The Cisco IOS Firewall authentication proxy feature enables network
administrators to apply specific security policies on a per-user basis.
Users can be identified and authorized on the basis of their per-user policy,
and access privileges can be tailored on an individual basis, as opposed to a
general policy applied across multiple users.
With the authentication proxy
feature, users can log in to the network or access the Internet via HTTP,
HTTPS, FTP, or Telnet, and their specific access profiles are automatically
retrieved and applied from a Cisco Secure Access Control Server (ACS) or other
authentication server. The user profiles are active only when there is active
traffic from the authenticated users.
The authentication proxy is
compatible with other Cisco IOS security features such as NAT, Context-Based
Access Control (CBAC), IPSec encryption, and the Cisco VPN Client.
Authentication Proxy Operation
When a user initiates an HTTP, HTTPS, FTP, or Telnet session through the
firewall, it triggers the authentication proxy. The authentication proxy first
checks to see if the user has been authenticated. If a valid authentication
entry exists for the user, the session is allowed and no further intervention
is required by the authentication proxy. If no entry exists, the
authentication proxy responds to the connection request by prompting the user
for a username and password.
Users must successfully
authenticate with the authentication server by entering a valid username and
password. If the authentication succeeds, the user’s authorization profile is
retrieved from the authentication, authorization, and accounting (AAA) server.
The authentication proxy uses the information in this profile to create dynamic
access control entries (ACEs) and add them to the inbound ACL of an input
interface, and to the outbound ACL of an output interface if an output ACL
exists at the interface. By doing this, the firewall allows authenticated users
access to the network as permitted by the authorization profile.
If the
authentication fails, the authentication proxy reports the failure to the user
and prompts the user for a configurable number of retries.
The
authentication proxy sets up an inactivity, or idle, timer for each user
profile. As long as there is activity through the firewall, new traffic
initiated from the user’s host does not trigger the authentication proxy, and
all authorized user traffic is permitted access through the firewall.
If
the idle timer expires, the authentication proxy removes the user’s profile
information and dynamic ACL entries. When this happens, traffic from the client
host is blocked. The user must initiate another HTTP, HTTPS, FTP, or Telnet
connection to trigger the authentication proxy.
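The decision flow described above (cached entry, triggering protocols, retry count, dynamic ACEs built from the AAA profile, and the idle timer that tears them down) as an added Python model; this is not Cisco code, and the port set, AAA store, timeout and retry values are constructed for illustration:

```python
from dataclasses import dataclass, field

# New sessions on these ports trigger the proxy; other traffic from an
# unauthenticated host is simply dropped (assumed port mapping).
TRIGGER_PORTS = {80, 443, 21, 23}   # HTTP, HTTPS, FTP, Telnet

# Constructed AAA store: username -> (password, ports the profile permits).
AAA_PROFILES = {"alice": ("s3cret", {80, 443, 22}), "bob": ("hunter2", {80})}

@dataclass
class AuthProxy:
    idle_timeout: int = 60          # seconds; assumed value, not an IOS default
    max_retries: int = 3            # failed logins before the host is refused
    cache: dict = field(default_factory=dict)      # host -> {"user", "last_seen"}
    dynamic_acl: set = field(default_factory=set)  # (host, port) ACEs on the interface ACL
    attempts: dict = field(default_factory=dict)   # host -> failed login count

    def _expire(self, now):
        # Idle timer: drop the profile and its dynamic ACEs once the host goes quiet.
        for host, entry in list(self.cache.items()):
            if now - entry["last_seen"] >= self.idle_timeout:
                self.dynamic_acl = {a for a in self.dynamic_acl if a[0] != host}
                del self.cache[host]

    def packet(self, host, port, now):
        """Forwarding decision for one new flow: 'permit', 'deny' or 'prompt'."""
        self._expire(now)
        if host in self.cache:
            if (host, port) in self.dynamic_acl:
                self.cache[host]["last_seen"] = now   # permitted traffic resets the idle timer
                return "permit"
            return "deny"                              # authenticated but not in the profile
        return "prompt" if port in TRIGGER_PORTS else "deny"

    def login(self, host, user, password, now):
        """Credential check against the AAA store; installs dynamic ACEs on success."""
        profile = AAA_PROFILES.get(user)
        if profile is None or profile[0] != password:
            self.attempts[host] = self.attempts.get(host, 0) + 1
            return "retry" if self.attempts[host] < self.max_retries else "refused"
        self.attempts.pop(host, None)
        self.cache[host] = {"user": user, "last_seen": now}
        self.dynamic_acl |= {(host, p) for p in profile[1]}
        return "permit"
```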
Supported AAA Servers
The Cisco IOS Firewall authentication proxy supports the following AAA
protocols and servers:
- TACACS+
  - Cisco Secure ACS for Windows 2000 Server
  - Cisco Secure ACS for UNIX
  - TACACS+ Freeware
- RADIUS
  - Cisco Secure ACS for Windows 2000 Server
  - Cisco Secure ACS for UNIX
  - Lucent
  - Other standard RADIUS servers