Authentication Proxy Configuration
The authentication proxy is applied in the inward direction at any interface on the router where per-user authentication and authorization occur. Applying the authentication proxy inward at an interface causes it to intercept a user’s initial connection request before that request is subjected to any other processing by the firewall. If the user fails to authenticate with the AAA server, the connection request is dropped.
How the authentication proxy is applied depends on the security policy. For example, all traffic through an interface can be blocked, and then the authentication proxy feature can be enabled to require authentication and authorization for all user-initiated HTTP, HTTPS, FTP, or Telnet connections. Users are authorized for services only after successful authentication with the AAA server. The authentication proxy feature also enables administrators to use standard ACLs to specify a host or group of hosts whose initial HTTP, HTTPS, FTP, or Telnet traffic triggers the proxy.
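The policy described above, sketched as an IOS configuration fragment. This is an added example, not taken from the original page: the rule name USERS-AP, the ACL numbers, the interface, the addresses and the shared key are constructed placeholders, and a TACACS+ AAA server is assumed.

```cisco
! Constructed example: all names, numbers, addresses and the key are placeholders.
!
! AAA: authenticate logins and authorize the auth-proxy service
! against the TACACS+ server.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-SHARED-KEY
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
!
! The router's HTTP server presents the login prompt and checks
! the credentials through AAA.
ip http server
ip http authentication aaa
!
! Standard ACL naming the hosts whose initial HTTP traffic
! triggers the proxy.
access-list 10 permit 10.1.1.0 0.0.0.255
!
! Authentication proxy rule: HTTP trigger, limited to ACL 10.
ip auth-proxy name USERS-AP http list 10
!
! Inbound ACL that blocks all traffic through the interface.
! The per-user entries returned by the AAA server after a
! successful login are added to this ACL.
access-list 110 deny ip any any
!
! User-facing interface: the proxy is applied inward, so it sees
! the initial connection request before the ACL drops it.
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy USERS-AP
```

With this in place, a host outside 10.1.1.0/24 never triggers the proxy and stays blocked by ACL 110, and a host inside it gains only what its AAA profile authorizes.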
Cisco Secure ACS auth-proxy Service
The Cisco Secure ACS for Windows Server AAA server can be configured to support authentication proxy by configuring the AAA authorization auth-proxy service. This creates a new section in the Group Setup frame in which user profiles can be created. This does not interfere with other types of services that the AAA server may have.