The authentication proxy is a user authentication and authorization technology that is part of the Cisco IOS Firewall feature set. The feature is supported on a growing list of platforms running the latest IOS versions (12.2), including the SOHO 70, 800, uBR900, 1720, 2600, 3600, 7100, 7200, and 7500 series routers. Earlier IOS versions do not support the feature on the smaller units (SOHO 70 through 1720). Authentication proxy is compatible with other Cisco IOS security features, such as NAT, CBAC, IPSec encryption, and VPN client software.
The Cisco IOS Firewall authentication proxy feature allows network administrators to implement security policies on a per-user basis through personalized ACLs. Without firewall authentication proxy, user identity and any authorized access were tied to a user's IP address, so a single security policy had to be applied to an entire user group or subnet. With authentication proxy, users are identified and authorized according to their own per-user policy, and access privileges can be customized based on their individual access profiles.
With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, and their specific access profiles are automatically retrieved and applied from a Cisco Secure ACS, or other RADIUS or TACACS+ authentication server. The user profiles and the resulting temporary ACL entries are active only while active traffic exists from the authenticated user. By default, the temporary openings close after 60 minutes of inactivity.
The authentication proxy feature requires that an AAA server (Cisco Secure Access Control Server, or another RADIUS or TACACS+ server) be present on the network. The AAA server must also be configured to support the feature: the per-user profile it returns is what the router turns into temporary ACL entries.
Next, the router running the firewall feature set, typically the perimeter router, must be configured by performing the following tasks:
Configuring AAA support (required)
Configuring the HTTP server feature (required)
Configuring the Authentication Proxy (required)
Verifying the Authentication Proxy (optional, but valuable)
Skip the optional verification step only at the risk of the resources you're charged to protect.
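The following is an added example, not configuration from the original text, that carries the four tasks above through on one perimeter router using TACACS+. The topology (inside LAN 10.1.1.0/24 on Ethernet0/0 with the router at 10.1.1.1, AAA server at 10.1.1.5), the rule name HQ_USERS, the ACL number 116, the inspection name FW and the TACACS+ key are all assumptions chosen for illustration.

```cisco
! Added example (not from the original text). Assumed topology: inside LAN
! 10.1.1.0/24 on Ethernet0/0 (router 10.1.1.1), Cisco Secure ACS / TACACS+
! server at 10.1.1.5, Internet on Serial0/0. Names and addresses are assumptions.
!
! --- Task 1: AAA support (required) ---
aaa new-model
aaa authentication login default group tacacs+
! auth-proxy is its own authorization service. Without this line the user can
! authenticate, but no profile is downloaded and no temporary ACEs are created.
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.1.1.5
tacacs-server key s3cr3tK3y
!
! --- Task 2: HTTP server (required; HTTP is what triggers the session) ---
ip http server
! Make the router's HTTP login use AAA instead of the enable password.
ip http authentication aaa
!
! --- Task 3: Authentication proxy (required) ---
! Idle timer is in minutes. 60 is the default, so this line only documents it;
! a shorter value closes unused openings sooner.
ip auth-proxy auth-cache-time 60
! Name the rule and intercept HTTP on whichever interface it is applied to.
ip auth-proxy name HQ_USERS http
!
! Inbound ACL on the user-facing interface: block everything except the
! TACACS+ return traffic from the AAA server. Authenticated users receive
! dynamically inserted permit ACEs, so nothing else is opened here.
access-list 116 permit tcp host 10.1.1.5 eq tacacs host 10.1.1.1
access-list 116 deny ip any any
!
! CBAC is not one of the four tasks, but it is normally configured alongside
! authentication proxy: the proxy never creates ACEs for the returning half of
! a user's connection, and CBAC is also what lets the proxy work behind NAT.
ip inspect name FW tcp
ip inspect name FW udp
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 116 in
 ip auth-proxy HQ_USERS
 ip inspect FW in
!
! Server side (configured on the ACS, shown here as a comment): the user's
! TACACS+ profile carries the auth-proxy service with priv-lvl=15 and one
! proxyacl#N attribute per permit entry. Only permit entries are allowed, and
! the source must be "any"; the router substitutes the authenticated host.
!   service=auth-proxy
!     priv-lvl=15
!     proxyacl#1="permit tcp any any eq 80"
!     proxyacl#2="permit icmp any host 192.168.4.2"
!
! --- Task 4: Verification (optional, but valuable) ---
! show ip auth-proxy configuration   rule name, protocol, cache time
! show ip auth-proxy cache           who is authenticated, from which address
! show ip auth-proxy statistics      counters for intercepted and proxied sessions
! clear ip auth-proxy cache *        force re-authentication while testing
! debug ip auth-proxy detailed       watch the intercept and ACE insertion live
```

After a user on 10.1.1.0/24 browses to any HTTP site and authenticates, `show ip auth-proxy cache` should list that host, and `show ip access-lists 116` should show the dynamically inserted permit entries ahead of the static ones, with the profile's `any` source replaced by the user's address. The entries disappear once the idle timer expires.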
1. What protocol does the authentication proxy use to trigger an authentication session?
2. Which two protocol authentication servers can be used with authentication proxy?
3. Authentication proxy allows how many attempts to enter a valid user name and password?
4. True or False. User profile entries stored on the AAA server are made up of permit and deny statements used to create temporary ACL entries on the firewall router.
5. In the temporary ACL entry permit icmp host 192.168.1.10 host 192.168.4.2, which address probably represents the authenticated user?
6. True or False. Authentication proxy is supported on all router platforms since v12.2.
7. In the ip auth-proxy auth-cache-time units command, what are the idle timer units?
8. Which technology does authentication proxy use to provide secure authentication?
9. According to the text, which of the following is the reason to configure CBAC with authentication proxy?
10. The IOS Firewall authentication proxy feature works with which technology?
11. What additional IOS feature allows the authentication proxy to work with NAT services?
12. Which command is not a step in setting up an IOS Firewall authentication proxy?
13. How many open sessions does authentication proxy support before refusing additional sessions?
14. When creating the inbound ACL on the firewall for authentication proxy, all traffic is typically blocked except which one of the following that's absolutely required?
15. When configuring the authentication proxy features, all commands are variations of which of the following?
Answers
1. D. HTTP
2. C. and D. RADIUS and TACACS+
3. C. Five tries
4. B. False. User profiles contain only permit statements.
5. A. 192.168.1.10
6. A. False. IOS versions (12.2) support authentication proxy on the SOHO 70, 800, uBR900, 1720, 2600, 3600, 7100, 7200, and 7500 series routers.
7. C. Minutes (default 60)
8. C. JavaScript
9. C. Authentication proxy does not create ACEs to support returning data traffic.
10. C. HTTP sessions
11. B. CBAC
12. D. Configuring CBAC
13. B. 40
14. C. Return traffic from the AAA server
15. B. Rtr1(config)#ip auth-proxy auth