Cisco IOS Firewall Authentication Proxy

The Cisco IOS Firewall authentication proxy feature enables network administrators to apply specific security policies on a per-user basis. Users are identified and authorized according to their per-user policy, so access privileges can be tailored to the individual instead of applying one general policy across many users.

With the authentication proxy feature, users can log in to the network or access the Internet via HTTP, HTTPS, FTP, or Telnet, and their specific access profiles are automatically retrieved and applied from a Cisco Secure Access Control Server (ACS) or other authentication server. The user profiles are active only when there is active traffic from the authenticated users.

The authentication proxy is compatible with other Cisco IOS security features such as NAT, Context-Based Access Control (CBAC), IPSec encryption, and the Cisco VPN Client.

Authentication Proxy Operation
When a user initiates an HTTP, HTTPS, FTP, or Telnet session through the firewall, the session triggers the authentication proxy. The authentication proxy first checks whether the user has already been authenticated. If a valid authentication entry exists for the user, the session is allowed and no further intervention by the authentication proxy is required. If no entry exists, the authentication proxy responds to the connection request by prompting the user for a username and password.

Users must successfully authenticate with the authentication server by entering a valid username and password. If the authentication succeeds, the user’s authorization profile is retrieved from the authentication, authorization, and accounting (AAA) server. The authentication proxy uses the information in this profile to create dynamic access control entries (ACEs) and add them to the inbound ACL of an input interface, and to the outbound ACL of an output interface if an output ACL exists at the interface. By doing this, the firewall allows authenticated users access to the network as permitted by the authorization profile.

If the authentication fails, the authentication proxy reports the failure to the user and prompts the user for a configurable number of retries.

The authentication proxy sets up an inactivity, or idle, timer for each user profile. As long as there is activity through the firewall, new traffic initiated from the user’s host does not trigger the authentication proxy, and all authorized user traffic is permitted access through the firewall.

If the idle timer expires, the authentication proxy removes the user’s profile information and dynamic ACL entries. When this happens, traffic from the client host is blocked. The user must initiate another HTTP, HTTPS, FTP, or Telnet connection to trigger the authentication proxy.
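The operation described above, modelled as an added example (not Cisco code): a per-host authentication cache, dynamic ACEs built from an assumed AAA profile of (proto, dst, port) permits, a retry counter for failed logins, and an idle timer whose expiry removes the profile and its ACEs. The static inbound ACL is assumed to deny whatever the dynamic ACEs do not permit, and the AAA server is stood in for by two dictionaries.

```python
from dataclasses import dataclass

# Ports whose sessions trigger the proxy: HTTP, HTTPS, FTP, Telnet.
TRIGGER_PORTS = {80, 443, 21, 23}

@dataclass
class CacheEntry:
    user: str
    aces: set         # dynamic ACEs created from the user's AAA profile
    last_seen: float  # drives the per-user idle timer

class AuthProxy:
    """Toy model (assumption): passwords is user -> password, profiles is
    user -> list of (proto, dst, port) permits; the static inbound ACL is
    assumed to deny anything the dynamic ACEs do not permit."""

    def __init__(self, passwords, profiles, idle_timeout=60.0, retries=3):
        self.passwords, self.profiles = passwords, profiles
        self.idle_timeout, self.retries = idle_timeout, retries
        self.cache = {}           # src host -> CacheEntry
        self.dynamic_acl = set()  # (src, proto, dst, port) ACEs added to the ACL
        self.failures = {}        # src host -> consecutive failed logins

    def _expire(self, now):
        # Idle-timer expiry removes the profile and its dynamic ACEs.
        for host, entry in list(self.cache.items()):
            if now - entry.last_seen > self.idle_timeout:
                del self.cache[host]
                self.dynamic_acl.difference_update(entry.aces)

    def packet(self, src, proto, dst, port, now, login=None):
        """Returns 'permit', 'deny' or 'prompt' for one packet from src."""
        self._expire(now)
        entry = self.cache.get(src)
        if entry:                      # valid entry: no proxy intervention
            entry.last_seen = now
            return "permit" if (src, proto, dst, port) in self.dynamic_acl else "deny"
        if port not in TRIGGER_PORTS:  # only HTTP/HTTPS/FTP/Telnet trigger the proxy
            return "deny"
        if login is None:
            return "prompt"
        user, password = login
        if self.passwords.get(user) != password:
            self.failures[src] = self.failures.get(src, 0) + 1
            if self.failures[src] < self.retries:
                return "prompt"        # report failure and re-prompt
            self.failures.pop(src)     # retries exhausted (assumption: new session starts over)
            return "deny"
        self.failures.pop(src, None)
        aces = {(src, p, d, pt) for (p, d, pt) in self.profiles.get(user, [])}
        self.dynamic_acl |= aces
        self.cache[src] = CacheEntry(user, aces, now)
        return "permit" if (src, proto, dst, port) in aces else "deny"
```

Once the host's entry has expired, even traffic matching its old profile is dropped until the host opens a new HTTP, HTTPS, FTP or Telnet session and re-authenticates.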

Supported AAA Servers
The Cisco IOS Firewall authentication proxy supports the following AAA protocols and servers:

  • TACACS+
    • Cisco Secure ACS for Windows 2000 Server
    • Cisco Secure ACS for UNIX
    • TACACS+ Freeware
  • RADIUS
    • Cisco Secure ACS for Windows 2000 Server
    • Cisco Secure ACS for UNIX
    • Lucent
    • Other standard RADIUS servers