This chapter describes the commands used to configure authentication proxy. The Cisco IOS Firewall authentication proxy feature allows network administrators to apply specific security policies on a per-user basis. Previously, user identity and related authorized access was associated with a user's IP address, or a single security policy had to be applied to an entire user group or subnet. Now, users can be identified and authorized on the basis of their per-user policy, and access privileges tailored on an individual basis are possible, as opposed to general policy applied across multiple users.
With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a CiscoSecure ACS or another RADIUS or TACACS+ authentication server. The user profiles are active only while there is active traffic from the authenticated users.
For information on how to configure authentication proxy, refer to the "Configuring Authentication Proxy" chapter in the Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "Authentication Proxy Configuration Examples" section located at the end of the "Configuring Authentication Proxy" chapter in the Cisco IOS Security Configuration Guide.
clear ip auth-proxy cache
Syntax Description
*                 Clears all authentication proxy entries, including user profiles and dynamic access lists.
host ip address   Clears the authentication proxy entry, including user profiles and dynamic access lists, for the specified host.
Command Modes
EXEC
Command History
Release     Modification
12.0(5)T    This command was introduced.
Usage Guidelines
Use this command to clear entries from the translation table before they time out.
Examples
The following example deletes all authentication proxy entries:
clear ip auth-proxy cache *
The following example deletes the authentication proxy entry for the host with IP address 192.168.4.5:
clear ip auth-proxy cache 192.168.4.5
Related Commands
Command                     Description
show ip auth-proxy cache    Displays the authentication proxy entries or the running authentication proxy configuration.
ip auth-proxy
Syntax Description
auth-proxy-name Specifies the name of the authentication proxy rule to apply to the interface configuration. The authentication proxy rule is established with the ip auth-proxy name command.
Defaults
No default behavior or values.
Command Modes
Interface configuration
Command History
Release     Modification
12.0(5)T    This command was introduced.
Usage Guidelines
Use the ip auth-proxy command to enable the named authentication proxy rule at the firewall interface. Traffic passing through the interface from hosts with an IP address matching the standard access list and protocol type (HTTP) is intercepted for authentication if no corresponding authentication cache entry exists. If no access list is defined, the authentication proxy intercepts traffic from all hosts whose connection-initiating packets are received at the configured interface.
Use the no form of this command with a rule name to disable the authentication proxy for a given rule on a specific interface. If a rule is not specified, the no form of this command disables the authentication proxy on the interface.
Examples
The following example configures interface Ethernet0 with the HQ_users rule:
interface e0
 ip address 172.21.127.210 255.255.255.0
 ip access-group 111 in
 ip auth-proxy HQ_users
 ip nat inside
Related Commands
Command               Description
ip auth-proxy name    Creates an authentication proxy rule.
ip auth-proxy auth-cache-time
Syntax Description
min Specifies the length of time in minutes that an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity. Enter a value in the range 1 to 2,147,483,647. The default value is 60 minutes.
Defaults
60 minutes.
Command Modes
Global configuration
Command History
Release     Modification
12.0(5)T    This command was introduced.
Usage Guidelines
Use this command to set the global idle timeout value for the authentication proxy. You must set the auth-cache-time timeout value higher than the idle timeout of any CBAC protocols. Otherwise, when the authentication proxy removes the user profile along with its associated dynamic user ACLs, there might still be idle connections monitored by CBAC, and removing those user-specific ACLs could cause the idle connections to hang. If the CBAC idle timeout value is shorter, CBAC resets these connections when its idle timeout expires, which is before the authentication proxy removes the user profile.
Examples
The following example sets the authorization cache timeout to 30 minutes:
ip auth-proxy auth-cache-time 30
Related Commands
Command                             Description
ip auth-proxy name                  Creates an authentication proxy rule.
show ip auth-proxy configuration    Displays the authentication proxy entries or the running authentication proxy configuration.
ip auth-proxy auth-proxy-banner
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release     Modification
12.0(5)T    This command was introduced.
Usage Guidelines
Use the ip auth-proxy auth-proxy-banner command to display the banner in the authentication proxy login page.
Examples
The following example enables the banner in the authentication proxy login page:
ip auth-proxy auth-proxy-banner
Related Commands
Command               Description
ip auth-proxy name    Creates an authentication proxy rule.
ip auth-proxy name
Syntax Description
auth-proxy-name         Associates a name with an authentication proxy rule. Enter a name of up to 16 alphanumeric characters.
http                    Specifies the protocol that triggers the authentication proxy. The only supported protocol is HTTP.
auth-cache-time min     (Optional) Overrides the global authentication proxy cache timer for a specific authentication proxy name, offering more control over timeout values. Enter a value in the range 1 to 2,147,483,647. The default value is equal to the value set with the ip auth-proxy auth-cache-time command.
list std-access-list    (Optional) Specifies a standard access list to use with the authentication proxy. With this option, the authentication proxy is applied only to those hosts in the standard access list. If no list is specified, all connections initiating HTTP traffic arriving at the interface are subject to authentication.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release     Modification
12.0(5)T    This command was introduced.
Usage Guidelines
This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list, providing control over which hosts use the authentication proxy. The rule is applied to an interface on a router using the ip auth-proxy command.
Use the auth-cache-time option to override the global authentication proxy cache timer. This option provides control over timeout values for specific authentication proxy rules. The authentication proxy cache timer monitors the length of time (in minutes) that an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity. When that period of inactivity (idle time) expires, the authentication entry and the associated dynamic access lists are deleted.
Use the list option to associate a set of specific IP addresses with the ip auth-proxy name command.
Use the no form of this command with a rule name to remove the authentication proxy rules. If no rule is specified, the no form of this command removes all the authentication rules on the router, and disables the proxy at all interfaces.
Note You must use the aaa authorization auth-proxy command together with the ip auth-proxy name command. Together these commands set up the authorization policy to be retrieved by the firewall. Refer to the aaa authorization auth-proxy command for more information.
Examples
The following example creates the HQ_users authentication proxy rule. Because no standard access list is specified in the rule, all connection-initiating HTTP traffic is subjected to authentication.
ip auth-proxy name HQ_users http
The following example creates the Mfg_users authentication proxy rule and applies it to hosts specified in ACL 10:
access-list 10 permit 192.168.7.0 0.0.0.255
ip auth-proxy name Mfg_users http list 10
The following example sets the timeout value for Mfg_users to 30 minutes:
access-list 15 permit any
ip auth-proxy name Mfg_users http auth-cache-time 30 list 15
The following example disables the Mfg_users rule:
no ip auth-proxy name Mfg_users
The following example disables the authentication proxy at all interfaces and removes all the rules from the router configuration:
no ip auth-proxy
Related Commands
Command                             Description
aaa authorization                   Sets parameters that restrict network access to a user.
ip auth-proxy                       Applies an authentication proxy rule at a firewall interface.
ip auth-proxy auth-cache-time       Sets the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity).
ip auth-proxy name                  Creates an authentication proxy rule.
show ip auth-proxy configuration    Displays the authentication proxy entries or the running authentication proxy configuration.
show ip auth-proxy
Syntax Description
cache            Displays the current list of the authentication proxy entries.
configuration    Displays the running authentication proxy configuration.
Command Modes
EXEC
Command History
Release     Modification
12.0(5)T    This command was introduced.
Usage Guidelines
Use the show ip auth-proxy command to display either the authentication proxy entries or the running authentication proxy configuration. Use the cache keyword to list the host IP address, the source port number, the timeout value for the authentication proxy, and the state for connections using the authentication proxy. If the authentication proxy state is HTTP_ESTAB, the user authentication was successful.
Use the show ip auth-proxy configuration command to display all authentication proxy rules configured on the router.
Examples
The following example shows sample output from the show ip auth-proxy cache command after one user authentication using the authentication proxy:
router# show ip auth-proxy cache
Authentication Proxy Cache
 Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB
The following example shows how the show ip auth-proxy configuration command displays the information about the authentication proxy rule pxy. The global idle timeout value is 60 minutes. The idle timeout value for this named rule is 30 minutes. No host list is specified in the rule, meaning that all connection-initiating HTTP traffic at the interface is subject to the authentication proxy rule.
router# sh ip auth-proxy configuration
Authentication cache time is 60 minutes
Authentication Proxy Rule Configuration
 Auth-proxy name pxy
   http list not specified auth-cache-time 30 minutes
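The two show outputs above are the operator's only view of who is currently authenticated and of which idle timeout actually governs each rule. The following Python script is an added example, not part of the Cisco documentation: it parses both output formats as this page prints them, lists cache entries whose state is not HTTP_ESTAB (sessions that have not completed authentication), resolves each rule's effective auth-cache-time (per-rule value, else the global value), and applies the usage guideline for ip auth-proxy auth-cache-time by flagging any rule whose effective timeout is not higher than the longest CBAC idle timeout. The sample text, the second rule HQ_users, the "http list 10" form for a rule with a host list, the HTTP_INIT state, and the CBAC timeout dictionary are constructed assumptions; the script works equally on the flattened or the multi-line form of the configuration output.

```python
"""Audit 'show ip auth-proxy cache' and 'show ip auth-proxy configuration' output.

Added example; not Cisco code. Sample text is constructed in the format this
page shows. The rule HQ_users, its 'http list 10' line, and the HTTP_INIT state
are assumptions used to give the parser something beyond the single page sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample output (second entry assumed: a session still in progress).
SAMPLE_CACHE = """\
Authentication Proxy Cache
 Client IP 192.168.25.215 Port 57882, timeout 1, state HTTP_ESTAB
 Client IP 192.168.25.216 Port 60110, timeout 30, state HTTP_INIT
"""

# Constructed sample output (HQ_users rule and its host-list line are assumed).
SAMPLE_CONFIG = """\
Authentication cache time is 60 minutes
Authentication Proxy Rule Configuration
 Auth-proxy name pxy
   http list not specified auth-cache-time 30 minutes
 Auth-proxy name HQ_users
   http list 10 auth-cache-time 120 minutes
"""


@dataclass
class Session:
    client_ip: str
    port: int
    timeout: int      # minutes remaining before the entry is removed
    state: str        # HTTP_ESTAB means authentication succeeded


@dataclass
class Rule:
    name: str
    host_list: Optional[str]        # None when the output says "not specified"
    auth_cache_time: Optional[int]  # minutes; None means the global value applies


CACHE_RE = re.compile(r"Client IP (\S+) Port (\d+), timeout (\d+), state (\S+)")
GLOBAL_RE = re.compile(r"Authentication cache time is (\d+) minutes")
# \s+ between the name and the http line accepts both the flattened one-line
# form and the indented multi-line form of the output.
RULE_RE = re.compile(
    r"Auth-proxy name (\S+)\s+http list (not specified|\S+)"
    r"(?:\s+auth-cache-time (\d+) minutes)?"
)


def parse_cache(text: str) -> List[Session]:
    """Return one Session per 'Client IP ...' line of the cache output."""
    return [Session(ip, int(port), int(timeout), state)
            for ip, port, timeout, state in CACHE_RE.findall(text)]


def parse_configuration(text: str) -> Tuple[int, List[Rule]]:
    """Return (global auth-cache-time in minutes, list of rules)."""
    match = GLOBAL_RE.search(text)
    if match is None:
        raise ValueError("global 'Authentication cache time' line not found")
    rules = [Rule(name,
                  None if host_list == "not specified" else host_list,
                  int(minutes) if minutes else None)
             for name, host_list, minutes in RULE_RE.findall(text)]
    return int(match.group(1)), rules


def unauthenticated(sessions: List[Session]) -> List[Session]:
    """Cache entries that have not reached HTTP_ESTAB (authentication not done)."""
    return [s for s in sessions if s.state != "HTTP_ESTAB"]


def effective_timeout(rule: Rule, global_minutes: int) -> int:
    """Per-rule auth-cache-time if set, otherwise the global value."""
    return rule.auth_cache_time if rule.auth_cache_time is not None else global_minutes


def rules_below_cbac_idle(rules: List[Rule], global_minutes: int,
                          cbac_idle_seconds: Dict[str, int]) -> List[str]:
    """Names of rules whose effective timeout is not strictly higher than the
    longest CBAC idle timeout, the condition the usage guidelines require."""
    longest = max(cbac_idle_seconds.values())
    return [r.name for r in rules
            if effective_timeout(r, global_minutes) * 60 <= longest]


if __name__ == "__main__":
    for s in unauthenticated(parse_cache(SAMPLE_CACHE)):
        print(f"not authenticated: {s.client_ip}:{s.port} state={s.state}")
    global_min, cfg_rules = parse_configuration(SAMPLE_CONFIG)
    # Constructed CBAC idle timeouts in seconds (tcp 3600 is the IOS default).
    cbac = {"tcp": 3600, "udp": 30}
    for name in rules_below_cbac_idle(cfg_rules, global_min, cbac):
        print(f"rule {name}: auth-cache-time does not exceed CBAC idle timeout")
```

Run the script against real output captured from the router instead of the samples; a rule reported by rules_below_cbac_idle is one where the authentication proxy may delete a user's dynamic ACL while CBAC is still tracking that user's idle connections, which is exactly the hang the auth-cache-time guideline warns about.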
Related Commands
Command                          Description
clear ip auth-proxy cache        Clears authentication proxy entries from the router.
ip auth-proxy                    Applies an authentication proxy rule at a firewall interface.
ip auth-proxy auth-cache-time    Sets the authentication proxy idle timeout value (the length of time an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity).
ip auth-proxy name               Creates an authentication proxy rule.
Posted: Thu Aug 10 17:27:12 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.