Configuring authentication proxy on a firewall router involves using three variations of the ip auth-proxy command in the Global Configuration mode. Then, the same ip auth-proxy command is used in the Interface Configuration mode to apply the rule to the interface. The variations include the following commands:
ip auth-proxy auth-cache-time
ip auth-proxy auth-proxy-banner
ip auth-proxy name
ip auth-proxy (interface configuration)
Remember, the aaa authorization auth-proxy command, covered earlier, is used together with the ip auth-proxy name command covered in this section. The former enables the AAA auth-proxy feature, while the latter defines the specific rules to apply. Together, these two commands create the authorization policy to be used by the firewall.
Use the global configuration ip auth-proxy command with the auth-cache-time option to set the authentication proxy global idle timeout value. This cache idle timer specifies the length of time (in minutes) that an authentication cache entry, along with its associated dynamic user access control list entry, is kept after the last activity from that user. When that period of inactivity expires, the authentication entry and the associated dynamic access list entries are deleted.
If CBAC is also configured on the router, the auth-cache-time value must be set higher than the idle timeout of any CBAC-inspected protocol. Otherwise, when the authentication proxy timer expires, it removes the user profile and the associated dynamic user ACLs while CBAC is still tracking that user's idle connections; with their ACL entries gone, those connections hang.
The reverse isn't a problem. When the CBAC idle timeout is shorter, CBAC tears down the idle connections when its own timer expires, which happens before the authentication proxy removes the user profile. Use the no form of the command to restore the default. The syntax is
Rtr1(config)#ip auth-proxy auth-cache-time min
Rtr1(config)#no ip auth-proxy auth-cache-time
auth-cache-time min: Specifies the number of minutes of inactivity an authentication cache entry and the associated dynamic user ACL entry exist before being deleted. Acceptable values are 1 to 2,147,483,647 minutes.
This command was introduced in IOS 12.0(5)T. The default value is 60 minutes.
The following example sets the authentication proxy cache idle timeout to 20 minutes.
Rtr1(config)#ip auth-proxy auth-cache-time 20
To display a banner, such as the router name, in the authentication proxy login page, use the ip auth-proxy auth-proxy-banner command in Global Configuration mode. Use the banner-text argument to specify a custom banner other than the default. To disable the banner display, use the no form of this command. The syntax is
Rtr1(config)#ip auth-proxy auth-proxy-banner [banner-text]
Rtr1(config)#no ip auth-proxy auth-proxy-banner [banner-text]
banner-text: (Optional) Specifies a text string to replace the default banner, which is the name of the router. This command is similar to the standard IOS message of the day (MOTD) command. The text string should be written in the following format: C banner-text C, where C is a delimiting character. This delimiting character can be any character that won't be used in your message.
This command was introduced in IOS 12.0(5)T. By default, the command is disabled. If the command is issued without the banner-text option, the router host name will appear.
The first example adds the router name to the display in the authentication proxy login page. The second example replaces it with a personalized message using # as the delimiter. The show run output stores the banner with ^C as the delimiter regardless of the delimiter that was typed.
Rtr1(config)#ip auth-proxy auth-proxy-banner
Rtr1(config)#ip auth-proxy auth-proxy-banner # Jerri's Perimeter Router #
Rtr1#show run
!
ip auth-proxy auth-proxy-banner ^C Jerri's Perimeter Router ^C
ip auth-proxy auth-cache-time 20
!
The ip auth-proxy name command is used to create a named authentication proxy rule. The command includes several options that increase the administrator’s ability to control access. The rule is applied to an interface on a router using the ip auth-proxy command. To create an authentication proxy rule, use the global configuration mode command ip auth-proxy name.
Use the no form of this command with a rule name to remove the specific authentication proxy rules. If no rule name is specified, the no form of this command removes all the authentication rules on the router and disables the proxy on all interfaces. The syntax is
Rtr1(config)#ip auth-proxy name auth-proxy-name http [list {acl# | acl-name}] [auth-cache-time min]
Rtr1(config)#no ip auth-proxy [name auth-proxy-name]
auth-proxy-name: Associates a name, up to 16 alphanumeric characters long, with an authentication proxy rule.
http: The protocol that triggers the authentication proxy. Only HTTP is supported.
list {acl# | acl-name}: (Optional) Uses a standard (1–99), extended (100–199), or named ACL with the authentication proxy rule to control which hosts can use the authentication proxy. Traffic not matching the ACL is blocked. If no list is specified, all HTTP connections arriving at the interface are subject to authentication.
auth-cache-time min: (Optional) Overrides the global authentication proxy cache timer for this named rule only. Values can be 1 to 2,147,483,647 minutes. The default is the value set by the ip auth-proxy auth-cache-time command.
This command was introduced in IOS 12.0(5)T. Support for named and extended access lists was added with the IOS 12.2 release. Until then, only standard ACLs could be used.
The first example creates the authentication proxy rule net_users. Because no ACL is specified in the command, all connection sessions using HTTP traffic will trigger the authentication window and process.
Rtr1(config)#ip auth-proxy name net_users http
The next example creates the authentication proxy rule sales_users. The auth-cache-time 15 option sets the idle timer for this rule only to 15 minutes. The list 77 reference and the related ACL define the hosts allowed to authenticate, in this case the 192.168.1.0/24 network. HTTP traffic from all other sources is blocked.
Rtr1(config)#ip auth-proxy name sales_users http auth-cache-time 15 list 77
Rtr1(config)#access-list 77 permit 192.168.1.0 0.0.0.255
In this last example, the first command removes only the sales_users rule, while the second disables the authentication proxy on all interfaces and removes every rule from the router configuration, along with the dynamic user ACL entries the proxy created. Configured access lists such as access-list 77 are not removed and must be deleted separately if no longer needed.
Rtr1(config)#no ip auth-proxy name sales_users
Rtr1(config)#no ip auth-proxy
Use the interface configuration command ip auth-proxy to apply the named authentication proxy rule to a firewall interface. Connection-initiating HTTP traffic arriving inbound on the interface is intercepted for authentication unless an authentication cache entry already exists for the source host.
If no ACL is defined as part of the rule, traffic from all hosts is given the opportunity to authenticate. If an ACL is referenced in the rule, only hosts whose IP addresses match the ACL are allowed to attempt to authenticate. Traffic from all other addresses is discarded.
Use the no form of this command with a rule name to remove that specific authentication proxy rule from the interface. If no rule is specified, the no form of this command disables the authentication proxy on the interface. The syntax is
Rtr1(config-if)#ip auth-proxy auth-proxy-name
Rtr1(config-if)#no ip auth-proxy [auth-proxy-name]
auth-proxy-name: The name of the authentication proxy rule to apply to the interface. The rule is defined using the global ip auth-proxy name auth-proxy-name command.
This command was introduced in IOS 12.0(5)T. No default behavior or values.
This example applies the authentication proxy rule sales_users to interface Ethernet0.
Rtr1(config)#interface e0
Rtr1(config-if)#ip address 192.168.4.2 255.255.255.0
Rtr1(config-if)#ip access-group 100 in
Rtr1(config-if)#ip auth-proxy sales_users
Rtr1(config-if)#ip nat inside
Rtr1(config-if)#no shutdown
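The timer caveat given with ip auth-proxy auth-cache-time is easy to miss in a long running-config, because the per-rule auth-cache-time override on ip auth-proxy name can quietly undercut the global value, and a rule can be applied to an interface before it is defined. The following Python script is an added example, not code from the page or from Cisco. It parses a constructed show running-config excerpt and flags every named rule whose effective cache timer is not longer than the configured CBAC idle timeouts, rules whose list references an access list the config never defines, and interfaces that apply a rule that does not exist. The auth-cache-time default of 60 minutes is from the page; the CBAC defaults it assumes (ip inspect tcp idle-time 3600 seconds, ip inspect udp idle-time 30 seconds) are taken from IOS documentation, and only those two global CBAC timers are checked. Note that with both defaults left in place the check fires, since 60 minutes is not longer than 3600 seconds.

```python
import re

# Constructed "show running-config" excerpt for this example; not taken from the page.
SAMPLE_CONFIG = """\
ip inspect tcp idle-time 600
ip inspect udp idle-time 30
ip auth-proxy auth-cache-time 20
ip auth-proxy auth-proxy-banner ^C Jerri's Perimeter Router ^C
ip auth-proxy name net_users http
ip auth-proxy name sales_users http auth-cache-time 15 list 77
ip auth-proxy name guest_users http auth-cache-time 5 list 78
access-list 77 permit 192.168.1.0 0.0.0.255
!
interface Ethernet0
 ip address 192.168.4.2 255.255.255.0
 ip access-group 100 in
 ip auth-proxy sales_users
!
interface Ethernet1
 ip auth-proxy wan_users
!
"""

# Defaults applied when the config does not set the value. The auth-proxy default is
# from the page; the two CBAC idle-time defaults are assumed from IOS documentation.
DEFAULT_AUTH_CACHE_MIN = 60
DEFAULT_CBAC_IDLE_SEC = {"tcp": 3600, "udp": 30}


def strip_banner_delimiters(stored):
    """show run stores the banner as 'C text C'; return just the text.
    None (command issued with no argument) means the router host name is shown."""
    if stored is None:
        return None
    delim = stored.split()[0]
    body = stored.strip()
    if body.startswith(delim):
        body = body[len(delim):]
    if body.rstrip().endswith(delim):
        body = body.rstrip()[:-len(delim)]
    return body.strip()


def parse_config(text):
    """Collect auth-proxy rules, CBAC idle timers, ACLs and interface bindings."""
    cfg = {
        "global_cache_min": DEFAULT_AUTH_CACHE_MIN,
        "cbac_idle_sec": dict(DEFAULT_CBAC_IDLE_SEC),
        "banner": None,   # None means the default banner (the router host name)
        "rules": {},      # name -> {"cache_min": int or None, "list": str or None}
        "acls": set(),    # ACL numbers/names that appear in the config
        "applied": [],    # (interface, rule name) pairs
    }
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            iface = None                      # back at the global level
        if iface:
            m = re.match(r"ip auth-proxy (\S+)$", line)
            if m:
                cfg["applied"].append((iface, m.group(1)))
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            iface = m.group(1)
        elif (m := re.match(r"ip auth-proxy auth-cache-time (\d+)$", line)):
            cfg["global_cache_min"] = int(m.group(1))
        elif (m := re.match(r"ip inspect (tcp|udp) idle-time (\d+)$", line)):
            cfg["cbac_idle_sec"][m.group(1)] = int(m.group(2))
        elif (m := re.match(r"ip auth-proxy auth-proxy-banner(?: (.+))?$", line)):
            cfg["banner"] = strip_banner_delimiters(m.group(1))
        elif line.startswith("ip auth-proxy name "):
            toks = line.split()
            if len(toks) >= 5 and toks[4] == "http":
                rule = {"cache_min": None, "list": None}
                # Options after http are keyword/value pairs in either order.
                for i in range(5, len(toks) - 1, 2):
                    if toks[i] == "auth-cache-time":
                        rule["cache_min"] = int(toks[i + 1])
                    elif toks[i] == "list":
                        rule["list"] = toks[i + 1]
                cfg["rules"][toks[3]] = rule
        elif (m := re.match(r"access-list (\d+) ", line)):
            cfg["acls"].add(m.group(1))
        elif (m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line)):
            cfg["acls"].add(m.group(1))
    return cfg


def audit(text):
    """Return a list of findings; an empty list means nothing was detected."""
    cfg = parse_config(text)
    findings = []
    cbac_max = max(cfg["cbac_idle_sec"].values())
    for name, rule in cfg["rules"].items():
        eff_min = rule["cache_min"] or cfg["global_cache_min"]
        # The page's rule: auth-cache-time must be strictly longer than any CBAC idle timeout.
        if eff_min * 60 <= cbac_max:
            findings.append(
                f"rule {name}: auth-cache-time {eff_min} min is not longer than the "
                f"CBAC idle timeout of {cbac_max} s; idle connections may hang")
        if rule["list"] and rule["list"] not in cfg["acls"]:
            findings.append(f"rule {name}: list {rule['list']} is not defined in the config")
    for iface, name in cfg["applied"]:
        if name not in cfg["rules"]:
            findings.append(f"{iface}: applies undefined auth-proxy rule {name}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the script reports guest_users twice (its 5-minute override is shorter than the 600-second TCP idle timeout, and list 78 does not exist) and Ethernet1 once (wan_users was never created with ip auth-proxy name); net_users and sales_users pass because both 20 and 15 minutes exceed 600 seconds.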