Authentication Proxy
Problem
You want the router to separately authenticate and
authorize individual users as they access restricted resources.
Solution
To enable an IOS-based authentication proxy, use the following
commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization auth-proxy default local
Router1(config)#ip auth-proxy auth-proxy-banner http
Router1(config)#ip auth-proxy name HTTPPROXY http
Router1(config)#ip admission auth-proxy-banner http
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip auth-proxy HTTPPROXY
Router1(config-if)#ip http server
Router1(config)#ip http authentication local
Router1(config)#end
Router1#
Discussion
Cisco authentication proxy is an intercepting proxy that
requires users to authenticate before being allowed to access resources behind
the proxy. Because it operates as an intercepting proxy, the placement of the
router is vital: it can only authenticate sessions that traverse the router.
Generally, this means that the proxy must be placed at a network choke point,
such as the link to the Internet.
Since Cisco authentication proxy is designed to act as an
intercepting proxy, there is no need for end users to configure their browsers
to point to the proxy server. The router automatically intercepts all
sessions and forces the end users to authenticate before they can access
resources behind the proxy. The first time a user attempts to access a web site,
the router presents an authentication screen. Once the user submits a correct
username and password, he is free to surf as normal.
General uses for authentication proxies are Internet cafes,
public wireless access providers, and organizations that wish to control access
to the Internet. In all instances, users will be forced to authenticate before
they'll be allowed to surf beyond the proxy. This allows an organization to
tightly control network access. In addition, authentication proxies can be used
to secure Intranet servers that don't have the capability to enforce
authentication themselves.
To view the current proxy cache, use the following show command:
Router1#show ip auth-proxy cache
Authentication Proxy Cache
Client Name ijbrown, Client IP 172.25.1.52, Port 4224, timeout 60, Time Remaining 53, state ESTAB
Router1#
In this example, we can see that one user, ijbrown,
has been authenticated successfully and is currently active. We can also see
that the default inactivity timer is set to 60 minutes, and that our user
currently has 53 minutes remaining until he'll be forced to authenticate
again.
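As an added example that is not part of the original recipe, the following Python parses the output of show ip auth-proxy cache into records, so a monitoring script can tell how long each user has been idle and which sessions are about to be forced to re-authenticate. The first cache line is the one shown above; the second is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of "show ip auth-proxy cache" output. The ijbrown entry
# comes from the text; the kdooley entry is made up for this example.
SAMPLE_CACHE = """\
Authentication Proxy Cache
Client Name ijbrown, Client IP 172.25.1.52, Port 4224, timeout 60, Time Remaining 53, state ESTAB
Client Name kdooley, Client IP 172.25.1.77, Port 1180, timeout 60, Time Remaining 4, state ESTAB
"""

# One cache entry per line; the field order matches the router's output format.
ENTRY_RE = re.compile(
    r"Client Name (?P<user>\S+), Client IP (?P<ip>\S+), Port (?P<port>\d+), "
    r"timeout (?P<timeout>\d+), Time Remaining (?P<remaining>\d+), state (?P<state>\S+)"
)


@dataclass
class CacheEntry:
    user: str
    ip: str
    port: int
    timeout: int    # inactivity timer, in minutes
    remaining: int  # minutes left before the user must authenticate again
    state: str


def parse_cache(output: str) -> List[CacheEntry]:
    """Turn the raw show-command output into a list of CacheEntry records."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            entries.append(CacheEntry(m["user"], m["ip"], int(m["port"]),
                                      int(m["timeout"]), int(m["remaining"]), m["state"]))
    return entries


def idle_minutes(entry: CacheEntry) -> int:
    """Minutes since the user's last activity (timer minus time remaining)."""
    return entry.timeout - entry.remaining


def expiring_soon(entries: List[CacheEntry], within_minutes: int) -> List[str]:
    """Users with established sessions that will expire within the window."""
    return [e.user for e in entries
            if e.state == "ESTAB" and e.remaining <= within_minutes]
```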
To manually force all users to authenticate again, use the
following clear command:
Router1#clear ip auth-proxy cache *
Router1#
You can view the authentication proxy's configuration by using
the following show command:
Router1#show ip auth-proxy configuration
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
Auth-proxy name HTTPPROXY
http list not specified inactivity-timer 60 minutes
Router1#
For our example, we used local authentication, which is
sufficient for a small company or installation; however, for larger
organizations you can also configure the authentication proxy to use either
a RADIUS or a TACACS server to authenticate users.
To configure an authentication proxy server with TACACS
support, use the following set of commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization auth-proxy default group tacacs
Router1(config)#tacacs-server host 172.25.5.5
Router1(config)#tacacs-server key cisco
Router1(config)#ip http server
Router1(config)#ip http authentication aaa
Router1(config)#ip auth-proxy name TESTPROXY http
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip auth-proxy TESTPROXY
Router1(config-if)#end
Router1#
In this example, authentication will be performed by the TACACS
server. Please see Chapter 4 for more
information on TACACS.