Verify Authentication Proxy Configuration

Verify Authentication Proxy Configuration

To check the current authentication proxy configuration, use the privileged EXEC mode command show ip auth-proxy configuration.

In this example, the global authentication proxy idle timeout is 20 minutes, the named authentication proxy rule is “sales_users,” and the idle timeout value for this rule is 15 minutes. The display shows no host list is specified, meaning all connections initiating HTTP traffic at the interface are subject to the authentication proxy rule.

Rtr1#show ip auth-proxy configuration
Authentication global cache time is 20 minutes
Authentication Proxy Rule Configuration
 Auth-proxy name sales_users
 ???http list 77 auth-cache-time 15 minutes 

The auth-proxy Cache

When the authentication proxy is in use, dynamic access lists grow and shrink as temporary authentication entries are added and deleted. After users initiate HTTP connections through the router, use the privileged EXEC mode command show ip auth-proxy cache to display the list of authentication entries.

The authentication proxy cache lists the host IP address, the source port number, the timeout value for the authentication proxy, and the state of the connection. If the authentication proxy state is HTTP_ESTAB, the user authentication was successful.

Rtr1#show ip auth-proxy cache
Authentication Proxy Cache
 Client IP 192.168.1.10 Port 31219, timeout 15, state HTTP_ESTAB

Clearing the auth-proxy Cache

To clear authentication cache entries manually from the firewall before they time out, use the clear ip auth-proxy cache command in privileged EXEC mode. Use the Asterisk option to delete all authentication cache entries. Enter a specific IP address to delete an entry for a single host. The syntax is

Rtr1#clear ip auth-proxy cache {* | host-ip-address}

Displaying Dynamic ACL Entries

When the authentication proxy is in use, dynamic access list entries are added and removed as temporary authentication sessions are added and deleted. When no open sessions exist, there won’t be any dynamic entries. To display any dynamic access list entries, use the show ip access-lists command in privileged EXEC mode. The number of matches displayed in parentheses indicates the number of times the access list entry was used.

Both the idle timeout parameter and the clear ip auth-proxy cache command from the last section can cause no dynamic entries to occur in the display. The syntax to display any access lists configured on the firewall, including dynamic ACL entries, is

Rtr1# show ip access-lists

This following shows the ACL entries prior to any authentication proxy sessions.

Rtr1#show ip access-lists
Extended IP access list 160
 deny tcp any any eq telnet
 deny udp any any
 permit tcp any any (41 matches)
 permit ip any any

This next output shows the same ACL following user authentication. The first six lines represent the downloaded user profile enabling the specified features for the authenticated user. The last four lines are the same lines as in the previous example after more traffic.

Rtr1#show ip access-lists
Extended IP access list 160
permit tcp host 192.168.1.10 any eq 69
permit icmp host 192.168.1.10 host 192.168.4.2
permit tcp host 192.168.1.10 any eq telnet
permit tcp host 192.168.1.10 any eq ftp
permit tcp host 192.168.1.10 any eq ftp-data
permit tcp host 192.168.1.10 any eq smtp
deny tcp any any eq telnet
deny udp any any
permit tcp any any (76 matches)
permit ip any any

For more information, go to the Cisco web site http://www.cisco.com and search for authentication proxy. No CCO account is required.

The debug Commands

While they aren’t specifically exam objectives, the following debug commands can be useful in troubleshooting or simply watching authentication proxy processes. As with all debug commands, remember, debug can have a detrimental effect on production routers.

Rtr1#debug ip auth-proxy {function-trace}

Displays the authentication proxy functions

Rtr1#debug ip auth-proxy {http}

Displays auth-proxy–related HTTP events

The following debug commands are AAA tools but, because authentication proxy relies on AAA, they can be useful in troubleshooting.

Rtr1#debug {tacacs | radius}

Displays TACACS+ or RADIUS information.

Rtr1#debug aaa authentication

Displays information on AAA/TACACS+ authentication. Shows the methods of authentication and the results.

Rtr1#debug aaa authorization

Displays information on AAA/TACACS+ authorization. Hows the methods of authorization and the results.

CBAC Configuration

As you learned earlier in this chapter, authentication proxy does not create ACEs to support returning data traffic or data channel traffic. So, it’s necessary either to create static ACLs to allow the return traffic or to configure the CBAC inspection rules in the firewall configuration. Because static ACLs increase the network vulnerability (they’re permanent “holes” in the firewall) and the CBAC “hole” only exists as long as needed, the solution is quite simple.

Configuring CBAC with any authentication proxy implementation is the most reliable and secure method to ensure return traffic for authorized user connections through the firewall. Chapter 6 covered CBAC in detail. The following exercise shows an example of adding CBAC to the configuration after the authentication proxy is defined.




Part III: Virtual Private Networks (VPNs)