Cisco IOS Firewall Authentication Proxy
Authentication proxy configuration

This section discusses how to configure the authentication proxy settings on a Cisco router.

Set Global Timers
The inactivity timeout value is the length of time that an authentication cache entry, along with its associated dynamic user ACL, is retained after a period of inactivity. To set the global authentication proxy inactivity timeout value, use the ip auth-proxy inactivity-timer global configuration command. The value of the inactivity-timer min option must be set higher than the idle timeout of any CBAC protocols. Otherwise, when the authentication proxy removes the user profile along with the associated dynamic user ACLs, there might still be idle connections monitored by CBAC, and removing these user-specific ACLs could cause those idle connections to hang. If the CBAC idle timeout value is shorter, CBAC resets these connections when the CBAC idle timeout expires, which is before the authentication proxy removes the user profile.

The absolute-timer min option allows administrators to configure a window during which the authentication proxy on the enabled interface is active. Once the absolute timer expires, the authentication proxy will be disabled regardless of any activity. The global absolute timeout value can be overridden by the local value, which is enabled via the ip auth-proxy name command. The absolute timer is turned off by default, and the authentication proxy is enabled indefinitely.

The syntax of the ip auth-proxy command is shown in Figure .

Define and Apply Authentication Proxy Rules
To create an authentication proxy rule, use the ip auth-proxy name global configuration command. The syntax of the ip auth-proxy name command is shown in Figure .

To apply an authentication proxy rule at a firewall interface, use the ip auth-proxy interface configuration command. The syntax of the ip auth-proxy command is shown in Figure .

NOTE:

A proxy authentication rule can consist of multiple statements, each specifying a different authentication type. This configuration supports proxy authentication for multiple applications, using a combination of HTTP, HTTPS, FTP, or Telnet authentication at the same time.

Authentication Proxy Rules with ACLs
An authentication proxy rule can be associated with an ACL, providing control over which hosts use the authentication proxy. To create an authentication proxy rule with an ACL, use the ip auth-proxy name global configuration command with the list acl option. The syntax of the ip auth-proxy name command with ACLs is shown in Figure .
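The global timers, the CBAC idle-timeout relationship, the proxy rule and its ACL association described above, pulled together into one constructed IOS configuration. This is an added example, not configuration from the page; the addresses, ACL numbers, server key and the rule name AUTH_INSIDE are assumed values.

```cisco
! Added example (not from the original page). Addresses, ACL numbers,
! the TACACS+ key and the rule name AUTH_INSIDE are assumed values.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.168.100.10
tacacs-server key TACACS-KEY-PLACEHOLDER
!
! The HTTP authentication proxy serves its login page from the router's
! HTTP server, which must authenticate through AAA
ip http server
ip http authentication aaa
!
! CBAC: TCP idle timeout of 1800 seconds (30 minutes)
ip inspect tcp idle-time 1800
ip inspect name INSIDE_OUT tcp
ip inspect name INSIDE_OUT udp
!
! Global authentication proxy timers are in minutes. The inactivity timer
! (60 min) is longer than the CBAC TCP idle timeout (30 min), so CBAC resets
! idle sessions before the user's dynamic ACL is removed.
ip auth-proxy inactivity-timer 60
ip auth-proxy absolute-timer 480
!
! Only hosts in 10.1.1.0/24 are challenged by the proxy (the list option)
access-list 10 permit 10.1.1.0 0.0.0.255
!
! Inbound ACL on the inside interface: permit HTTP to the router itself so
! the proxy login page is reachable, deny everything else until a user
! authenticates and the proxy adds that user's dynamic entries
access-list 101 permit tcp any host 10.1.1.1 eq www
access-list 101 deny ip any any
!
! HTTP rule with a local absolute timer (overrides the global 480 minutes)
ip auth-proxy name AUTH_INSIDE http absolute-timer 120 list 10
!
interface FastEthernet0/0
 description inside network
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
 ip inspect INSIDE_OUT in
 ip auth-proxy AUTH_INSIDE
```

Verify the resulting cache entries and timers with show ip auth-proxy configuration and show ip auth-proxy cache after a user logs in.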


Lab Activity

e-Lab Activity: Configure AAA

In this activity, students will configure AAA on the Cisco router.

Lab Activity

e-Lab Activity: Configure Authentication

In this activity, students will configure authentication proxy on a Cisco router.

Lab Activity

e-Lab Activity: Configure Authentication Proxy on Cisco Router

In this activity, students will configure AAA, configure authentication proxy, and test and verify authentication proxy.