidelines” module of the Security Configuration Guide: Access Control Lists publication.
                        • The authentication proxy employs user authentication and authorization as implemented in the Cisco authentication, authorization, and accounting (AAA) paradigm. You must understand how to configure AAA before you configure the authentication proxy. For more information about user authentication, authorization, and accounting, see the Authentication, Authorization, and Accounting (AAA) Configuration Guide.
                        • To run the authentication proxy successfully with Cisco IOS Firewall, configure Context-Based Access Control (CBAC) on the firewall. For more information about CBAC, see the “Configuring Context-Based Access Control” module of the Security Guide Publication: Context-Based Access Control Firewall.
                        • HTTP services must be running on the standard (well-known) port, which is port 80 for HTTP.
                        • Client browsers must enable JavaScript for secure authentication.

                        Restrictions for Configuring Authentication Proxy

                        • The authentication proxy is triggered only on HTTP connections.
                        • The authentication proxy access lists apply to traffic passing through the device. Traffic destined to the device is authenticated by the existing authentication methods provided by Cisco software.
                        • The authentication proxy does not support concurrent usage; that is, if two users try to log in from the same host at the same time, authentication and authorization applies only to the user who first submits a valid username and password.
                        • Load balancing using multiple or different AAA servers is not supported.

                        Information About Configuring Authentication Proxy

                        The Cisco IOS Firewall Authentication Proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access were associated with a user IP address, or a single security policy had to be applied to an entire user group or subnetwork. Now, users can be identified and authorized on the basis of their per-user policy. Tailoring of access privileges on an individual basis is possible, as opposed to applying a general policy across multiple users.

                        With the Authentication Proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a CiscoSecure ACS, or other RADIUS, or TACACS+ authentication server. The user profiles are active only when there is active traffic from the authenticated users.

                        The authentication proxy is compatible with other Cisco security features such as Network Address Translation (NAT), Context-Based Access Control (CBAC), IP Security (IPsec) encryption, and Cisco Secure VPN Client (VPN client) software.

                        How Authentication Proxy Works

                        When a user initiates an HTTP session through the firewall, the authentication proxy is triggered. The authentication proxy first checks to see if the user has been authenticated. If a valid authentication entry exists for the user, the connection is completed with no further intervention by the authentication proxy. If no entry exists, the authentication proxy responds to the HTTP connection request by prompting the user for a username and password.

                        The figure below illustrates the authentication proxy HTML login page.

                        Figure 1. Authentication Proxy Login Page

                        Users must successfully authenticate themselves with the authentication server by entering a valid username and password.

                        If the authentication succeeds, the user’s authorization profile is retrieved from the AAA server. The authentication proxy uses the information in this profile to create dynamic access control entries (ACEs) and add them to the inbound (input) access control list (ACL) of an input interface and to the outbound (output) ACL of an output interface, if an output ACL exists at the interface. This process enables the firewall to allow authenticated users access to the network as permitted by the authorization profile. For example, a user can initiate a Telnet connection through the firewall if Telnet is permitted in the user’s profile.

                        If the authentication fails, the authentication proxy reports the failure to the user and prompts the user with multiple login retries. If the user fails to authenticate after five attempts, the user must wait two minutes and initiate another HTTP session to trigger authentication proxy.


                         Note: The number of login retries is configurable. The default number of retries is five.


                        The login page is refreshed each time the user makes requests to access information from a web server.

                        The authentication proxy customizes each of the access list entries in the user profile by replacing the source IP addresses in the downloaded access list with the source IP address of the authenticated host.

                        At the same time that dynamic ACEs are added to the interface configuration, the authentication proxy sends a message to the user confirming that the login was successful. The figure below illustrates the login status in the HTML page.

                        Figure 2. Authentication Proxy Login Status Message

                        The authentication proxy sets up an inactivity (idle) timer for each user profile. As long as there is activity through the firewall, new traffic initiated from the user’s host does not trigger the authentication proxy, and authorized user traffic is permitted access through the firewall.

                        If the idle timer expires, the authentication proxy removes the user’s profile information and dynamic access lists entries. When this happens, traffic from the client host is blocked. The user must initiate another HTTP connection to trigger the authentication proxy.

                        Secure Authentication

                        The authentication proxy uses JavaScript to help achieve secure authentication using the client browser. Secure authentication prevents a client from mistakenly submitting a username and password to a network web server other than the authentication proxy router.

                        Operation with JavaScript

                        Users should enable JavaScript on the browser prior to initiating an HTTP connection. With JavaScript enabled on the browser, secure authentication is done automatically, and the user sees the authentication message shown in the Authentication Proxy Login Status Message figure, in the How the Authentication Proxy Works module. The HTTP connection is completed automatically for the user.

                        Operation Without JavaScript

                        If the client browser does not support JavaScript, or if site security policy prevents users from enabling JavaScript, any login attempt generates a popup window with instructions for manually completing the connection. The figure below illustrates the authentication proxy login status message with JavaScript disabled on the browser.

                        Figure 3. Authentication Proxy Login Status Message with JavaScript Disabled

                        To close this window, click Close on the browser File menu.

                        After closing the popup window, the user should click Reload (Refresh for Internet Explorer) in the browser window in which the authentication login page is displayed. If the user’s last authentication attempt succeeds, clicking Reload brings up the web page the user is trying to retrieve. If the user’s last attempt fails, clicking Reload causes the authentication proxy to intercept the client HTTP traffic again, prompting the user with another login page that solicits the username and password.

                        If JavaScript is not enabled, it is strongly recommended that site administrators advise users of the correct procedure for closing the popup window as described in the section Establishing User Connections Without JavaScript.

                        Using Authentication Proxy

                        Unlike some Cisco IOS Firewall features that operate transparently to the user, the authentication proxy feature requires some user interaction on the client host. The table below describes the interaction of the authentication proxy with the client host.

                         Table 1 Authentication Proxy Interaction with the Client Host

                           Authentication Proxy Action with Client: Triggering on HTTP connections
                           Description: If a user is not currently authenticated at the firewall router, any HTTP connection initiated by the user triggers the authentication proxy. If the user is already authenticated, the authentication proxy is transparent to the user.

                           Authentication Proxy Action with Client: Logging in using the login page
                           Description: Triggering the authentication proxy generates an HTML-based login page. The user must enter a username and password to be authenticated with the AAA server. The Authentication Proxy Login Page figure, in the How the Authentication Proxy Works module, illustrates the authentication proxy login page.

                           Authentication Proxy Action with Client: Authenticating the user at the client
                           Description: Following the login attempt, the authentication proxy action can vary depending on whether JavaScript is enabled in the browser. If JavaScript is enabled, and authentication is successful, the authentication proxy displays a message indicating the status of the authentication as shown in the Authentication Proxy Login Status Message figure, in the How the Authentication Proxy Works module. After the authentication status is displayed, the proxy automatically completes the HTTP connection.
                           If JavaScript is disabled, and authentication is successful, the authentication proxy generates a popup window with additional instructions for completing the connection. See the Authentication Proxy Login Status Message with JavaScript Disabled figure, in the Secure Authentication module.
                           If authentication is unsuccessful in any case, the user must log in again from the login page.

                        When to Use the Authentication Proxy

                        Here are examples of situations in which you might use the authentication proxy:

                        • You want to manage access privileges on an individual (per-user) basis using the services provided by the authentication servers instead of configuring access control based on host IP address or global access policies. Authenticating and authorizing users from any host IP address also allows network administrators to configure host IP addresses using DHCP.
                        • You want to authenticate and authorize local users before permitting access to intranet or Internet services or hosts through the firewall.
                        • You want to authenticate and authorize remote users before permitting access to local services or hosts through the firewall.
                        • You want to control access for specific extranet users. For example, you might want to authenticate and authorize the financial officer of a corporate partner with one set of access privileges while authorizing the technology officer for that same partner to use another set of access privileges.
                        • You want to use the authentication proxy in conjunction with VPN client software to validate users and to assign specific access privileges.
                        • You want to use the authentication proxy in conjunction with AAA accounting to generate “start” and “stop” accounting records that can be used for billing, security, or resource allocation purposes, allowing administrators to track traffic from the authenticated hosts.

                        Applying Authentication Proxy

                        Apply the authentication proxy in the inbound direction at any interface on the router where you want per-user authentication and authorization. Applying the authentication proxy inbound at an interface causes it to intercept a user’s initial connection request before that request is subjected to any other processing by the firewall. If the user fails to gain authentication with the AAA server, the connection request is dropped.

                        How you apply the authentication proxy depends on your security policy. For example, you can block all traffic through an interface and enable the authentication proxy feature to require authentication and authorization for all user initiated HTTP connections. Users are authorized for services only after successful authentication with the AAA server.

                        The authentication proxy feature also allows you to use standard access lists to specify a host or group of hosts whose initial HTTP traffic triggers the proxy.

                        The figure below shows the authentication proxy applied at the LAN interface with all network users required to be authenticated upon the initial connection (all traffic is blocked at each interface).

                        Figure 4. Applying the Authentication Proxy at the Local Interface

                        The figure below shows the authentication proxy applied at the dial-in interface with all network traffic blocked at each interface.

                        Figure 5. Applying the Authentication Proxy at an Outside Interface

                        Operation with One-Time Passwords

                        Given a one-time password, the user enters the username and one-time password in the HTML login page as usual.

                        The user must enter the correct token password within the first three attempts. After three incorrect entries, the user must enter two valid token passwords in succession before authentication is granted by the AAA server.

                        Compatibility with Other Security Features

                        The authentication proxy is compatible with Cisco software and with Cisco security features:

                        • Cisco IOS Firewall Intrusion Detection System (IDS)
                        • NAT
                        • CBAC
                        • IPsec encryption
                        • VPN client software

                        The authentication proxy works transparently with the Cisco IOS Firewall IDS and IPsec encryption features.

                        NAT Compatibility

                        The authentication proxy feature is compatible with NAT only if the ACL and authentication are completed prior to the NAT translation. Although NAT is compatible with the authentication proxy feature, NAT is not a requirement of the feature.

                        CBAC Compatibility

                        Although authentication proxy is compatible with CBAC security functions, CBAC is not required to use the authentication proxy feature.

                        The authorization step of the authentication proxy returns access control entries (ACEs) that are dynamically prepended to a manually created ACL. Apply that ACL inbound on the “protected side” interface; the prepended entries then permit (and the manual entries restrict) the authorized user’s source IP address access to the remote networks.

                        VPN Client Compatibility

                        Using the authentication proxy, network administrators can apply an extra layer of security and access control for VPN client traffic. If a VPN client initiates an HTTP connection, the authentication proxy first checks for prior client authentication. If the client is authenticated, authorized traffic is permitted. If the client is not authenticated, the HTTP request triggers the authentication proxy, and the user is prompted for a username and password.

                        If the user authentication is successful, the authentication proxy retrieves the user profile from the AAA server. The source address in the user profile entries is replaced with the IP address of the authenticated VPN client from the decrypted packet.

                        Compatibility with AAA Accounting

                        Using the authentication proxy, you can generate “start” and “stop” accounting records with enough information to be used for billing and security auditing purposes. Thus, you can monitor the actions of authenticated hosts that use the authentication proxy service.

                        When an authentication proxy cache and associated dynamic access control lists are created, the authentication proxy will start to track the traffic from the authenticated host. Accounting saves data about this event in a data structure stored with the data of other users. If the accounting start option is enabled, you can generate an accounting record (a “start” record) at this time. Subsequent traffic from the authenticated host will be recorded when the dynamic ACL created by the authentication proxy receives the packets.

                        When an authentication proxy cache expires and is deleted, additional data, such as elapsed time, is added to the accounting information and a “stop” record is sent to the server. At this point, the information is deleted from the data structure.

                        The accounting records for the authentication proxy user session are related to the cache and the dynamic ACL usage.


                        Note


                        The accounting records must include RADIUS attributes 42 (Acct-Input-Octets), 46 (Acct-Session-Time), and 47 (Acct-Input-Packets) for both RADIUS and TACACS+.


                        For more information on RADIUS attributes, see the RADIUS Attributes Configuration Guide.
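The start and stop records described above, as an added example that is not part of the Cisco guide or of Cisco’s accounting implementation: a small collector-side encoder and decoder for RFC 2866 Accounting-Request packets. It verifies the Request Authenticator under the shared secret (so a forged or modified record is rejected instead of billed), extracts the session fields a billing or audit pipeline keeps, and flags a stop record that lacks attributes 42, 46 or 47. The user name, addresses, session ID, counters and shared secret are constructed for the example, and treating the 42/46/47 requirement as a check on stop records is this example’s reading of the note.

```python
"""RADIUS accounting records for an auth-proxy session (added example).

Not Cisco code. Builds and parses RFC 2866 Accounting-Request packets the way
a collector would, and checks the attributes the page says an auth-proxy
record must carry (42 Acct-Input-Octets, 46 Acct-Session-Time,
47 Acct-Input-Packets). All session data and the secret are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4            # RFC 2866 packet code
USER_NAME, NAS_IP, FRAMED_IP = 1, 4, 8
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START, ACCT_STOP = 1, 2
REQUIRED_ON_STOP = (42, 46, 47)   # per the note above; checked on stop records


def u32(n: int) -> bytes:
    return struct.pack("!I", n)


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _avp(type_code: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(2 + len) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_accounting_request(ident: int, secret: bytes, attrs) -> bytes:
    """Encode an Accounting-Request with its Request Authenticator (RFC 2866 s3)."""
    body = b"".join(_avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(pkt: bytes, secret: bytes) -> dict:
    """Verify the authenticator, then split attributes into {type: [values]}."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    authenticator, body = pkt[4:20], pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        # A collector must drop these: wrong secret, or a forged/modified record.
        raise ValueError("Request Authenticator mismatch")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, l = body[pos], body[pos + 1]
        if l < 2 or pos + l > len(body):
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(body[pos + 2:pos + l])
        pos += l
    return {"id": ident, "attrs": attrs}


def summarize_record(parsed: dict) -> dict:
    """Map a parsed record to the fields a billing/audit pipeline keeps."""
    a = parsed["attrs"]

    def first_int(t):
        return struct.unpack("!I", a[t][0])[0] if t in a else None

    status = {ACCT_START: "start", ACCT_STOP: "stop"}.get(first_int(ACCT_STATUS_TYPE), "unknown")
    return {
        "status": status,
        "user": a[USER_NAME][0].decode() if USER_NAME in a else None,
        "client_ip": str(ipaddress.IPv4Address(a[FRAMED_IP][0])) if FRAMED_IP in a else None,
        "session_id": a[ACCT_SESSION_ID][0].decode() if ACCT_SESSION_ID in a else None,
        "input_octets": first_int(42),
        "session_time": first_int(46),
        "input_packets": first_int(47),
        # attributes the page requires that this stop record lacks
        "missing": [t for t in REQUIRED_ON_STOP if t not in a] if status == "stop" else [],
    }


SECRET = b"constructed-shared-secret"  # constructed; stands in for the radius-server key


def demo_session():
    """Constructed start and stop records for one auth-proxy session."""
    common = [(USER_NAME, b"newuser1"), (NAS_IP, ip4("10.10.10.1")),
              (FRAMED_IP, ip4("192.168.25.215")), (ACCT_SESSION_ID, b"0000001A")]
    start = build_accounting_request(7, SECRET, common + [(ACCT_STATUS_TYPE, u32(ACCT_START))])
    stop = build_accounting_request(8, SECRET, common + [
        (ACCT_STATUS_TYPE, u32(ACCT_STOP)), (42, u32(51234)), (46, u32(60)), (47, u32(420))])
    return (summarize_record(parse_accounting_request(start, SECRET)),
            summarize_record(parse_accounting_request(stop, SECRET)))


if __name__ == "__main__":
    for rec in demo_session():
        print(rec)
```

The authenticator check is the part worth keeping in a real collector: a record with the right attributes but a wrong authenticator is either a misconfigured shared secret or an attempt to feed fake usage into billing. TACACS+ accounting carries its data as AV pairs rather than RADIUS attributes, so only the field-level check carries over unchanged.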

                        Protection Against Denial-of-Service Attacks

                        The authentication proxy monitors the level of incoming HTTP requests. For each request, the authentication proxy prompts the user for login credentials. A high number of open requests could indicate that the router is the subject of a denial-of-service (DoS) attack. The authentication proxy limits the number of open requests and drops additional requests until the number of open requests has fallen below 40.

                        If the firewall is experiencing a high level of connection requests requiring authentication, legitimate network users may experience delays when making connections, or the connection may be rejected and the user must try the connection again.

                        Risk of Spoofing with Authentication Proxy

                        When the authentication proxy is triggered, it creates a dynamic opening in the firewall by temporarily reconfiguring an interface with user access privileges. While this opening exists, another host might spoof the authenticated user’s address to gain access behind the firewall. The authentication proxy does not cause the address spoofing problem; the problem is only identified here as a matter of concern to the user. Spoofing is a problem inherent to all access lists, and the authentication proxy does not specifically address this problem.

                        Comparison with the Lock-and-Key Feature

                        Lock-and-key is another Cisco IOS Firewall feature that uses authentication and dynamic access lists to provide user access through the firewall. The table below compares the authentication proxy and lock-and-key features.

                        Table 2 Comparison of the Authentication Proxy and Lock-and-Key Features

                        Lock-and-Key: Triggers on Telnet connection requests.
                        Authentication Proxy: Triggers on HTTP connection requests.

                        Lock-and-Key: TACACS+, RADIUS, or local authentication.
                        Authentication Proxy: TACACS+ or RADIUS authentication and authorization.

                        Lock-and-Key: Access lists are configured on the router only.
                        Authentication Proxy: Access lists are retrieved from the AAA server only.

                        Lock-and-Key: Access privileges are granted on the basis of the user’s host IP address.
                        Authentication Proxy: Access privileges are granted on a per-user and host IP address basis.

                        Lock-and-Key: Access lists are limited to one entry for each host IP address.
                        Authentication Proxy: Access lists can have multiple entries as defined by the user profiles on the AAA server.

                        Lock-and-Key: Associates a fixed IP address with a specific user. Users must log in from the host with that IP address.
                        Authentication Proxy: Allows DHCP-based host IP addresses, meaning that users can log in from any host location and obtain authentication and authorization.

                        Use the authentication proxy in any network environment that provides a per-user security policy. Use lock-and-key in network environments that might benefit from local authentication and a limited number of router-based access control policies based on host addresses. Use lock-and-key in environments not using the Cisco Secure Integrated Software.

                        AAA Fail Policy

                        The AAA fail policy is a method for allowing a user to connect or to remain connected to the network if the AAA server is not available. If the AAA server cannot be reached when web-based authentication of a client is needed, instead of rejecting the user (that is, not providing the access to the network), an administrator can configure a default AAA fail policy that can be applied to the user.

                        This policy is advantageous for the following reasons:

                        • While AAA is unavailable, the user will still have connectivity to the network, although access may be restricted.
                        • When the AAA server is again available, a user can be revalidated and the user's normal access policies can be downloaded from the AAA server.

                        Note


                        When the AAA server is down, the AAA fail policy is applied only if there is no existing policy associated with the user. Typically, if the AAA server is unavailable when a user session requires reauthentication, the policies currently in effect for the user are retained.


                        While the AAA fail policy is in effect, the session state is maintained as AAA Down.

                        Customization of the Authentication Proxy Web Pages

                        The router's internal HTTP server hosts four HTML pages for delivery to an authenticating client during the web-based authentication process. The four pages allow the server to notify the user of the following four states of the authentication process:

                        • Login—The user's credentials are requested
                        • Success—The login was successful
                        • Fail—The login has failed
                        • Expire—The login session has expired due to excessive login failures

                        You can substitute your custom HTML pages for the four default internal HTML pages, or you can specify a URL to which the user will be redirected upon successful authentication, effectively replacing the internal Success page.

                        How to Configure Authentication Proxy

                        Configuring AAA

                        You must configure the authentication proxy for AAA services. To enable authorization and define the authorization methods, complete the following steps:

                        SUMMARY STEPS

                          1.    enable

                          2.    configure terminal

                          3.    aaa new-model

                          4.    aaa authentication login default method1 [method2]

                          5.    aaa authorization auth-proxy default method1 [method2]

                          6.    aaa accounting auth-proxy default start-stop group tacacs+

                          7.    tacacs-server host hostname

                          8.    tacacs-server key key

                          9.    access-list access-list-number permit tcp host aaa-server-address eq tacacs host firewall-address


                        DETAILED STEPS
                           Command or Action    Purpose
                          Step 1 enable


                          Example:
                          Device> enable
                           

                          Enables privileged EXEC mode.

                          • Enter your password if prompted.
                           
                          Step 2 configure terminal


                          Example:
                          Device# configure terminal
                           

                          Enters global configuration mode.

                           
                          Step 3 aaa new-model


                          Example:
                          Device(config)# aaa new-model
                           

                          Enables the AAA functionality on the device.

                           
                          Step 4 aaa authentication login default method1 [method2]


                          Example:
                          Device(config)# aaa authentication login default group tacacs+ group radius
                           

                          Defines the list of authentication methods at login. Methods are tried in order; the example tries the TACACS+ server group first and falls back to the RADIUS server group only if no TACACS+ server responds.

                           
                          Step 5 aaa authorization auth-proxy default method1 [method2]


                          Example:
                          Device(config)# aaa authorization auth-proxy default group tacacs+
                           

                          Defines the authorization method list for the authentication proxy. The auth-proxy keyword enables the per-user authorization that returns the downloadable dynamic ACL entries (proxyacl#n) from the AAA server.

                           
                          Step 6 aaa accounting auth-proxy default start-stop group tacacs+


                          Example:
                          Device(config)# aaa accounting auth-proxy default start-stop group tacacs+
                           

                          Activates authentication proxy accounting. With start-stop, a “start” record is sent when the authentication proxy cache entry and its dynamic ACL are created, and a “stop” record, including the elapsed time, when the entry expires.

                           
                          Step 7 tacacs-server host hostname


                          Example:
                          Device(config)# tacacs-server host host1
                           

                          Specifies an AAA server. For RADIUS servers, use the radius-server host command.

                           
                          Step 8 tacacs-server key key


                          Example:
                          Device(config)# tacacs-server key key1
                           

                          Sets the authentication and encryption key for communications between the device and the AAA server. For RADIUS servers, use the radius-server key command. Use a long, unique key; it is the only thing that protects the AAA exchange from a forged server response.

                           
                          Step 9 access-list access-list-number permit tcp host aaa-server-address eq tacacs host firewall-address


                          Example:
                          Device(config)# access-list 111 permit tcp host 10.10.10.2 eq tacacs host 10.10.10.1
                           

                          Creates an extended ACL entry that allows the TACACS+ server (TCP port 49) to return traffic to the firewall. The access list number must be numeric; the addresses in the example are placeholders for the AAA server and for the firewall interface that reaches it. For a RADIUS server, permit the server’s UDP authentication and accounting ports instead. Apply the ACL inbound on the interface facing the AAA server.

                           
                          What to Do Next

                          In addition to configuring AAA on the firewall device, the authentication proxy requires a per-user access profile configuration on the AAA server. To support the authentication proxy, configure the AAA authorization service auth-proxy on the AAA server as outlined here:

                          • Define a separate section of authorization for the auth-proxy keyword to specify the downloadable user profiles. This keyword does not interfere with other type of services, such as EXEC. The following example shows a user profile on a TACACS server:
                          default authorization = permit
                          key = cisco
                          user = newuser1 {
                          login = cleartext cisco
                          service = auth-proxy
                          {
                          priv-lvl=15
                          proxyacl#1="permit tcp any any eq 26"
                          proxyacl#2="permit icmp any host 10.0.0.2"
                          proxyacl#3="permit tcp any any eq ftp"
                          proxyacl#4="permit tcp any any eq ftp-data"
                          proxyacl#5="permit tcp any any eq smtp"
                          proxyacl#6="permit tcp any any eq telnet"
                          }
                          }
                          
                          • The only supported attribute in the AAA server user configuration is proxyacl#n. Use the proxyacl#n attribute when configuring the access lists in the profile. The attribute proxyacl#n is for both RADIUS and TACACS+ attribute-value (AV) pairs.
                          • The privilege level must be set to 15 for all users.
                          • The access lists in the user profile on the AAA server must have access commands that contain only the permit keyword.
                          • Set the source address to the any keyword in each of the user profile access list entries. The source address in the access lists is replaced with the source address of the host making the authentication proxy request when the user profile is downloaded to the firewall.
                          • The supported AAA servers are:
                            • CiscoSecure ACS 2.1.x for Windows NT
                            • CiscoSecure ACS 2.3 for Windows NT
                            • CiscoSecure ACS 2.2.4 for UNIX
                            • CiscoSecure ACS 2.3 for UNIX
                            • TACACS+ server (vF4.02.alpha)
                            • Ascend RADIUS server radius-980618 (required attribute-value pair patch)
                            • Livingston RADIUS server (v1.16)

                          Configuring the HTTP Server for Authentication Proxy

                          This task is used to enable the HTTP server on the firewall and configure the HTTP server’s AAA authentication method for authentication proxy.

                          SUMMARY STEPS

                            1.    enable

                            2.    configure terminal

                            3.    ip http server

                            4.    ip http access-class access-list-number


                          DETAILED STEPS
                             Command or Action    Purpose
                            Step 1 enable


                            Example:
                            Device> enable
                             

                            Enables privileged EXEC mode.

                            • Enter your password if prompted.
                             
                            Step 2 configure terminal


                            Example:
                            Device# configure terminal
                             

                            Enters global configuration mode.

                             
                            Step 3 ip http server


                            Example:
                            Device(config)# ip http server
                             

                            Enables the HTTP server on the device.

                             
                            Step 4 ip http access-class access-list-number


                            Example:
                            Device(config)# ip http access-class 20
                             

                            Specifies the access list for the HTTP server.

                             

                            Configuring the Authentication Proxy

                            SUMMARY STEPS

                              1.    enable

                              2.    configure terminal

                              3.    ip auth-proxy auth-cache-time min

                              4.    ip auth-proxy auth-proxy-banner

                              5.    ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list {acl | acl-name}]

                              6.    interface type number

                              7.    ip auth-proxy auth-proxy-name


                            DETAILED STEPS
                               Command or Action    Purpose
                              Step 1 enable


                              Example:
                              Device> enable
                               

                              Enables privileged EXEC mode.

                              • Enter your password if prompted.
                               
                              Step 2 configure terminal


                              Example:
                              Device# configure terminal
                               

                              Enters global configuration mode.

                               
                              Step 3 ip auth-proxy auth-cache-time min


                              Example:
                              Device(config)# ip auth-proxy auth-cache-time 5
                               

                              (Optional) Sets the global authentication proxy idle timeout value in minutes.

                               
                              Step 4 ip auth-proxy auth-proxy-banner


                              Example:
                              Device(config)# ip auth-proxy auth-proxy-banner
                               

                              (Optional) Displays the name of the firewall router in the authentication proxy login page. The banner is disabled by default.

                               
                              Step 5 ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list {acl | acl-name}]


                              Example:
                              Device(config)# ip auth-proxy name HQ_users http
                               

                              Creates authentication proxy rules.

                               
                              Step 6 interface type number


                              Example:
                              Device(config)# interface Ethernet0/0
                               

                              Enters interface configuration mode by specifying the interface type and number on which to apply the authentication proxy.

                               
                              Step 7 ip auth-proxy auth-proxy-name


                              Example:
                              Device(config-if)# ip auth-proxy HQ_users
                               

                              Applies the named authentication proxy rule at the interface.
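                              The three tasks in this section combined into one firewall configuration, as an added example that is not from the Cisco guide. The interface names, addresses, ACL numbers and the TACACS+ key are assumptions for illustration; the rule name pxy and the 60-minute global and 1-minute rule timeouts are the ones shown in the verification example that follows. Two lines go beyond the tasks above: ip http authentication aaa is the HTTP server authentication method the HTTP task’s description refers to, and the ip inspect (CBAC) lines open the return path for authorized sessions through the deny-all ACL on the outside interface, which the Compatibility section allows but does not require.

```cisco
! Added example (not from the Cisco guide). Addresses, interface names, ACL
! numbers and the key are assumptions.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
!
tacacs-server host 10.10.10.2
tacacs-server key key1
!
! Login page served by the router's HTTP server, reachable only from the
! inside subnet and authenticating against AAA.
ip http server
ip http authentication aaa
ip http access-class 20
access-list 20 permit 192.168.25.0 0.0.0.255
!
ip auth-proxy auth-cache-time 60
ip auth-proxy auth-proxy-banner
ip auth-proxy name pxy http auth-cache-time 1
!
! CBAC inspection opens return paths for sessions the user is authorized for.
ip inspect name fw tcp
ip inspect name fw udp
!
! Inside (protected) interface: ACL 106 blocks everything until the auth-proxy
! prepends the user's downloaded proxyacl#n entries to it. The proxy intercepts
! the first HTTP request before ACL 106 is evaluated.
interface Ethernet0/0
 ip address 192.168.25.1 255.255.255.0
 ip access-group 106 in
 ip inspect fw in
 ip auth-proxy pxy
!
! Outside interface: permit only the TACACS+ server's return traffic (TCP 49)
! to the firewall; everything else inbound is denied until CBAC opens it.
interface Ethernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip access-group 105 in
!
access-list 105 permit tcp host 10.10.10.2 eq tacacs host 10.10.10.1
access-list 105 deny ip any any
!
! Source "any" in the downloaded ACEs is rewritten to the authenticated host's
! address, so the entries prepended here are per user and per host IP.
access-list 106 deny ip any any
```

After a user logs in, show ip auth-proxy cache should list the host in state HTTP_ESTAB and show access-lists 106 should show the downloaded permit entries ahead of the deny; when the 1-minute idle timer expires, both disappear and the next HTTP request from that host is intercepted again.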

                               

                              Verifying Authentication Proxy

                              Checking the Authentication Proxy Configuration

                              SUMMARY STEPS

                                1.    enable

                                2.    show ip auth-proxy configuration


                              DETAILED STEPS
                                 Command or Action    Purpose
                                Step 1 enable


                                Example:
                                Device> enable
                                 

                                Enables privileged EXEC mode.

                                • Enter your password if prompted.
                                 
                                Step 2 show ip auth-proxy configuration


                                Example:
                                Device# show ip auth-proxy configuration
                                 

                                Displays the authentication proxy configuration.

                                 
                                Example: Checking the Authentication Proxy Configuration

                                In the following example, the global authentication proxy idle timeout value is set to 60 minutes, the named authentication proxy rule is “pxy”, and the idle timeout value for this named rule is one minute. The display shows that no host list is specified, meaning that all connections initiating HTTP traffic at the interface are subject to the authentication proxy rule.

                                Device# show ip auth-proxy configuration
                                
                                Authentication cache time is 60 minutes
                                Authentication Proxy Rule Configuration
                                Auth-proxy name pxy
                                http list not specified auth-cache-time 1 minutes
                                

                                Displaying the User Authentication Entries

                                SUMMARY STEPS

                                  1.    enable

                                  2.    show ip auth-proxy cache


                                DETAILED STEPS
                                   Command or Action    Purpose
                                  Step 1 enable


                                  Example:
                                  Device> enable
                                   

                                  Enables privileged EXEC mode.

                                  • Enter your password if prompted.
                                   
                                  Step 2 show ip auth-proxy cache


                                  Example:
                                  Device# show ip auth-proxy cache
                                   

                                  Displays the list of user authentication entries.

                                   
                                  Example: Displaying the User Authentication Entries

                                  The authentication proxy cache lists the host IP address, the source port number, the timeout value for the authentication proxy, and the state of the connection. If the authentication proxy state is HTTP_ESTAB, the user authentication was successful.

                                  Device# show ip auth-proxy cache
                                  
                                  Authentication Proxy Cache
                                   Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB
                                  

                                  Wait for one minute, which is the timeout value for this named rule, and ask the user to try the connection again. After one minute, the user connection is denied because the authentication proxy has removed the user’s authentication entry and any associated dynamic ACLs. The user is presented with a new authentication login page and must log in again to gain access through the firewall.

                                  Establishing User Connections with JavaScript

                                  To establish user connections using the authentication proxy with JavaScript enabled on the client browser, follow this procedure.

                                  SUMMARY STEPS

                                    1.    From a client host, initiate an HTTP connection through the firewall. This generates the authentication proxy login page.

                                    2.    At the authentication proxy login page, enter a username and password.

                                    3.    Click OK to submit the username and password to the AAA server.


                                  DETAILED STEPS
                                    Step 1   From a client host, initiate an HTTP connection through the firewall. This generates the authentication proxy login page.
                                    Step 2   At the authentication proxy login page, enter a username and password.
                                    Step 3   Click OK to submit the username and password to the AAA server.

                                    A popup window appears indicating whether the login attempt succeeded or failed. If the authentication is successful, the connection is completed automatically. If the authentication fails, the authentication proxy reports the failure to the user and prompts the user with multiple retries.


                                    What to Do Next


                                    Note


                                    If the authentication attempt is unsuccessful after five attempts, the user must wait two minutes and initiate another HTTP session to trigger authentication proxy.


                                    Establishing User Connections Without JavaScript

                                    To ensure secure authentication, the authentication proxy design requires JavaScript. You can use the authentication proxy without enabling JavaScript on the browser, but this poses a potential security risk if users do not properly establish network connections. The following procedure provides the steps to properly establish a connection with JavaScript disabled. Network administrators are strongly advised to instruct users on how to properly establish connections using the procedure in this section.


                                    Note


                                    Failure to follow this procedure can cause user credentials to be passed to a network web server other than the authentication proxy or can cause the authentication proxy to reject the login attempt.


                                    To verify client connections using the authentication proxy when JavaScript is not enabled on the client browser, follow this procedure:

                                    SUMMARY STEPS

                                      1.    Initiate an HTTP connection through the firewall.

                                      2.    From the authentication proxy login page at the client, enter the username and password.

                                      3.    Click OK to submit the username and password to the AAA server.

                                      4.    If the popup window displays a failed authentication message, click Close on the browser File menu.

                                      5.    From the original authentication login page, click Reload (Refresh for Internet Explorer) on the browser toolbar. The user login credentials are cleared from the form.

                                      6.    Enter the username and password again.

                                      7.    Click Close on the browser File menu.

                                      8.    From the original authentication proxy login page, click Reload (Refresh for Internet Explorer) on the browser toolbar.


                                    DETAILED STEPS
                                      Step 1   Initiate an HTTP connection through the firewall.

                                      This generates the authentication proxy login page.

                                      Step 2   From the authentication proxy login page at the client, enter the username and password.
                                      Step 3   Click OK to submit the username and password to the AAA server.

A popup window appears indicating whether the login attempt succeeded or failed. If the popup window indicates successful authentication, go to Step 7.

                                      Step 4   If the popup window displays a failed authentication message, click Close on the browser File menu.
                                      Note   

                                      Do not click Reload (Refresh for Internet Explorer) to close the popup window.

                                      Step 5   From the original authentication login page, click Reload (Refresh for Internet Explorer) on the browser toolbar. The user login credentials are cleared from the form.
                                      Note   

                                      Do not click OK. You must click Reload or Refresh to clear the username and password and to reload the form before attempting to log in again.

                                      Step 6   Enter the username and password again.

                                      If the authentication is successful, a window appears displaying a successful authentication message. If the window displays a failed authentication message, go to Step 4.

                                      Step 7   Click Close on the browser File menu.
                                      Step 8   From the original authentication proxy login page, click Reload (Refresh for Internet Explorer) on the browser toolbar.

                                      The authentication proxy completes the authenticated connection with the web server.


                                      Monitoring and Maintaining Authentication Proxy

                                      Displaying Dynamic ACL Entries

                                      You can display dynamic access list entries when they are in use. After an authentication proxy entry is cleared by you or by the idle timeout parameter, you can no longer display it. The number of matches displayed indicates the number of times the access list entry was hit.

                                      To view dynamic access lists and any temporary access list entries that are currently established by the authentication proxy, complete the following steps.

                                      SUMMARY STEPS

                                        1.    enable

                                        2.    show ip access-lists


                                      DETAILED STEPS
Command or Action    Purpose
                                        Step 1 enable


                                        Example:
                                        Device> enable
                                         

                                        Enables privileged EXEC mode.

                                        • Enter your password if prompted.
                                         
                                        Step 2 show ip access-lists


                                        Example:
                                        Device# show ip access-lists
                                         

                                        Displays the standard and extended access lists configured on the firewall, including dynamic ACL entries.

                                         

                                        Example: Displaying Dynamic ACL Entries

Consider the following example where ACL 105 is applied inbound at the input interface where you configure authentication proxy. The first display shows the contents of the ACL before authentication. The second display shows the same ACL after the user has authenticated with the AAA server.


                                        Note


                                        If NAT is configured, the show ip access-lists command might display the translated host IP address for the dynamic ACL entry or the IP address of the host initiating the connection. If the ACL is applied on the NAT outside interface, the translated address is displayed. If the ACL is applied on the NAT inside interface, the IP address of the host initiating the connection is displayed. The show ip auth-proxy cache command always displays the IP address of the host initiating the connection.


                                        For example, the following is a list of ACL entries prior to the authentication proxy:

                                        Device# show ip access-lists
                                            .
                                            .
                                            .
                                        Extended IP access list 105
                                         deny tcp any any eq telnet
                                         deny udp any any
                                         permit tcp any any (28 matches)
                                         permit ip any any
                                        

                                        The following sample output shows a list of ACL entries following user authentication:

                                        Device# show ip access-lists
                                            .
                                            .
                                            .
                                        Extended IP access list 105
                                        ! The ACL entries following user authentication are shown below.
                                         permit tcp host 192.168.25.215 any eq 26
                                         permit icmp host 192.168.25.215 host 10.0.0.2
                                         permit tcp host 192.168.25.215 any eq telnet
                                         permit tcp host 192.168.25.215 any eq ftp
                                         permit tcp host 192.168.25.215 any eq ftp-data
                                         permit tcp host 192.168.25.215 any eq smtp
                                         deny tcp any any eq telnet
                                         deny udp any any
                                         permit tcp any any (76 matches)
                                         permit ip any any
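
The two listings above can be compared mechanically, which is useful when an ACL carries entries for many authenticated hosts. The following Python script is an added example, not part of the Cisco documentation: it parses show ip access-lists output, separates the per-user entries the authentication proxy inserted for a host from the static entries of ACL 105, and reports how the hit counters of the static entries moved between the two snapshots. BEFORE and AFTER are constructed from the listings in this section.

```python
"""Separate the dynamic per-user entries that the authentication proxy
inserts into an ACL from the static entries of the configured ACL.

Added example, not part of the Cisco documentation. BEFORE and AFTER are
constructed from the two show ip access-lists listings in this section.
"""
import re
from dataclasses import dataclass

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)$")
# Matches " permit tcp host 192.168.25.215 any eq 26" and
# " permit tcp any any (28 matches)"; the hit counter is optional.
ACE_LINE = re.compile(
    r"^\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$"
)

BEFORE = "\n".join([
    "Device# show ip access-lists",
    "    .",
    "Extended IP access list 105",
    " deny tcp any any eq telnet",
    " deny udp any any",
    " permit tcp any any (28 matches)",
    " permit ip any any",
])

AFTER = "\n".join([
    "Device# show ip access-lists",
    "    .",
    "Extended IP access list 105",
    " permit tcp host 192.168.25.215 any eq 26",
    " permit icmp host 192.168.25.215 host 10.0.0.2",
    " permit tcp host 192.168.25.215 any eq telnet",
    " permit tcp host 192.168.25.215 any eq ftp",
    " permit tcp host 192.168.25.215 any eq ftp-data",
    " permit tcp host 192.168.25.215 any eq smtp",
    " deny tcp any any eq telnet",
    " deny udp any any",
    " permit tcp any any (76 matches)",
    " permit ip any any",
])


@dataclass
class Ace:
    action: str   # permit | deny
    proto: str    # tcp, udp, icmp, ip, ...
    rule: str     # source/destination/port text as printed by IOS
    matches: int  # hit counter, 0 when IOS prints none

    def key(self):
        """Identity of the entry without its volatile hit counter."""
        return (self.action, self.proto, self.rule)


def parse_access_lists(text):
    """Return {acl_name: [Ace, ...]} from show ip access-lists output."""
    acls, current = {}, None
    for line in text.splitlines():
        header = ACL_HEADER.match(line.strip())
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        if current is None:
            continue
        ace = ACE_LINE.match(line)
        if ace:
            acls[current].append(
                Ace(ace.group(1), ace.group(2), ace.group(3), int(ace.group(4) or 0))
            )
    return acls


def dynamic_entries(acl_before, acl_after):
    """Entries present after authentication but absent before are the
    per-user entries downloaded from AAA; group them by source host."""
    static = {ace.key() for ace in acl_before}
    per_host = {}
    for ace in acl_after:
        if ace.key() in static:
            continue
        m = re.match(r"host (\S+)", ace.rule)
        host = m.group(1) if m else "unknown"
        per_host.setdefault(host, []).append(ace)
    return per_host


def match_delta(acl_before, acl_after):
    """Hit-count change of each static entry between the two snapshots."""
    before = {ace.key(): ace.matches for ace in acl_before}
    delta = {}
    for ace in acl_after:
        if ace.key() in before:
            delta[ace.key()] = ace.matches - before[ace.key()]
    return delta


if __name__ == "__main__":
    before = parse_access_lists(BEFORE)["105"]
    after = parse_access_lists(AFTER)["105"]
    for host, aces in dynamic_entries(before, after).items():
        print(f"{host}: {len(aces)} dynamic entries")
        for ace in aces:
            print(f"  {ace.action} {ace.proto} {ace.rule}")
    for key, d in match_delta(before, after).items():
        print(f"{' '.join(key)}: +{d} matches")
```

Run it against saved output of show ip access-lists taken before and after a login to confirm that only the entries authorized for that user appeared, and that they disappear again after the cache entry times out or is cleared.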
                                        

                                        Deleting Authentication Proxy Cache Entries

                                        When the authentication proxy is in use, dynamic access lists dynamically grow and shrink as authentication proxy cache entries are added and deleted. To manually delete an authentication proxy cache entry, complete the following steps.

                                        SUMMARY STEPS

                                          1.    enable

                                          2.    clear ip auth-proxy cache {* | host-ip-address}


                                        DETAILED STEPS
Command or Action    Purpose
                                          Step 1 enable


                                          Example:
                                          Device> enable
                                           

                                          Enables privileged EXEC mode.

                                          • Enter your password if prompted.
                                           
                                          Step 2 clear ip auth-proxy cache {* | host-ip-address}


                                          Example:
                                          Device# clear ip auth-proxy cache *
                                           

                                          Deletes authentication proxy entries from the firewall before they time out. Enter an asterisk to delete all authentication cache entries. Enter a specific IP address to delete an entry for a single host.

                                           

                                          Configuration Examples for Authentication Proxy

                                          Example: Authentication Proxy Configuration

                                          The following examples highlight the specific authentication proxy configuration entries. These examples do not represent a complete configuration. Complete configurations using the authentication proxy are included later in this module.

                                          Example: AAA Configuration

! Set up the aaa new model to use the authentication proxy.
aaa new-model
aaa authentication login default group tacacs group radius
aaa authorization auth-proxy default group tacacs group radius
! Set up authentication proxy with accounting.
aaa accounting auth-proxy default start-stop group tacacs+
! Define the AAA servers used by the router.
tacacs-server host 172.31.54.143
tacacs-server key cisco
radius-server host 172.31.54.143
radius-server key cisco

                                          Example: HTTP Server Configuration

                                          ! Enable the HTTP server on the router.
                                          ip http server
                                          ! Set the HTTP server authentication method to AAA.
                                          ip http authentication aaa
                                          ! Define standard access list 61 to deny any host.
                                          access-list 61 deny any 
                                          ! Use ACL 61 to deny connections from any host to the HTTP server.
                                          ip http access-class 61

                                          Example: Authentication Proxy Configuration

                                          ! Set the global authentication proxy timeout value.
                                          ip auth-proxy auth-cache-time 60
                                          ! Apply a name to the authentication proxy configuration rule.
                                          ip auth-proxy name HQ_users http

                                          Example: Interface Configuration

                                          ! Apply the authentication proxy rule at an interface.
                                          interface ethernet0 
                                          ip address 10.1.1.210 255.255.255.0
                                          ip auth-proxy HQ_users
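
The snippets above only work together when they reference each other consistently: the rule created with ip auth-proxy name must be the one applied on the interface, the HTTP server must authenticate through AAA, the auth-proxy authorization method list must exist so per-user ACLs can be downloaded, and the access-class must keep hosts from reaching the router's HTTP server directly. The following Python script is an added example, not Cisco code, that checks a configuration for those pieces. CONFIG is constructed by concatenating the snippets in this section, and the finding messages are the script's own wording.

```python
"""Check a Cisco IOS configuration for the pieces an authentication proxy
deployment needs, as described in this module: AAA authorization for
auth-proxy, the HTTP server authenticating through AAA, an access-class
that denies direct HTTP access to the router, and a named rule that is
both defined and applied to an interface.

Added example, not Cisco code. CONFIG is constructed from the snippets in
this section; the finding messages are this script's own wording.
"""
import re

CONFIG = """\
aaa new-model
aaa authentication login default group tacacs group radius
aaa authorization auth-proxy default group tacacs group radius
aaa accounting auth-proxy default start-stop group tacacs+
tacacs-server host 172.31.54.143
tacacs-server key cisco
radius-server host 172.31.54.143
radius-server key cisco
ip http server
ip http authentication aaa
access-list 61 deny any
ip http access-class 61
ip auth-proxy auth-cache-time 60
ip auth-proxy name HQ_users http
interface ethernet0
 ip address 10.1.1.210 255.255.255.0
 ip auth-proxy HQ_users
"""


def parse_config(text):
    """Split a config into global commands and per-interface subcommands.
    IOS indents subcommands with a single space, which is what we key on."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def audit_auth_proxy(text):
    """Return a list of findings; an empty list means every piece is present."""
    global_cmds, interfaces = parse_config(text)
    findings = []

    def present(pattern):
        return any(re.match(pattern, cmd) for cmd in global_cmds)

    if not present(r"aaa new-model$"):
        findings.append("aaa new-model is missing")
    if not present(r"aaa authorization auth-proxy default "):
        findings.append("no 'aaa authorization auth-proxy' method list: "
                        "per-user ACLs cannot be downloaded from AAA")
    if not present(r"ip http server$"):
        findings.append("ip http server is not enabled: the login page cannot be served")
    if not present(r"ip http authentication aaa$"):
        findings.append("HTTP server does not authenticate through AAA")

    # The access-class must point at an ACL that denies every host, so that
    # the router's HTTP server is reachable only via the authentication proxy.
    access_class = None
    for cmd in global_cmds:
        m = re.match(r"ip http access-class (\S+)$", cmd)
        if m:
            access_class = m.group(1)
    if access_class is None:
        findings.append("no ip http access-class: HTTP server reachable directly")
    elif not present(rf"access-list {access_class} deny +any$"):
        findings.append(f"access-class ACL {access_class} does not deny all hosts")

    # Every rule applied on an interface must be defined, and every defined
    # rule should be applied somewhere, otherwise it never triggers.
    defined = set()
    for cmd in global_cmds:
        m = re.match(r"ip auth-proxy name (\S+) http", cmd)
        if m:
            defined.add(m.group(1))
    applied = {}
    for ifname, subcmds in interfaces.items():
        for sub in subcmds:
            m = re.match(r"ip auth-proxy (\S+)$", sub)
            if m:
                applied[m.group(1)] = ifname
    for rule, ifname in applied.items():
        if rule not in defined:
            findings.append(f"interface {ifname} applies undefined rule {rule}")
    for rule in sorted(defined - set(applied)):
        findings.append(f"rule {rule} is defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in audit_auth_proxy(CONFIG) or ["no findings"]:
        print(finding)
```

Feed it a saved running-config instead of CONFIG to check a real device; the parser only understands the single-space subcommand indentation IOS uses, so keep the text as the device printed it.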

                                          Example: Authentication Proxy, IPsec, and CBAC Configuration

                                          The following example shows a configuration with the authentication proxy, IPsec, and CBAC features enabled. The figure below illustrates the configuration.

                                          Figure 6. Authentication Proxy, IPsec, and CBAC Configuration Example

                                          In this example, Host A initiates an HTTP connection with the web server (WWW). The HTTP traffic between Device 1 and Device 2 is encrypted using IPsec. The authentication proxy, IPsec, and CBAC are configured at Serial interface 0 on Device 2, which is acting as the firewall. ACL 105 blocks all traffic at interface Serial0. ACL 102 is applied at Ethernet interface 0 on Device 2 to block all traffic on that interface except traffic from the AAA server.

                                          When Host A initiates an HTTP connection with the web server, the authentication proxy prompts the user at Host A for a username and password. These credentials are verified with the AAA server for authentication and authorization. If authentication is successful, the per-user ACLs are downloaded to the firewall to permit services.

                                          Example: Device 1 Configuration

                                          ! Configure Device 1 for IPSec.
                                          version 12.0
                                          service timestamps debug uptime
                                          service timestamps log uptime
                                          no service password-encryption
                                          !
                                          hostname Device1
                                          !
                                          logging buffered 4096 debugging
                                          no logging console
                                          enable secret 5 $1$E0OB$AQF1vFZM3fLr3LQAOsudL/
                                          enable password junk
                                          !
                                          username Device2 password 0 welcome
                                          crypto isakmp policy 1
                                           authentication pre-share
                                          crypto isakmp key cisco1234 address 10.0.0.2       
                                          !
                                          crypto ipsec transform-set rule_1 ah-sha-hmac esp-des esp-sha-hmac 
                                          !
                                          !
crypto map testtag 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set rule_1
 match address 155
                                          !
                                          interface Ethernet0/0
                                           ip address 192.168.23.2 255.255.255.0
                                           no ip directed-broadcast
                                           no ip route-cache
                                           no ip mroute-cache
                                          !
                                          interface Serial3/1
                                           ip address 10.0.0.1 255.0.0.0
                                           no ip directed-broadcast
                                           encapsulation PPP
                                           ip route-cache
                                           no ip mroute-cache
                                           no keepalive
                                           no fair-queue
                                           clockrate 56000
                                           crypto map testtag
                                          !
                                          !
                                          ip classless
                                          ip route 192.168.123.0 255.255.255.0 10.0.0.2
                                          ! Identify the IPSec specific traffic.
                                          access-list 155 permit tcp host 192.168.23.13 host 192.168.123.14 eq www
                                          access-list 155 permit tcp host 192.168.23.13 eq www host 192.168.123.14

                                          Example: Device 2 Configuration

                                          ! Configure Device 2 as the firewall, using the authentication proxy, IPSec, and CBAC.
                                          version 12.0
                                          service timestamps debug uptime
                                          service timestamps log uptime
                                          no service password-encryption
                                          !
                                          hostname Device2
                                          !
                                          logging buffered 4096 debugging
                                          aaa new-model
                                          aaa authentication login default group tacacs
                                          aaa authentication login console_line none
                                          aaa authentication login special none
                                          aaa authentication ppp default group tacacs
                                          aaa authorization exec default group tacacs
                                          ! Configure AAA for the authentication proxy.
                                          aaa authorization auth-proxy default group tacacs+
                                          enable password junk
                                          !
! Create the CBAC inspection rule rule22.
                                          ip inspect name rule22 http
                                          ip inspect name rule22 tcp
                                          ip inspect name rule22 ftp
                                          ip inspect name rule22 smtp
                                          !
! Create the authentication proxy rule pxy.
                                          ip auth-proxy name pxy http
                                          ! Turn on display of the device name in the authentication proxy login page.
                                          ip auth-proxy auth-proxy-banner
                                          ip audit notify log
                                          ip audit po max-events 100
                                          !
                                          ! Configure IPSec.
                                          crypto isakmp policy 1
                                           authentication pre-share
                                          crypto isakmp key cisco1234 address 10.0.0.1       
                                          !
                                          crypto ipsec transform-set rule_1 ah-sha-hmac esp-des esp-sha-hmac 
                                          !
crypto map testtag 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set rule_1
 match address 155
                                          !
                                          ! Apply the CBAC inspection rule and the authentication proxy rule at serial interface 0/0
                                          ! 
                                          interface Serial0/0
                                           ip address 10.0.0.2 255.0.0.0
                                           ip access-group 105 in
                                           no ip directed-broadcast
                                           ip inspect rule22 in
                                           ip auth-proxy pxy
                                           encapsulation ppp
                                           no ip route-cache
                                           no ip mroute-cache
                                           no keepalive
                                           no fair-queue
 crypto map testtag
                                          !
                                          interface Ethernet0/1
                                           ip address 192.168.123.2 255.255.255.0
                                           ip access-group 102 in
                                           no ip directed-broadcast
                                           ip route-cache
                                           no ip mroute-cache
                                          !
                                          no ip classless
                                          ip route 192.168.23.0 255.255.255.0 10.0.0.1
                                          ip route 192.168.50.0 255.255.255.0 16.0.0.1
                                          ! Configure the HTTP server.
                                          ip http server
                                          ip http access-class 15
                                          ip http authentication aaa
                                          !
                                          ! Create ACL 15 to block all traffic for the http server.
                                          access-list 15 deny any
                                          ! Create ACL 102 to block all traffic inbound on Ethernet interface 0/1 except for 
                                          ! traffic from the AAA server.
                                          access-list 102 permit tcp host 192.168.123.20 eq tacacs host 192.168.123.2
                                          access-list 102 deny   tcp any any
                                          access-list 102 deny   udp any any
                                          access-list 102 permit ip any any
                                          ! Create ACL 105 to block all traffic inbound on Serial interface 0/0. Permit only IP
                                          ! protocol traffic.
                                          access-list 105 deny   tcp any any
                                          access-list 105 deny   udp any any
                                          access-list 105 permit ip any any
                                          ! Identify the IPSec specific traffic.
                                          access-list 155 permit tcp host 192.168.123.14 host 192.168.23.13 eq www
                                          access-list 155 permit tcp host 192.168.123.14 eq www host 192.168.23.13
                                          !
                                          ! Define the AAA server host and encryption key.
                                          tacacs-server host 192.168.123.14
                                          tacacs-server key cisco
                                          !
                                          line con 0
                                           exec-timeout 0 0
                                           login authentication special
                                           transport input none
                                          line aux 0
                                           transport input all
                                           speed 38400
                                           flowcontrol hardware
                                          line vty 0 4
                                           password lab

Example: Authentication Proxy, IPsec, NAT, and CBAC Configuration

                                          The following is a sample configuration with the authentication proxy, IPsec, NAT, and CBAC features enabled. The figure below illustrates the configuration.

                                          Figure 7. Authentication Proxy, IPsec, NAT, and CBAC Configuration Example

In this example, Host A initiates an HTTP connection with the web server (WWW). The HTTP traffic between Device 1 (BRI interface 0) and Device 2 (Serial interface 2) is encrypted using IPsec. The authentication proxy, NAT, and CBAC are configured at Serial interface 2 on Device 2, which is acting as the firewall. ACL 105 blocks all traffic at Serial interface 2. ACL 102 is applied at Ethernet interface 0 on Device 2 to block all traffic on that interface except traffic from the AAA server. In this example, the authentication proxy uses standard ACL 10 to specify the hosts that use the Authentication Proxy feature.

When any host in ACL 10 initiates an HTTP connection with the web server, the authentication proxy prompts the user at that host for a username and password. These credentials are verified with the AAA server for authentication and authorization. If authentication is successful, the per-user ACLs are downloaded to the firewall to permit services.

                                          Example: Device 1 Configuration

! Configure device 1 for IPSec.
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Device1
!
logging buffered 4096 debugging
no logging console
!
isdn switch-type basic-5ess
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco1234 address 10.0.0.2
crypto ipsec transform-set rule_1 ah-sha-hmac esp-des esp-sha-hmac
!
!
crypto map testtag 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set rule_1
 match address 155
!
!
process-max-time 200
!
interface BRI0
 ip address 10.0.0.1 255.0.0.0
 no ip directed-broadcast
 encapsulation ppp
 dialer idle-timeout 5000
 dialer map ip 10.0.0.2 name router2 broadcast 50006
 dialer-group 1
 isdn switch-type basic-5ess
 crypto map testtag
!
interface FastEthernet0
 ip address 192.168.50.2 255.255.255.0
 no ip directed-broadcast
!
ip classless
ip route 192.168.150.0 255.255.255.0 10.0.0.2
no ip http server
! Identify the IPSec specific traffic.
access-list 155 permit tcp host 192.168.50.13 host 192.168.150.100 eq www
access-list 155 permit tcp host 192.168.50.13 eq www host 192.168.150.100
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password lab
 login

                                          Example: Device 2 Configuration

                                          ! Configure device 2 as the firewall, using the authentication proxy, IPSec, NAT, and
                                          ! CBAC.
                                           version 12.0
                                           service timestamps debug uptime
                                           service timestamps log uptime
                                           no service password-encryption
                                           !
                                           hostname device2
                                           !
                                           logging buffered 4096 debugging
                                           aaa new-model
                                           aaa authentication login default group tacacs+
                                           aaa authentication login console_line none
                                           aaa authorization exec default group tacacs+
                                           ! Configure AAA for the authentication proxy.
                                           aaa authorization auth-proxy default group tacacs+
                                          !
                                           ! Create the CBAC inspection rule “rule44.”
                                           ip inspect name rule44 http java-list 5
                                           ip inspect name rule44 tcp
                                           ip inspect name rule44 ftp
                                           ip inspect name rule44 smtp
                                           !
                                           ! Create the authentication proxy rule “pxy.” Set the timeout value for rule
                                           ! pxy to three minutes. Standard ACL 10 is applied to the rule.
                                           ip auth-proxy name pxy http list 10 auth-cache-time 3
                                           isdn switch-type primary-5ess
                                           !
                                           ! Configure IPSec.
                                           crypto isakmp policy 1
                                            authentication pre-share
                                            crypto isakmp key cisco1234 address 10.0.0.1
                                            !
                                            crypto ipsec transform-set rule_1 ah-sha-hmac esp-des esp-sha-hmac
                                            !
                                            crypto map testtag 10 ipsec-isakmp
                                             set peer 10.0.0.1
                                             set transform-set rule_1
                                             match address 155
                                           !
                                           controller T1 2/0
                                            framing esf
                                            linecode b8zs
                                            pri-group timeslots 1-24
                                          !         
                                          ! Apply ACL 102 inbound at interface Ethernet0/1 and configure NAT.
                                          interface Ethernet0/1
                                           ip address 192.168.150.2 255.255.255.0
                                           ip access-group 102 in
                                           no ip directed-broadcast
                                           ip nat inside
                                           no ip mroute-cache
                                          !         
                                           ! Apply the authentication proxy rule pxy, the CBAC inspection rule rule44, NAT,
                                           ! and ACL 105 at interface Serial2/0:23.
                                          interface Serial2/0:23
                                           ip address 10.0.0.2 255.0.0.0
                                           ip access-group 105 in
                                           no ip directed-broadcast
                                           ip nat outside
                                           ip inspect rule44 in
                                           ip auth-proxy pxy
                                           encapsulation ppp
                                           ip mroute-cache
                                           dialer idle-timeout 5000
                                           dialer map ip 10.0.0.1 name device1 broadcast 71011
                                           dialer-group 1
                                           isdn switch-type primary-5ess
                                           fair-queue 64 256 0
                                           crypto map testtag
                                          !         
                                          ! Use NAT to translate the Web server address.
                                          ip nat inside source static 192.168.150.14 192.168.150.100
                                          ip classless
                                          ip route 192.168.50.0 255.255.255.0 10.0.0.1
                                          ! Configure the HTTP server.
                                          ip http server
                                          ip http access-class 15
                                          ip http authentication aaa
                                          !
                                          ! Create standard ACL 5 to specify the list of hosts from which to accept java applets.
                                          ! ACL 5 is used to block Java applets in the CBAC inspection rule named “rule44,” which
                                          ! is applied at interface Serial2/0:23.
                                          access-list 5 permit any
                                           ! Create standard ACL 10 to specify the hosts using the authentication proxy. This ACL
                                           ! is used in the authentication proxy rule named "pxy", which is applied at interface
                                           ! Serial2/0:23.
                                          access-list 10 permit any
                                          ! Create ACL 15 to block all traffic for the http server.
                                          access-list 15 deny any
                                          ! Create extended ACL 102 to block all traffic inbound on interface Ethernet0/1
                                          ! except for traffic from the AAA server.
                                          access-list 102 permit tcp host 192.168.150.20 eq tacacs 192.168.150.2
                                          access-list 102 deny   tcp any any
                                          access-list 102 deny   udp any any
                                          access-list 102 permit ip any any
                                          ! Create extended ACL 105 to block all TCP and UDP traffic inbound on interface
                                          ! Serial2/0:23.
                                          access-list 105 deny   tcp any any
                                          access-list 105 deny   udp any any
                                          access-list 105 permit ip any any
                                          ! Identify the IPSec specific traffic.
                                          access-list 155 permit tcp host 192.168.150.100 host 192.168.50.13 eq www
                                          access-list 155 permit tcp host 192.168.150.100 eq www host 192.168.50.13
                                          dialer-list 1 protocol ip permit
                                          ! Define the AAA server host and encryption key.
                                          tacacs-server host 192.168.126.14 
                                          tacacs-server key cisco
                                          !
                                           line con 0
                                            exec-timeout 0 0
                                           ! Use the console_line method list (no authentication) for the console.
                                            login authentication console_line
                                            transport input none
                                           line aux 0
                                           line vty 0 4
                                            password lab
                                          !
                                          !
                                           end
                                          

                                          Example: AAA Server User Profile

                                          This section includes examples of the authentication proxy user profile entries on the AAA servers. The “proxyacl” entries define the user access privileges. After the user has successfully used the authentication proxy to log in, these entries are transferred to the firewall router. Each entry in the profile must specify “permit” access for the service or application. The source address in each entry is set to “any”, which is replaced with the IP address of the authenticating host when the profile is downloaded to the firewall. The privilege level must be set to 15 for all AAA users.

                                          Example: CiscoSecure ACS 2.3 for Windows NT

                                          This section describes how to configure authentication proxy on CiscoSecure ACS 2.3 for Windows NT. For detailed information about CiscoSecure ACS, refer to the documentation for that product.

                                          The following sample configuration is for the TACACS+ service of CiscoSecure ACS for Windows NT.

                                          SUMMARY STEPS

                                            1.    Click the Interface Configuration icon and click TACACS+ (Cisco).

                                            2.    Click the Network Configuration icon.

                                            3.    Click the Group Setup icon.

                                            4.    Click the User Setup icon.

                                             5.    Click the Group Setup icon again.


                                          DETAILED STEPS
                                            Step 1   Click the Interface Configuration icon and click TACACS+ (Cisco).
                                            1. Scroll down to New Services.
                                            2. Add a new service, “auth-proxy”, in the Service field. Leave the Protocol field empty.
                                            3. Select both the User and Group check boxes for the new service.
                                             4. Scroll down to Advance Configuration Options and check the Per-user Advance TACACS+ features.
                                            5. Click Submit.
                                            Step 2   Click the Network Configuration icon.
                                            1. Click the Add Entry icon for Network Access Servers and fill in the Network Access Server Hostname, IP address, and key (the key configured on the router) fields.
                                            2. Select TACACS+ (Cisco) for the Authenticate Using option.
                                            3. Click the Submit + Restart icon.
                                            Step 3   Click the Group Setup icon.
                                            1. Select a user group from the drop-down menu.
                                            2. Select the Users in Group check box.
                                            3. Select a user from the user list.
                                            4. In the User Setup list, scroll down to TACACS+ Settings and select the “auth-proxy” check box.
                                            5. Select the Custom Attributes check box.
                                            6. Add the profile entries (do not use single or double quotes around the entries) and set the privilege level to 15.

                                               Example:
                                               priv-lvl=15
                                               proxyacl#1=permit tcp any any eq 26
                                               proxyacl#2=permit icmp any host 10.0.0.2
                                               proxyacl#3=permit tcp any any eq ftp
                                               proxyacl#4=permit tcp any any eq ftp-data
                                               proxyacl#5=permit tcp any any eq smtp
                                               proxyacl#6=permit tcp any any eq telnet

                                            7. Click Submit.
                                            Step 4   Click the User Setup icon.
                                            1. Click List All Users.
                                            2. Add a username.
                                             3. Scroll down to User Setup Password Authentication.
                                             4. Select SDI SecurID Token Card from the Password Authentication drop-down menu.
                                             5. Select the previously configured user group 1.
                                            6. Click Submit.
                                             Step 5   Click the Group Setup icon again.
                                            1. Select the user group 1.
                                            2. Click Users in Group.
                                            3. Click Edit Settings.
                                            4. Click the Submit + Restart icon to make sure the latest configuration is updated and sent to the AAA server.

                                            Example: CiscoSecure ACS 2.3 for UNIX

                                            This section describes how to configure authentication proxy on CiscoSecure ACS 2.3 for UNIX. For detailed information regarding CiscoSecure ACS, refer to the documentation for that product.

                                            To manage the CiscoSecure ACS using the Administrator program, you need a web browser that supports Java and JavaScript. You must enable Java in the browser application. You can start the Java-based CiscoSecure Administrator advanced configuration program from any of the CiscoSecure ACS Administrator web pages.

                                            The following sample configuration procedure is for the TACACS+ service of CiscoSecure ACS 2.3 for UNIX.

                                            SUMMARY STEPS

                                              1.    On the CiscoSecure ACS web menu bar of the CiscoSecure ACS web interface, click Advanced and then click Advanced again.

                                              2.    In the CiscoSecure Administrator advanced configuration program, locate and deselect Browse in the Navigator pane of the tabbed Members page.

                                              3.    In the Navigator pane, do one of the following:

                                              4.    Click Create Profile to display the New Profile dialog box.

                                              5.    Make sure the Group check box is cleared.

                                              6.    Enter the name of the user you want to create and click OK. The new user appears in the tree.

                                              7.    Click the icon for the group or user profile in the tree that is displayed in the Navigator pane of the tabbed Members page.

                                              8.    If necessary, in the Profile pane, click the Profile icon to expand it.

                                              9.    Click Service-String.

                                              10.    Click string, enter auth-proxy in the text field, and click Apply.

                                              11.    Select the Option menu.

                                              12.    On the Option menu, click Default Attributes.

                                              13.    Change the attribute from Deny to Permit.

                                              14.    Click Apply.

                                              15.    On the Option menu, click Attribute and enter the privilege level in the text field:

                                              16.    On the Option menu, click Attribute and enter the proxyacl entries in the text field:

                                              17.    When you have finished making all your changes, click Submit.


                                            DETAILED STEPS
                                              Step 1   On the CiscoSecure ACS web menu bar of the CiscoSecure ACS web interface, click Advanced and then click Advanced again.

                                              The Java-based CiscoSecure Administrator advanced configuration program appears. It might require a few minutes to load.

                                              Step 2   In the CiscoSecure Administrator advanced configuration program, locate and deselect Browse in the Navigator pane of the tabbed Members page.

                                              This displays the Create New Profile icon.

                                              Step 3   In the Navigator pane, do one of the following:
                                              • Locate and click the group to which the user will belong.
                                              • If you do not want the user to belong to a group, click the [Root] folder icon.
                                              Step 4   Click Create Profile to display the New Profile dialog box.
                                              Step 5   Make sure the Group check box is cleared.
                                              Step 6   Enter the name of the user you want to create and click OK. The new user appears in the tree.
                                              Step 7   Click the icon for the group or user profile in the tree that is displayed in the Navigator pane of the tabbed Members page.
                                              Step 8   If necessary, in the Profile pane, click the Profile icon to expand it.

                                              A list or dialog box that contains attributes applicable to the selected profile or service appears in the window at the bottom right of the screen. The information in this window changes depending on what you have selected in the Profile pane.

                                              Step 9   Click Service-String.
                                              Step 10   Click string, enter auth-proxy in the text field, and click Apply.
                                              Step 11   Select the Option menu.
                                              Step 12   On the Option menu, click Default Attributes.
                                              Step 13   Change the attribute from Deny to Permit.
                                              Step 14   Click Apply.
                                              Step 15   On the Option menu, click Attribute and enter the privilege level in the text field:

                                               Example:
                                               priv-lvl=15

                                               Step 16   On the Option menu, click Attribute and enter the proxyacl entries in the text field:

                                               Example:
                                               proxyacl#1="permit tcp any any eq 26"

                                               Repeat this step for each additional service or protocol to add:

                                               Example:
                                               proxyacl#2="permit icmp any host 10.0.0.2"
                                               proxyacl#3="permit tcp any any eq ftp"
                                               proxyacl#4="permit tcp any any eq ftp-data"
                                               proxyacl#5="permit tcp any any eq smtp"
                                               proxyacl#6="permit tcp any any eq telnet"

                                              Step 17   When you have finished making all your changes, click Submit.

                                              Example: TACACS+ Server

                                               default authorization = permit
                                               key = cisco
                                               user = Brian {
                                                   login = cleartext cisco
                                                   service = auth-proxy
                                                   {
                                                       priv-lvl=15
                                                       proxyacl#1="permit tcp any any eq 26"
                                                       proxyacl#2="permit icmp any host 10.0.0.2"
                                                       proxyacl#3="permit tcp any any eq ftp"
                                                       proxyacl#4="permit tcp any any eq ftp-data"
                                                       proxyacl#5="permit tcp any any eq smtp"
                                                       proxyacl#6="permit tcp any any eq telnet"
                                                   }
                                               }

                                              Example: Livingston Radius Server

                                              Bob Password = "cisco" User-Service-Type=Outbound-User
                                              cisco-avpair = "auth-proxy:priv-lvl=15",
                                              cisco-avpair = "auth-proxy:proxyacl#1=permit tcp any any eq 26",
                                              cisco-avpair = "auth-proxy:proxyacl#2=permit icmp any host 10.0.0.2",
                                              cisco-avpair = "auth-proxy:proxyacl#3=permit tcp any any eq ftp",
                                              cisco-avpair = "auth-proxy:proxyacl#4=permit tcp any any eq ftp-data",
                                              cisco-avpair = "auth-proxy:proxyacl#5=permit tcp any any eq smtp",
                                              cisco-avpair = "auth-proxy:proxyacl#6=permit tcp any any eq telnet"

                                              Example: Ascend Radius Server

                                              Alice Password = "cisco" User-Service = Dialout-Framed-User
                                              cisco-avpair = "auth-proxy:priv-lvl=15",
                                              cisco-avpair = "auth-proxy:proxyacl#1=permit tcp any any eq 26",
                                              cisco-avpair = "auth-proxy:proxyacl#2=permit icmp any host 10.0.0.2",
                                              cisco-avpair = "auth-proxy:proxyacl#3=permit tcp any any eq ftp",
                                              cisco-avpair = "auth-proxy:proxyacl#4=permit tcp any any eq ftp-data",
                                              cisco-avpair = "auth-proxy:proxyacl#5=permit tcp any any eq smtp",
                                              cisco-avpair = "auth-proxy:proxyacl#6=permit tcp any any eq telnet"
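The profile rules stated above (privilege level 15, permit-only proxyacl entries, the "any" source replaced by the authenticating host) as an added Python example; this is not Cisco documentation or software. It reads both the TACACS+ file form and the RADIUS cisco-avpair form shown in the examples; the sample profiles, the broken profile and the client address 192.168.50.13 are constructed for illustration.

```python
"""Validate and render Cisco IOS auth-proxy user profiles (added example)."""
import re
from ipaddress import ip_address

# Attribute forms seen in the profiles: TACACS+ "proxyacl#1=..." / "priv-lvl=15"
# and RADIUS cisco-avpair = "auth-proxy:proxyacl#1=..." (prefix is optional).
_ATTR_RE = re.compile(r"(?:auth-proxy:)?(proxyacl#(\d+)|priv-lvl)=(.*)")
_AVPAIR_RE = re.compile(r'cisco-avpair\s*=\s*"(.*)"$')

# Constructed sample profiles, modelled on the document's Brian/Bob entries.
TACACS_PROFILE = """\
user = Brian {
login = cleartext cisco
service = auth-proxy
 {
  priv-lvl=15
  proxyacl#1="permit tcp any any eq 26"
  proxyacl#2="permit icmp any host 10.0.0.2"
  proxyacl#3="permit tcp any any eq ftp"
 }
}
"""

RADIUS_PROFILE = """\
Bob Password = "cisco" User-Service-Type=Outbound-User
cisco-avpair = "auth-proxy:priv-lvl=15",
cisco-avpair = "auth-proxy:proxyacl#1=permit tcp any any eq 26",
cisco-avpair = "auth-proxy:proxyacl#2=permit icmp any host 10.0.0.2",
cisco-avpair = "auth-proxy:proxyacl#3=permit tcp any any eq ftp"
"""

# Constructed broken profile: wrong privilege level, a deny entry, a numbering gap.
BAD_PROFILE = """\
priv-lvl=1
proxyacl#1=deny tcp any any eq telnet
proxyacl#3=permit tcp any any eq ftp
"""


def parse_profile(text):
    """Return (priv_lvl, {n: acl_text}) from a TACACS+ or RADIUS profile."""
    priv_lvl, acls = None, {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        m = _AVPAIR_RE.search(line)
        if m:                       # unwrap RADIUS cisco-avpair = "..."
            line = m.group(1)
        m = _ATTR_RE.fullmatch(line.strip())
        if not m:
            continue                # user, login, service, brace lines
        key, n, value = m.groups()
        value = value.strip().strip('"\u201c\u201d')  # tolerate quoted entries
        if key == "priv-lvl":
            priv_lvl = int(value)
        else:
            acls[int(n)] = value
    return priv_lvl, acls


def validate_profile(priv_lvl, acls):
    """Return the problems that would make the profile unusable (empty = OK)."""
    problems = []
    if priv_lvl != 15:
        problems.append(f"priv-lvl must be 15, got {priv_lvl}")
    if not acls:
        problems.append("no proxyacl entries")
    elif sorted(acls) != list(range(1, len(acls) + 1)):
        problems.append(f"proxyacl numbering is not 1..N: {sorted(acls)}")
    for n, text in sorted(acls.items()):
        words = text.split()
        if len(words) < 4 or words[0] != "permit":
            problems.append(f"proxyacl#{n} is not a permit entry: {text!r}")
        elif words[2] != "any":
            problems.append(f"proxyacl#{n} source should be 'any': {text!r}")
    return problems


def render_dynamic_acl(acls, client_ip):
    """ACEs installed after login: the 'any' source becomes the client host."""
    host = f"host {ip_address(client_ip)}"
    entries = []
    for n in sorted(acls):
        words = acls[n].split()     # permit <proto> any <destination ...>
        entries.append(" ".join(words[:2] + [host] + words[3:]))
    return entries


if __name__ == "__main__":
    for name, text in (("TACACS+", TACACS_PROFILE), ("RADIUS", RADIUS_PROFILE),
                       ("bad", BAD_PROFILE)):
        lvl, acls = parse_profile(text)
        problems = validate_profile(lvl, acls)
        print(f"{name}: {problems or 'no problems'}")
        if not problems:
            print("\n".join(render_dynamic_acl(acls, "192.168.50.13")))
```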

                                               Additional References

                                               Related Documents

                                               Related Topic: Cisco IOS commands
                                               Document Title: Cisco IOS Master Command List, All Releases

                                               Related Topic: Authentication, authorization, and accounting
                                               Document Title: Authentication, Authorization, and Accounting (AAA) Configuration Guide

                                               Related Topic: Access lists and the Cisco IOS Firewall
                                               Document Title: "Access Control Lists: Overview and Guidelines" module of the Security Configuration Guide: Access Control Lists publication

                                               Related Topic: Context-Based Access Control (CBAC)
                                               Document Title: "Configuring Context-Based Access Control" module of the Security Guide Publication: Context-Based Access Control Firewall

                                               Related Topic: RADIUS
                                               Document Titles: RADIUS Configuration Guide; RADIUS Attributes Configuration Guide; General RADIUS Configurations Configuration Guide

                                               Related Topic: TACACS+
                                               Document Title: TACACS+ Configuration Guide

                                               Technical Assistance

                                               Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
                                               Link: http://www.cisco.com/cisco/web/support/index.html

                                              Feature Information for Authentication Proxy

                                              The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

                                              Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

                                               Table 3 Feature Information for Authentication Proxy

                                               Feature Name: Cisco IOS Firewall Authentication Proxy
                                               Releases: 12.1(5)T
                                               Feature Information: The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols. Authenticating and authorizing connections by users provides more robust protection against network attacks.

                                               Feature Name: Web Authentication with Critical Authentication Support
                                               Releases: 15.2(2)T
                                               Feature Information: The AAA fail policy is a method for allowing a user to connect or to remain connected to the network if the AAA server is not available. Related section: AAA Fail Policy

                                               Feature Name: Web Authentication Enhancements
                                               Releases: 15.2(2)T
                                               Feature Information: Substitute your custom HTML pages for the four default internal HTML pages or specify a URL to which the user will be redirected upon successful authentication, effectively replacing the internal Success page. Related section: Customization of the Authentication Proxy Web Pages