This section discusses how to configure the authentication proxy settings on
a Cisco router.
Set Global Timers
The inactivity timeout value is the length of time that an authentication cache entry, along with its associated dynamic user ACL, is kept after the last traffic seen from that user. To set the global authentication proxy inactivity timeout value, use the ip auth-proxy inactivity-timer min global configuration command. The inactivity-timer min value must be set higher than the idle timeout of any CBAC protocol. Otherwise, when the authentication proxy removes the user profile along with the associated dynamic user ACLs, CBAC might still be monitoring idle connections for that user, and removing the user-specific ACLs can cause those idle connections to hang. If the CBAC idle timeout is the shorter of the two, CBAC resets the idle connections when its timeout expires, which is before the authentication proxy removes the user profile.
The absolute-timer min option lets administrators set a maximum lifetime for an authentication cache entry on the enabled interface. Once the absolute timer expires, the entry and its dynamic user ACLs are removed regardless of any activity, and the user must reauthenticate. The global absolute timeout value can be overridden per rule by the absolute-timer option of the ip auth-proxy name command. The absolute timer is turned off by default (a value of 0), so authentication entries remain valid indefinitely, subject only to the inactivity timer.
The syntax of the ip auth-proxy command is shown in Figure.
Define and Apply Authentication Proxy Rules
To create an authentication proxy rule, use the ip auth-proxy name global configuration command. The syntax of the ip auth-proxy name command is shown in Figure.
To apply an authentication proxy rule at a firewall interface, use the ip auth-proxy interface configuration command on the interface that receives the traffic from the users who must authenticate. The syntax of the ip auth-proxy command is shown in Figure.
NOTE: A proxy authentication rule can consist of multiple statements, each specifying a different authentication type. This configuration supports proxy authentication for multiple applications, using a combination of HTTP, HTTPS, FTP, or Telnet authentication at the same time.
Authentication Proxy Rules with ACLs
An authentication proxy rule can be associated with an ACL, providing control over which hosts use the authentication proxy: only connections permitted by the ACL are intercepted and required to authenticate, and traffic from other hosts is not subject to the rule. When no ACL is given, every connection of the rule's type arriving on the interface triggers authentication. To create an authentication proxy rule with an ACL, use the ip auth-proxy name global configuration command with the list acl option. The syntax of the ip auth-proxy name with ACLs command is shown in Figure.
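The following configuration ties the three steps above together: the global timers sized against the CBAC idle timeouts, a multi-statement rule restricted by a standard ACL with a per-rule absolute-timer override, and the rule applied at an interface. It is an added example written for this page, not configuration from the original text; the rule name corp-proxy, ACL 10, interface FastEthernet0/0, the 10.1.1.0/24 addresses and all timer values are constructed, and the AAA and HTTP server prerequisites (aaa new-model, aaa authorization auth-proxy, ip http server with AAA authentication) are assumed to be configured as described elsewhere in the course.

```cisco
! Assumed prerequisites (not shown in full): aaa new-model,
! aaa authorization auth-proxy default group tacacs+,
! ip http server and ip http authentication aaa.
!
! CBAC idle timeouts, in seconds (constructed values):
! TCP idle 3600 s = 60 min, UDP idle 30 s.
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
!
! Global authentication proxy timers, in minutes.
! inactivity-timer must exceed the longest CBAC idle timeout above
! (60 min), otherwise the proxy could tear down a user's dynamic ACLs
! while CBAC still tracks idle connections for that user.
ip auth-proxy inactivity-timer 90
! Force reauthentication after 8 hours regardless of activity
! (default 0 means the absolute timer is off).
ip auth-proxy absolute-timer 480
!
! Only hosts in 10.1.1.0/24 are subject to the proxy; connections from
! any other source are not intercepted by the rule.
access-list 10 permit 10.1.1.0 0.0.0.255
!
! One rule, several statements, one authentication type each.
! The HTTP statement overrides the global absolute timer with a
! local value of 120 minutes; FTP and Telnet keep the global 480.
ip auth-proxy name corp-proxy http absolute-timer 120 list 10
ip auth-proxy name corp-proxy ftp list 10
ip auth-proxy name corp-proxy telnet list 10
!
! Apply the rule on the interface facing the users who must authenticate.
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip auth-proxy corp-proxy
!
! Verification commands:
!   show ip auth-proxy configuration   (rules, timers, interfaces)
!   show ip auth-proxy cache           (active entries and remaining time)
```

When reviewing an existing router, compare the inactivity-timer value (minutes) against every ip inspect idle-time and per-protocol timeout value (seconds) before changing either; the defaults of 60 minutes and 3600 seconds are equal, which does not satisfy the "higher than" requirement stated above.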