Unlike many Cisco IOS Firewall features that operate transparently to the user, the authentication proxy feature requires some user interaction on the client host. When a user, using a web browser, initiates an HTTP session through a firewall configured to support the authentication proxy, the process is triggered. The authentication proxy first checks whether the user has already been authenticated. If so, the connection is completed without further intervention. If no valid authentication entry exists, the authentication proxy responds with a screen that prompts the user for a user name and a password. Figure 8-1 shows the message that greets the user.
In the sample, the Rtr1 text is the host name defined for the firewall router. The rest of the text might vary slightly with the version of Cisco Secure ACS and the operating system (OS) platform.
The users must successfully authenticate by supplying a valid user name and password combination recognized by the defined authentication server. Figure 8-2 shows a successful attempt response.
If the authentication attempt failed, the authentication proxy would display a message stating Authentication Failed! and then prompt the user for retries. After five failed attempts to authenticate, the user would wait two minutes and then would have to initiate another HTTP session to trigger the authentication proxy again.
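The intercept, prompt, retry and lockout flow described above, written as a small Python model (an added example, not Cisco IOS code; the five-attempt limit and two-minute wait come from the text, while the cache lifetime, the user table and the `aaa_check` stand-in for the AAA server are constructed assumptions):

```python
import time

# Values the text states for the Cisco IOS authentication proxy.
MAX_FAILED_ATTEMPTS = 5     # five failed attempts ...
LOCKOUT_SECONDS = 120       # ... then a two-minute wait
CACHE_TTL_SECONDS = 3600    # assumption: lifetime of a successful entry (not given in the text)

# Constructed stand-in for the AAA server (Cisco Secure ACS); not a real user database.
VALID_USERS = {"alice": "s3cret"}


def aaa_check(username, password):
    return VALID_USERS.get(username) == password


class AuthProxy:
    """Simplified model of the check-entry / prompt / lockout flow; not Cisco's implementation."""

    def __init__(self, check_credentials=aaa_check, clock=time.time):
        self.check_credentials = check_credentials
        self.clock = clock
        self.cache = {}         # src_ip -> time until which the authentication entry is valid
        self.failures = {}      # src_ip -> failed attempts so far
        self.locked_until = {}  # src_ip -> time until which no new prompt is offered

    def intercept(self, src_ip):
        """Called when an HTTP session through the firewall starts."""
        now = self.clock()
        if self.cache.get(src_ip, 0) > now:
            return "pass"       # valid entry exists: connection completes without intervention
        if self.locked_until.get(src_ip, 0) > now:
            return "locked"     # still inside the two-minute wait
        return "prompt"         # no entry: show the user name / password screen

    def submit(self, src_ip, username, password):
        """Called with the credentials typed into the prompt."""
        now = self.clock()
        if self.locked_until.get(src_ip, 0) > now:
            return "locked"
        if self.check_credentials(username, password):
            self.cache[src_ip] = now + CACHE_TTL_SECONDS
            self.failures.pop(src_ip, None)
            return "success"
        self.failures[src_ip] = self.failures.get(src_ip, 0) + 1
        if self.failures[src_ip] >= MAX_FAILED_ATTEMPTS:
            self.failures.pop(src_ip, None)
            self.locked_until[src_ip] = now + LOCKOUT_SECONDS
            return "locked"     # user must wait, then start a new HTTP session
        return "Authentication Failed!"   # user is prompted to retry
```

The `clock` parameter exists only so the lockout window can be exercised without waiting two real minutes.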