Configuration Steps
The following steps walk you through the configuration of auth-proxy.

Step 1. Configure AAA (required) on the router. Choose either TACACS+ or RADIUS for the method lists and the server definition; the "|" below separates the two alternatives. The auth-proxy authorization method list is what lets the router fetch the per-user proxy access-list entries from the AAA server.

    Router#show running-config
    aaa new-model
    aaa authentication login default tacacs+ | radius
    aaa authorization auth-proxy default tacacs+ | radius
    tacacs-server host hostname | ip-address
    tacacs-server key string
    radius-server host hostname | ip-address
    radius-server key string
Step 2. Configure the user's profile on the TACACS+ or RADIUS server. The profile that follows is a TACACS+ profile from Cisco Secure ACS for Unix, shown here because its text syntax is easy to read; the same attributes map onto Cisco Secure ACS for Windows. The privilege level must be 15, and each proxyacl#n entry becomes an access-list entry that the router opens dynamically for the authenticated user's source address, so keep these entries as narrow as the user's job requires.

    default authorization = permit
    key = cisco
    user = newuser1 {
        login = cleartext cisco
        service = auth-proxy {
            priv-lvl=15
            proxyacl#1="permit tcp any any eq 26"
            proxyacl#2="permit icmp any host 60.0.0.2"
            proxyacl#3="permit tcp any any eq smtp"
            proxyacl#4="permit tcp any any eq telnet"
        }
    }

The RADIUS profile carries the same attributes as Cisco vendor-specific attribute-value pairs (vendor 9, attribute 1):

    user = proxy {
        radius=Cisco {
            check_items= {
                2="proxy"
            }
            reply_attributes= {
                9,1="auth-proxy:priv-lvl=15"
                9,1="auth-proxy:proxyacl#1=permit icmp any any"
                9,1="auth-proxy:proxyacl#2=permit tcp any any"
                9,1="auth-proxy:proxyacl#3=permit udp any any"
            }
        }
    }
Step 3. Configure the HTTP server (required). The authentication proxy serves its login page from the router's HTTP server, so the server must be enabled, must authenticate through AAA, and should be reachable only from the sources that need it:

    Router#show running-config
    ! Enables the HTTP server on the router
    ip http server
    ! Sets HTTP authentication to follow the AAA rules
    ip http authentication aaa
    ! Standard ACL that controls which sources may reach the HTTP server
    ip http access-class access-list-number
Step 4. Configure the authentication proxy (required). First, turn on auth-proxy globally, then define a rule and apply it to an interface:

    Router#show running-config
    ....
    ! Sets the proxy idle timeout; the default is 60 minutes
    ip auth-proxy auth-cache-time min
    ! Displays the name of the firewall router in the authentication proxy login page
    ip auth-proxy auth-proxy-banner
    ! Defines the auth-proxy rule. Only hosts matching the standard ACL are intercepted
    ip auth-proxy name auth-proxy-name http [auth-cache-time min] [list std-access-list]
    ! Applies the auth-proxy rule to the interface
    interface type number
     ip auth-proxy auth-proxy-name

A complete configuration of auth-proxy is shown in Example 5-22.
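The four steps assembled into one router configuration, as an added example that is not Example 5-22 and not the book's own text. The addresses (192.0.2.10, 192.168.1.0/24), the rule name INSIDE_USERS, ACL numbers 10 and 110, the TACACS+ key and the interface name are placeholders; the interface ACL 110 is my assumption about a reasonable pre-authentication policy, not something the steps above prescribe.

```cisco
! Added example: complete auth-proxy configuration built from Steps 1-4.
! All addresses, names, ACL numbers and the key are placeholders.
!
! Step 1: AAA, using TACACS+ for both login authentication and auth-proxy authorization
aaa new-model
aaa authentication login default tacacs+
aaa authorization auth-proxy default tacacs+
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-TACACS-KEY
!
! Step 2 lives on the TACACS+ server (user profile with priv-lvl=15 and proxyacl#n entries)
!
! Step 3: HTTP server for the login page, reachable only from the inside subnet
ip http server
ip http authentication aaa
ip http access-class 10
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Step 4: global auth-proxy settings, a 30-minute idle timeout instead of the 60-minute default
ip auth-proxy auth-cache-time 30
ip auth-proxy auth-proxy-banner
!
! Rule: intercept HTTP only from hosts matched by standard ACL 10
ip auth-proxy name INSIDE_USERS http auth-cache-time 30 list 10
!
! Assumed pre-authentication policy on the inside interface: until a user has
! authenticated, only HTTP to the router's own address (the login page) is allowed.
! The proxyacl#n entries from the user's profile are inserted dynamically for that
! user's source address after a successful login.
access-list 110 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 110 deny ip any any
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy INSIDE_USERS
```

After applying this, the standard IOS commands show ip auth-proxy configuration and show ip auth-proxy cache let you confirm the rule is bound to the interface and, once a user has logged in, see the cached entry and the dynamic access-list entries that were opened for that user's address.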