Authentication Proxy
Problem
You want the router to authenticate and authorize individual users as they access restricted resources.
Solution
To configure an IOS-based authentication proxy, use the following commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization auth-proxy default local
Router1(config)#ip auth-proxy auth-proxy-banner http
Router1(config)#ip auth-proxy name HTTPPROXY http
Router1(config)#ip admission auth-proxy-banner http
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip auth-proxy HTTPPROXY
Router1(config-if)#ip http server
Router1(config)#ip http authentication local
Router1(config)#end
Router1#
Discussion
Cisco authentication proxy is an intercepting proxy that requires users to authenticate before being allowed to access resources behind the proxy. Because it operates as an intercepting proxy, placement of the router is vital, since it can only authenticate sessions that cross the router. Generally, this means that the proxy must be placed at a network choke point, such as the link to the Internet.
Since Cisco authentication proxy is designed to act as an intercepting proxy, there is no need for end users to configure their browsers to point to the proxy server. The router will automatically intercept all sessions and force the end users to authenticate before they can access resources behind the proxy. The first time a user attempts to access a web site, the router will present them with an authentication screen. After the user submits a correct username and password, he is then free to surf as normal.
Common uses for authentication proxies are Internet cafes, public wireless access providers, and organizations that wish to control access to the Internet. In all instances, users will be forced to authenticate before they'll be allowed to surf beyond the proxy. This allows an organization to tightly control network access. In addition, authentication proxies can be used to secure Intranet servers that don't have the capability to perform authentication themselves.
To view the current proxy cache, use the following show command:
Router1#show ip auth-proxy cache
Authentication Proxy Cache
Client Name ijbrown, Client IP 172.25.1.52, Port 4224, timeout 60, Time Remaining 53, state ESTAB
Router1#
In this example, we can see that one user, ijbrown, has been authenticated successfully and is currently active. We can also see that the default timeout is set to 60 minutes, and that our user currently has 53 minutes remaining until he'll be forced to authenticate again.
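A small Python parser for the cache listing above, added here as an example and not part of the original recipe. It assumes the one-line-per-client format shown in the output; only the first sample entry comes from the page, the other two are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches one client entry of "show ip auth-proxy cache" in the format shown above.
ENTRY = re.compile(
    r"Client Name (?P<user>\S+), Client IP (?P<ip>\d+\.\d+\.\d+\.\d+), "
    r"Port (?P<port>\d+), timeout (?P<timeout>\d+), "
    r"Time Remaining (?P<remaining>\d+), state (?P<state>\S+)"
)

def parse_cache(text):
    """Return one dict per cache entry; numeric fields are converted to int."""
    entries = []
    for m in ENTRY.finditer(text):
        e = m.groupdict()
        for key in ("port", "timeout", "remaining"):
            e[key] = int(e[key])
        entries.append(e)
    return entries

def audit(entries, expected_timeout=60):
    """Flag users established from several addresses and unexpected timeouts."""
    ips = defaultdict(set)
    for e in entries:
        if e["state"] == "ESTAB":
            ips[e["user"]].add(e["ip"])
    findings = [f"{u}: active from {len(a)} addresses ({', '.join(sorted(a))})"
                for u, a in sorted(ips.items()) if len(a) > 1]
    findings += [f"{e['user']}@{e['ip']}: timeout {e['timeout']} != {expected_timeout}"
                 for e in entries if e["timeout"] != expected_timeout]
    return findings

# Constructed sample: first entry is the one from the page, the rest are made up.
SAMPLE = """\
Authentication Proxy Cache
Client Name ijbrown, Client IP 172.25.1.52, Port 4224, timeout 60, Time Remaining 53, state ESTAB
Client Name ijbrown, Client IP 172.25.1.77, Port 1188, timeout 60, Time Remaining 12, state ESTAB
Client Name user2, Client IP 172.25.1.60, Port 3050, timeout 120, Time Remaining 118, state ESTAB
"""

if __name__ == "__main__":
    for finding in audit(parse_cache(SAMPLE)):
        print(finding)
```

The same account established from two addresses at once is worth a look on a shared-access network, since the proxy authorizes by source IP once the user has logged in.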
To manually force all users to authenticate again, use the following clear command:
Router1#clear ip auth-proxy cache *
Router1#
You can view the authentication proxy's configuration by using the following show command:
Router1#show ip auth-proxy configuration
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Watch-list is disabled
Authentication Proxy Rule Configuration
Auth-proxy name HTTPPROXY
http list not specified inactivity-timer 60 minutes
Router1#
For our example, we used local authentication, which is sufficient for a small company or installation; however, for larger organizations you can also configure the authentication server to use either RADIUS or TACACS to authenticate users.
To configure an authentication proxy server with TACACS support, use the following set of commands:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization auth-proxy default group tacacs
Router1(config)#tacacs-server host 172.25.5.5
Router1(config)#tacacs-server key cisco
Router1(config)#ip http server
Router1(config)#ip http authentication aaa
Router1(config)#ip auth-proxy name TESTPROXY http
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip auth-proxy TESTPROXY
Router1(config-if)#end
Router1#
In this example, authentication will be performed by the TACACS server. Please see Chapter 4 for more information on TACACS.
See Also