Authentication proxy (auth-proxy) is available only on Cisco
IOS Software containing the firewall feature set, since version
12.0.5.T. Auth-proxy can be used to authenticate inbound or outbound users, or
both, by having them use a web browser to pass through the firewall and authenticate on a
TACACS+ or RADIUS server. Traditional access lists are in place to block all
traffic. After authentication, the AAA server passes temporary access list
entries to the firewall router to allow predefined types of traffic.
Authentication proxy has certain requirements that must be met for
effective use of this technology in a network. This section looks briefly at
some of the system requirements, as well as the skill sets required of a network
administrator tasked with implementing and supporting Cisco secure
authentication proxy.
- Client hosts must be running one of the following
browsers. These client browsers must have JavaScript enabled
for secure authentication.
- Because the authentication proxy activates only on HTTP
connections, HTTP services must be running on the standard (well-known) port 80
on the firewall router.
- The authentication proxy feature and related access list
entries apply only to traffic passing through the router. Any administrative
traffic with the router as the destination is authenticated by the standard
authentication methods provided by IOS software.
- Authentication proxy doesn’t support concurrent use, meaning
it can’t be used for multiple users to log in from the same host device at the
same time. The authentication and authorization apply only to the first user to
submit a valid user name and password. Any others are ignored until the first
user ends their session.
- Load balancing between multiple AAA servers isn’t supported.
Requests go to an additional AAA server only if the first one configured times
out.
- Because authentication proxy can use standard access lists,
it is important to understand how access lists are used to filter traffic before
configuring the authentication proxy. For more information on how to configure and
use access lists, see Chapter 2 and Appendix A.
- The authentication proxy is a feature of the Cisco
Authentication, Authorization, and Accounting (AAA) strategy. It’s important to
understand how to configure AAA user authentication, authorization, and
accounting before you attempt to configure the authentication proxy. For more
information on how to configure AAA, see Chapters 3 and 4.
- To create a completely secure and successful implementation
of the authentication proxy feature of the Cisco IOS Firewall, you must
configure CBAC on the firewall. CBAC features are typically required to allow
filtering of protocols permitted by the downloadable user profiles. For more
information on configuring and using the CBAC features, see Chapter 6.
Cisco suggests the following tips for implementing the auth-proxy
features to reduce the impact on the existing network and the number of variables
involved. This makes it easier to see whether the process is being implemented as
defined in the security policy.
- Confirm that traffic is flowing properly through the
firewall before configuring auth-proxy. Remember, other firewall features exist,
such as ACLs and CBAC, that can restrict traffic flow.
- To reduce disruption of the network during testing, modify
any existing access list or add an access list to deny access to only one test
client.
- Confirm that only the one test client can’t get through the
firewall and that all other hosts can pass through.
- Add the exec-timeout 0 0 command under the
console port (line con 0) and/or virtual type terminals (line vty 0 4) to
prevent your sessions from timing out while you’re busy on other devices or
reading online documentation. The first 0 is minutes, the second 0 is seconds:
exec-timeout 20 30 would set the idle timer to 20 1/2 minutes. The 0 0
combination turns off the idle timer.
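The following IOS configuration is an added example that pulls the requirements and tips above into one lab-style test setup; it is not a configuration from the book. All IP addresses, the interface name, the access list number, the auth-proxy rule name and the TACACS+ key are constructed placeholders, and the AAA and auth-proxy commands shown are the classic IOS forms (aaa authorization auth-proxy, ip auth-proxy name, ip auth-proxy on the interface).

```cisco
! Added example, not from the original text. Addresses, names and the
! TACACS+ key are constructed placeholders for a lab.
!
! Requirement: auth-proxy intercepts only HTTP, so the router's HTTP
! server must listen on the well-known port 80.
ip http server
!
! Requirement: AAA must be working first. Authentication and auth-proxy
! authorization both go to the TACACS+ server; the authorization step is
! what returns the temporary access list entries for the user's profile.
! Only one server is listed here; a second server would be tried only
! if this one timed out (no load balancing).
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.100
tacacs-server key PLACEHOLDER-TACACS-KEY
!
! Tip: during testing, block only the single test client (10.1.2.50) and
! let every other inside host pass. Before enabling auth-proxy, confirm
! that 10.1.2.50 cannot get through and that all other hosts can.
access-list 110 deny   ip host 10.1.2.50 any
access-list 110 permit ip any any
!
! Auth-proxy rule that triggers on HTTP, applied on the inside interface
! together with the test access list.
ip auth-proxy name TEST-PROXY http
!
interface FastEthernet0/0
 description Inside (client) network
 ip address 10.1.2.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy TEST-PROXY
!
! Tip: turn off the idle timer on console and vty lines while working.
! exec-timeout <minutes> <seconds>; 0 0 disables the timer entirely.
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 0 0
```

Once the test client's HTTP session has authenticated through the TACACS+ server, `show ip auth-proxy cache` lists the active entry and `show ip access-lists` shows the temporary entries the AAA server pushed above the static deny; only then widen the access list from the single test client to the production policy.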