To check the current authentication proxy configuration, use the privileged EXEC mode command show ip auth-proxy configuration.
In this example, the global authentication proxy idle timeout is 20 minutes, the named authentication proxy rule is “sales_users,” and the idle timeout value for this rule is 15 minutes. The display shows no host list is specified, meaning all connections initiating HTTP traffic at the interface are subject to the authentication proxy rule.
Rtr1#show ip auth-proxy configuration
Authentication global cache time is 20 minutes
Authentication Proxy Rule Configuration
 Auth-proxy name sales_users
 http list 77 auth-cache-time 15 minutes
When the authentication proxy is in use, dynamic access lists grow and shrink as temporary authentication entries are added and deleted. After users initiate HTTP connections through the router, use the privileged EXEC mode command show ip auth-proxy cache to display the list of authentication entries.
The authentication proxy cache lists the host IP address, the source port number, the timeout value for the authentication proxy, and the state of the connection. If the authentication proxy state is HTTP_ESTAB, the user authentication was successful.
Rtr1#show ip auth-proxy cache
Authentication Proxy Cache
 Client IP 192.168.1.10 Port 31219, timeout 15, state HTTP_ESTAB
To clear authentication cache entries manually from the firewall before they time out, use the clear ip auth-proxy cache command in privileged EXEC mode. Use the asterisk (*) option to delete all authentication cache entries, or enter a specific IP address to delete the entry for a single host. The syntax is
Rtr1#clear ip auth-proxy cache {* | host-ip-address}
When the authentication proxy is in use, dynamic access list entries are added and removed as temporary authentication sessions are added and deleted. When no open sessions exist, there won’t be any dynamic entries. To display any dynamic access list entries, use the show ip access-lists command in privileged EXEC mode. The number of matches displayed in parentheses indicates the number of times the access list entry was used.
Either the idle timeout expiring or the clear ip auth-proxy cache command from the last section removes the temporary entries, so the display can show no dynamic entries at all. The syntax to display any access lists configured on the firewall, including dynamic ACL entries, is
Rtr1# show ip access-lists
The following output shows the ACL entries prior to any authentication proxy sessions.
Rtr1#show ip access-lists
Extended IP access list 160
    deny tcp any any eq telnet
    deny udp any any
    permit tcp any any (41 matches)
    permit ip any any
This next output shows the same ACL following user authentication. The first six lines represent the downloaded user profile enabling the specified features for the authenticated user. The last four lines are the same lines as in the previous example after more traffic.
Rtr1#show ip access-lists
Extended IP access list 160
    permit tcp host 192.168.1.10 any eq 69
    permit icmp host 192.168.1.10 host 192.168.4.2
    permit tcp host 192.168.1.10 any eq telnet
    permit tcp host 192.168.1.10 any eq ftp
    permit tcp host 192.168.1.10 any eq ftp-data
    permit tcp host 192.168.1.10 any eq smtp
    deny tcp any any eq telnet
    deny udp any any
    permit tcp any any (76 matches)
    permit ip any any
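The two displays above (the authentication proxy cache and the ACL with its downloaded per-user entries) are usually read side by side: a host in HTTP_ESTAB should have its user-profile ACEs in the access list, and per-host ACEs with no matching session are worth a second look. The following Python script is an added example, not part of the book or of Cisco IOS; it parses constructed sample output modelled on the displays above and correlates the two. It assumes the static part of the ACL contains no host-specific permit entries, so every "permit ... host A.B.C.D" line is treated as a downloaded profile entry (a constructed extra host, 192.168.1.33, is included to show the check firing).

```python
import re
from dataclasses import dataclass

# Constructed sample output modelled on the show ip auth-proxy cache display
# (not captured from a real router). The second entry has not finished
# authenticating, so it must not count as an authorized user.
AUTH_PROXY_CACHE = """\
Rtr1#show ip auth-proxy cache
Authentication Proxy Cache
 Client IP 192.168.1.10 Port 31219, timeout 15, state HTTP_ESTAB
 Client IP 192.168.1.22 Port 40811, timeout 15, state HTTP_INIT
"""

# Constructed sample output modelled on the show ip access-lists display.
# 192.168.1.33 is an added host with a per-host ACE but no cache session.
ACCESS_LISTS = """\
Rtr1#show ip access-lists
Extended IP access list 160
    permit tcp host 192.168.1.10 any eq 69
    permit icmp host 192.168.1.10 host 192.168.4.2
    permit tcp host 192.168.1.10 any eq telnet
    permit tcp host 192.168.1.10 any eq ftp
    permit tcp host 192.168.1.10 any eq ftp-data
    permit tcp host 192.168.1.10 any eq smtp
    permit tcp host 192.168.1.33 any eq telnet
    deny tcp any any eq telnet
    deny udp any any
    permit tcp any any (76 matches)
    permit ip any any
"""

CACHE_RE = re.compile(
    r"Client IP (?P<ip>\d+\.\d+\.\d+\.\d+) Port (?P<port>\d+), "
    r"timeout (?P<timeout>\d+), state (?P<state>\S+)"
)
# Assumption: a permit keyed to a single source host is a downloaded profile ACE.
DYNAMIC_ACE_RE = re.compile(r"^\s*permit \S+ host (?P<ip>\d+\.\d+\.\d+\.\d+)\b")
MATCHES_RE = re.compile(r"\((\d+) matches\)")


@dataclass
class CacheEntry:
    ip: str
    port: int
    timeout: int
    state: str


def parse_auth_proxy_cache(text):
    """Return one CacheEntry per 'Client IP ...' line of the cache display."""
    return [CacheEntry(m["ip"], int(m["port"]), int(m["timeout"]), m["state"])
            for m in CACHE_RE.finditer(text)]


def authenticated_hosts(entries):
    """Only HTTP_ESTAB means the user authentication succeeded."""
    return sorted({e.ip for e in entries if e.state == "HTTP_ESTAB"})


def dynamic_aces_by_host(text):
    """Group the per-host ACEs (the downloaded user profile) by source host."""
    result = {}
    for line in text.splitlines():
        m = DYNAMIC_ACE_RE.match(line)
        if m:
            result.setdefault(m["ip"], []).append(line.strip())
    return result


def match_counts(text):
    """Map each ACE that carries a '(N matches)' counter to its hit count."""
    counts = {}
    for line in text.splitlines():
        m = MATCHES_RE.search(line)
        if m:
            counts[MATCHES_RE.sub("", line).strip()] = int(m.group(1))
    return counts


def audit(cache_text, acl_text):
    """Cross-check the cache against the ACL.

    missing_aces:  hosts in HTTP_ESTAB with no per-host ACEs downloaded
    orphaned_aces: hosts with per-host ACEs but no established session
    """
    auth = set(authenticated_hosts(parse_auth_proxy_cache(cache_text)))
    dyn = set(dynamic_aces_by_host(acl_text))
    return {"missing_aces": sorted(auth - dyn), "orphaned_aces": sorted(dyn - auth)}


if __name__ == "__main__":
    for entry in parse_auth_proxy_cache(AUTH_PROXY_CACHE):
        print(entry)
    print(audit(AUTH_PROXY_CACHE, ACCESS_LISTS))
    print(match_counts(ACCESS_LISTS))
```

Feed the script the text captured from the two show commands (for example, from a scheduled session) instead of the constructed strings; an orphaned host usually means the cache entry already aged out under the idle timeout or was cleared, whereas a missing host means the user profile was never applied and is worth checking on the AAA server.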
For more information, go to the Cisco web site http://www.cisco.com and search for authentication proxy. No CCO account is required.
While they aren’t specifically exam objectives, the following debug commands can be useful in troubleshooting or simply watching authentication proxy processes. As with all debug commands, remember, debug can have a detrimental effect on production routers.
Rtr1#debug ip auth-proxy {function-trace} | Displays the authentication proxy functions
Rtr1#debug ip auth-proxy {http} | Displays auth-proxy-related HTTP events
The following debug commands are AAA tools but, because authentication proxy relies on AAA, they can be useful in troubleshooting.
Rtr1#debug {tacacs | radius} | Displays TACACS+ or RADIUS information.
Rtr1#debug aaa authentication | Displays information on AAA/TACACS+ authentication. Shows the methods of authentication and the results.
Rtr1#debug aaa authorization | Displays information on AAA/TACACS+ authorization. Shows the methods of authorization and the results.
As you learned earlier in this chapter, authentication proxy does not create ACEs to support returning data traffic or data channel traffic. So, it’s necessary either to create static ACLs to allow the return traffic or to configure CBAC inspection rules in the firewall configuration. Because static ACLs increase the network’s exposure (they’re permanent “holes” in the firewall) while the CBAC “hole” exists only as long as the session needs it, the choice is quite simple.
Configuring CBAC with any authentication proxy implementation is the most reliable and secure method to ensure return traffic for authorized user connections through the firewall. Chapter 6 covered CBAC in detail. The following exercise shows an example of adding CBAC to the configuration after the authentication proxy is defined.