Allow AAA traffic to the router

All traffic that requires authentication and authorization should be denied by the router using extended ACLs. Upon successful authentication, the authentication proxy inserts dynamic ACEs into those ACLs to permit only the traffic authorized by the user profile. The proxy customizes each ACE in the user profile by replacing the source IP address in the downloaded ACL with the source IP address of the authenticated host, so the permit entries apply only to that host.

An extended ACL should be applied to the inbound direction of the interface that is configured for proxy authentication. All other ACLs that restrict traffic in the direction of authenticated traffic flow should be extended ACLs so that proxy authentication can dynamically update the ACEs as necessary to permit authorized traffic to pass.

NOTE:

Proxy authentication does not update ACLs blocking return traffic. If traffic in the opposite direction must be restricted, then use static ACLs to manually permit return traffic for authorized traffic. Preferably, use CBAC to dynamically create ACLs to securely permit return traffic for proxy-authenticated sessions.

If the AAA server resides on the same interface where proxy authentication is configured, then an ACL to permit TACACS+ or RADIUS traffic from the AAA server to the firewall must be configured.

Use the following guidelines when writing the extended ACL:

  • To permit AAA server communication, create an ACE where the source address is the AAA server and the destination address is the IP address of the router interface on which the AAA server resides (the interface where proxy authentication is configured).
  • Some traffic may need to be permitted without requiring authentication, such as Internet Control Message Protocol (ICMP) or routing updates.
  • Deny all other traffic.
  • Apply the extended ACL to the inbound direction of the interface where proxy authentication is configured.
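The following Cisco IOS configuration is an added example that walks through the four guidelines above; it is not configuration from the original page or from the lab. Addresses, interface names and the routing protocol are assumptions: 10.0.1.0/24 is the inside LAN, 10.0.1.1 is the router's inside address, and the TACACS+ server (Cisco Secure ACS) sits on that same segment at 10.0.1.10. AAA method lists and the router HTTP server are assumed to be configured separately.

```cisco
! Added example (not from the original page). Inbound ACL for the inside
! interface where authentication proxy is applied.
!
! Guideline 1: AAA server to router. TACACS+ replies leave the ACS host from
! TCP port 49 toward the router's own interface address. Without this ACE the
! router cannot complete a login when the server sits behind this interface.
! (For RADIUS, permit udp from the server's configured auth/acct ports instead.)
access-list 110 remark --- AAA server replies to the firewall interface ---
access-list 110 permit tcp host 10.0.1.10 eq tacacs host 10.0.1.1
!
! Guideline 2: traffic that must pass without authentication. ICMP for
! reachability tests and the routing protocol assumed on this segment (EIGRP).
access-list 110 remark --- unauthenticated exceptions ---
access-list 110 permit icmp 10.0.1.0 0.0.0.255 any
access-list 110 permit eigrp 10.0.1.0 0.0.0.255 any
!
! Guideline 3: deny everything else. After a successful login the proxy inserts
! per-host permit entries ahead of this line, so a tight deny here is what makes
! the authorization decision enforceable. 'log' shows rejected attempts in syslog.
access-list 110 remark --- everything else must authenticate first ---
access-list 110 deny ip any any log
!
! Guideline 4: define the proxy rule and apply both the ACL and the rule to the
! INBOUND direction of the interface facing the users. INSIDE-PROXY is an
! assumed rule name; the cache timeout is 30 minutes of inactivity.
ip auth-proxy auth-cache-time 30
ip auth-proxy name INSIDE-PROXY http
!
interface FastEthernet0/0
 description inside LAN; users must authenticate before leaving
 ip address 10.0.1.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy INSIDE-PROXY
!
! Verification after a user logs in (exec mode): the cache lists the host entry
! and the ACL shows the dynamic ACEs rewritten with that host's source address.
! show ip auth-proxy cache
! show ip access-lists 110
```

Note that the ACL above only governs the direction of the authenticated flow; return traffic arriving on the outside interface still needs static entries or CBAC, as the NOTE above describes.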

Enable the Router HTTP or HTTPS Server for AAA
To use the authentication proxy with HTTP, use the ip http server command to enable the HTTP server on the router. Then use the ip http authentication aaa command to require the HTTP server to use AAA for authentication.

The HTTPS feature requires a Cisco IOS crypto image. Enabling this feature supports these options:

  • HTTP-initiated sessions normally exchange the username and password in clear text. This exchange is encrypted when using HTTPS.
  • HTTPS-initiated sessions are proxy authenticated.

To use the authentication proxy with HTTPS, use the ip http secure-server command to enable the HTTPS server on the router. Then use the ip http authentication aaa command to require the HTTP server to use AAA for authentication.
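The following configuration is an added example, not taken from the original page or the lab, showing the AAA method lists the HTTP server depends on, the clear-text HTTP setup beside the HTTPS setup, and the commands used to check the result. The server address, shared key, hostname and domain name are assumptions.

```cisco
! Added example (not from the original page). AAA method lists first: the
! authentication proxy uses the 'default' login list and the auth-proxy
! authorization list to fetch the user's proxy ACL from the TACACS+ server.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
tacacs-server host 10.0.1.10
tacacs-server key SharedSecretKey
!
! Weak setting: HTTP only. The login form carries the username and password
! in clear text across the user segment.
ip http server
ip http authentication aaa
!
! Preferred setting: HTTPS (requires a crypto image). The secure server needs
! an RSA key pair, which in turn needs a hostname and a domain name.
hostname fw1
ip domain-name example.com
! exec mode, not configuration mode:
! crypto key generate rsa general-keys modulus 2048
ip http secure-server
ip http authentication aaa
!
! Checks (exec mode):
! show ip http server status          -> HTTP/HTTPS server state and auth method
! show ip auth-proxy configuration    -> proxy rules and cache timeout
! test aaa group tacacs+ jdoe Pass123 legacy   -> router can reach the ACS
```

Keep the plain HTTP server enabled alongside the secure server: HTTP-initiated sessions must still be intercepted, and the HTTPS server is what protects the credential exchange itself.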

Lab Activity

Lab Exercise: Configure Authentication Proxy

In this lab, students will first configure CSACS for Windows 2000. Students will also configure authentication, authorization, and accounting (AAA). Students will then configure an authentication proxy. Finally, students will test and verify the functionality of the authentication proxy.

Firewall Support of HTTPS Authentication Proxy