Chapter 14. Authentication Proxy

The last chapter discussed how you can use lock-and-key to authenticate users before allowing them access through your perimeter router. As you recall, lock-and-key requires a user first to Telnet into the router to authenticate. The router then terminates the Telnet session and creates a dynamic ACL entry for that user, which allows the user's traffic through the router. Lock-and-key is a nifty feature, but it does have limitations:

  • It was developed primarily for dialup use, with only one user accessing the router's interface.

  • The extended ACL applied to the interface can have only one dynamic entry, which all users must share; this makes it almost impossible to enforce per-user restrictions.

  • It requires the user to Telnet into the router first, so the user must know about the authentication process and carry it out before accessing the resources permitted by the dynamic ACL entry.
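As an added example (not a configuration from the original chapter), the following minimal lock-and-key configuration shows the flow just described and the single shared dynamic entry that causes the per-user limitation. The addresses, user name, ACL number and timeout values are assumptions chosen for illustration.

```cisco
! Added example, not from the original chapter: a minimal lock-and-key
! configuration. Addresses, names and timeouts are assumed values.
!
! Local user database used for the Telnet authentication step.
username lkuser secret Str0ngP@ss
!
! Inbound ACL on the outside interface. The first entry must permit the
! Telnet to the router itself, or the user can never authenticate.
access-list 101 permit tcp any host 192.0.2.1 eq telnet
! Only ONE dynamic entry is allowed per ACL. Every authenticated user's
! temporary entry is stamped from this same template, so all users end
! up with identical permissions; the 120 is the absolute timeout in minutes.
access-list 101 dynamic lk-users timeout 120 permit tcp any 10.1.1.0 0.0.0.255 eq 80
access-list 101 deny ip any any log
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 101 in
!
! When a user logs in on a VTY line, access-enable inserts a temporary
! entry for that user's source host and then terminates the Telnet
! session; the entry is removed after 5 minutes of inactivity.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
```

After a user authenticates, `show access-lists` displays the temporary entry created from the dynamic template. Because the `autocommand` applies to every session on those VTY lines, keep at least one VTY line without it (or reach the router another way) for administrative access; otherwise your own management sessions are terminated the same way.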

To overcome these deficiencies, Cisco developed authentication proxy (AP). AP is basically lock-and-key on steroids: it provides the same basic functions as lock-and-key but adds many enhancements that make it more flexible and scalable. In function, AP is very similar to the Cisco PIX's cut-through proxy (CTP). This chapter focuses on the use and configuration of this Cisco IOS Firewall feature.