All traffic requiring authentication and authorization should be
denied by the router using extended ACLs. Upon successful
authentication, dynamic ACEs will be inserted into the ACLs to permit only the
traffic authorized by the user profile. The authentication proxy customizes
each of the ACEs in the user profile by replacing the source IP addresses in
the downloaded ACL with the source IP address of the authenticated host.
An extended ACL should be applied to the inbound direction of the interface
that is configured for proxy authentication. All other ACLs that restrict
traffic in the direction of authenticated traffic flow should be extended ACLs
so that proxy authentication can dynamically update the ACEs as necessary to
permit authorized traffic to pass.
NOTE:
Proxy authentication does not update ACLs blocking return traffic. If
traffic in the opposite direction must be restricted, then use static ACLs to
manually permit return traffic for authorized traffic. Preferably, use CBAC to
dynamically create ACLs to securely permit return traffic for
proxy-authenticated sessions.
If the AAA server resides on the same interface where proxy
authentication is configured, then an ACL to permit TACACS+ or RADIUS traffic
from the AAA server to the firewall must be configured.
Use the following
guidelines when writing the extended ACL:
To permit AAA server communication, create an ACE where the source address
is the AAA server and destination address is the interface where the AAA server
resides.
Some traffic may need to be permitted without requiring authentication,
such as Internet Control Message Protocol (ICMP) or routing updates.
Deny all other traffic.
Apply the extended ACL to the inbound direction of the interface where
proxy authentication is configured.
Enable the Router HTTP or HTTPS Server for AAA
To use the authentication proxy with HTTP, use the ip http server
command to enable the HTTP server on the router. Then use the ip http
authentication aaa command to require the HTTP server to use AAA for
authentication.
The HTTPS feature requires a Cisco IOS crypto image. Enabling this feature
supports these options:
HTTP-initiated sessions normally exchange the username and password in
clear text. This exchange is encrypted when using HTTPS.
HTTPS-initiated sessions are proxy authenticated.
To use the authentication proxy with HTTPS, use the ip http
secure-server command to enable the HTTP server on the router. Then
use the ip http authentication aaa command to require the
HTTP server to use AAA for authentication.
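The configuration below is an added example, not the lab's own configuration, that puts the guidelines above together: the extended ACL with the AAA-server ACE, the permits that need no authentication, the deny-all, the inbound application, and the HTTP server bound to AAA. All addresses, interface names, ACL and proxy rule names, and the shared secret are assumed values.

```cisco
! Added example (not the lab's configuration). Assumed addressing:
!   inside interface FastEthernet0/0 = 10.0.1.1/24
!   AAA server (TACACS+) = 10.0.1.10, on the same interface as the proxy
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.0.1.10
tacacs-server key SHARED-SECRET-PLACEHOLDER
!
! Extended ACL per the guidelines: the ACL is applied inbound, so the
! AAA-server ACE matches replies from the server (source port tacacs)
! to the router interface. ICMP is permitted without authentication.
! Everything else is denied until the authentication proxy inserts the
! user's dynamic ACEs above these static entries.
ip access-list extended INSIDE_IN
 permit tcp host 10.0.1.10 eq tacacs host 10.0.1.1
 permit icmp any any
 deny ip any any
!
! Proxy rule for HTTP-initiated sessions; cache idle timeout in minutes.
ip auth-proxy auth-cache-time 60
ip auth-proxy name AUTH_HTTP http
!
! Router HTTP server for the login page, using AAA for authentication.
! For HTTPS (crypto image required) use "ip http secure-server" instead.
ip http server
ip http authentication aaa
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group INSIDE_IN in
 ip auth-proxy AUTH_HTTP
```

After a host logs in, show ip auth-proxy cache lists the authenticated entry and show ip access-lists INSIDE_IN shows the dynamic ACEs with that host's address substituted as the source.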
In this lab, students will first
configure CSACS for Windows 2000. Students will also configure authentication,
authorization, and accounting (AAA). Students will then configure an
authentication proxy. Finally, students will test and verify the functionality
of the authentication proxy.