One of the tasks that should be done very quickly on the CCIE:Security exam is the IOS Auth Proxy. The IOS Auth Proxy intercepts an incoming connection, authenticates the user against the ACS (or another authentication server; in our example, the ACS), and then modifies the ACL that is currently denying traffic into the Auth Proxy router so that the authenticated host's traffic is allowed through.
In the following example, I demonstrate how to quickly get the Auth Proxy set up with an IOS router that authenticates against an ACS server. This is the most basic of examples, and it should be able to be accomplished within 15 minutes. TACACS+ is used, but RADIUS can be used as well on the ACS.
The basic steps to setting up an Auth Proxy:
- Turn on AAA on the router.
- Create AAA authentication and authorization mechanisms.
- Turn on the HTTP server.
- Authenticate against the HTTP server using AAA.
- Configure the Auth Proxy settings.
- Configure the ACL to only permit necessary traffic.
- Configure the ACS for Auth Proxy.
The following diagram will be used for the setup:
In this example, the XP machine is going to HTTP into R1. However, R2 is going to intercept the request and make sure that the Windows XP user has the proper credentials to get into the network. The ACS server is a Windows 2008 server running Cisco Secure ACS 4.2.1. R2 is going to authenticate against this server before modifying the ACL that will permit authenticated traffic across.
First, we set up AAA on R2. AAA needs to be turned on, the default login authentication needs to use TACACS+, and authorization needs to be turned on for auth-proxy. As a precaution, AAA login on the console line should be disabled (a method list of none). It is always a good idea in the lab to do this; otherwise, you could get locked out of the console, which is a less than optimal situation.
aaa new-model
!
aaa authentication login default group tacacs+
aaa authentication login CONSOLE none
aaa authorization auth-proxy default group tacacs+
!
<snipped text>
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication CONSOLE
line aux 0
 login authentication CONSOLE
Now we must turn on the HTTP server on R2 and authenticate using AAA:
ip http server
ip http authentication aaa
The TACACS+ server needs to be set up. We are going to use fa0/1 as the source interface for TACACS+. This is important, as this will be the IP address that the server itself sees as the AAA client.
ip tacacs source-interface FastEthernet0/1
tacacs-server host 10.10.10.100 key cisco
Now the actual IP Auth Proxy will need to be set up. The IP Auth Proxy will have a name of AUTH_PROXY and the banner will say "Please Enter Your Username and Password:". Everything else will be left as default.
ip auth-proxy auth-proxy-banner http ^C Please Enter Your Username and Password ^C
ip auth-proxy name AUTH_PROXY http
Note that telnet and FTP can be used instead of HTTP. However, using the HTTP keyword will require the use of HTTP for authentication.
The IP access list will also need to be created. We are going to deny everything through the router; however, in order to access the auth-proxy HTTP server, an ACL entry allowing that traffic will need to be added. Also, EIGRP is being used in our example, so EIGRP traffic will also need to be allowed.
ip access-list extended DENY
 permit tcp any host 45.45.20.2 eq www
 permit eigrp any any
 deny ip any any
 deny icmp any any
Finally, the IP Auth Proxy and the access list are applied to the fa0/1 interface:
interface FastEthernet0/1
 ip address 10.10.20.2 255.255.255.0
 ip access-group DENY in
 ip auth-proxy AUTH_PROXY
The router configuration is now complete. Now the ACS server will need to be configured. The ACS will be configured with a username of cisco and a password of cisco. Once the user cisco is authenticated, the ACLs defined in the ACS will be applied, and all IP and ICMP traffic from the authenticated host will be allowed through.
First, a user named cisco with a password of cisco should be added to the ACS:
Next, under Network Configuration, we add the R2 client and authenticate using TACACS+. We put the secret key of cisco here.
After submitting and applying the changes, go into the Interface Configuration and add the auth-proxy setting into the TACACS+ configuration. This is not a configuration that is enabled by default in the group settings.
The usual submit/apply routine is then done. Finally, the settings for the proxy ACLs are added to the configuration. Note that the shell privilege level of 15 is added; otherwise, it would not be possible to add the ACLs into the interface settings of the router.
Submit, apply, done. Yep, that is it.
First, the router should be tested against the ACS to make sure that the communication between the two is working properly. This can be accomplished with the test aaa command:
R2#test aaa group tacacs+ cisco cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
Neato! R2 is successfully authenticating the user cisco with the password of cisco against the AAA server. If the auth-proxy is working, then an HTTP connection to R1 should invoke the auth proxy on R2.
The username of cisco and password of cisco is used. The result?
And now the R1 login is presented:
A quick look at the R2 auth proxy cache:
R2#sh ip auth-proxy cache
 Authentication Proxy Cache
 Client Name cisco, Client IP 10.10.20.100, Port 1105, timeout 60, Time Remaining 60, state ESTAB
The auth-proxy was successful, and the client name cisco from the IP address of 10.10.20.100 is now authenticated. The ACLs have also changed:
R2#sh ip access-list
Extended IP access list DENY
    permit ip host 10.10.20.100 any (14 matches)
    permit icmp host 10.10.20.100 any
    10 permit tcp any host 45.45.20.2 eq www
    20 permit eigrp any any
    30 deny ip any any (1698 matches)
    40 deny icmp any any
There are now unnumbered entries in the ACL. These entries match the proxyacl entries in the auth-proxy section of the ACS server. Now that cisco has been authenticated from 10.10.20.100, that host is allowed through using either IP or ICMP.
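As an added verification aid that is not part of the original post: a small Python checker that parses the `show ip access-list` and `show ip auth-proxy cache` output from the R2 session above, separates the dynamic (unnumbered) auth-proxy entries from the static numbered ones, and confirms that every dynamic entry belongs to a client that is still in ESTAB state in the cache. The sample output is constructed from the page's session; any dynamic entry whose source host is missing from the cache is flagged as an orphan worth clearing.

```python
import re

# Constructed sample output, copied from the R2 session shown on the page.
ACL_OUTPUT = """\
Extended IP access list DENY
    permit ip host 10.10.20.100 any (14 matches)
    permit icmp host 10.10.20.100 any
    10 permit tcp any host 45.45.20.2 eq www
    20 permit eigrp any any
    30 deny ip any any (1698 matches)
    40 deny icmp any any
"""
CACHE_OUTPUT = """\
 Authentication Proxy Cache
 Client Name cisco, Client IP 10.10.20.100, Port 1105, timeout 60, Time Remaining 60, state ESTAB
"""

# Optional sequence number, action, protocol, the rest of the entry, optional hit counter.
ENTRY_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<rest>.*?)(?:\s+\((?P<hits>\d+) matches\))?$")
CACHE_RE = re.compile(r"Client Name (?P<user>\S+), Client IP (?P<ip>\S+),.*state (?P<state>\S+)")


def parse_acl(text):
    """Return one dict per ACE; entries with no sequence number were inserted by auth-proxy."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line such as "Extended IP access list DENY"
        e = m.groupdict()
        e["dynamic"] = e["seq"] is None
        e["hits"] = int(e["hits"] or 0)
        entries.append(e)
    return entries


def parse_cache(text):
    """Map client IP -> (username, state) from the auth-proxy cache output."""
    return {m.group("ip"): (m.group("user"), m.group("state")) for m in CACHE_RE.finditer(text)}


def audit(acl_text, cache_text):
    """Tie each dynamic ACE back to its authenticated client; flag ones with no ESTAB owner."""
    cache = parse_cache(cache_text)
    report = []
    for e in parse_acl(acl_text):
        if not e["dynamic"]:
            continue
        src = re.match(r"host (\S+)", e["rest"])
        ip = src.group(1) if src else None
        owner = cache.get(ip)
        report.append({"proto": e["proto"], "src": ip,
                       "user": owner[0] if owner else None,
                       "orphan": owner is None or owner[1] != "ESTAB"})
    return report
```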
The auth-proxy default timeout is 60 minutes. The number can be lowered by using the inactivity-time command after assigning a name to the auth-proxy:
ip auth-proxy name AUTH_PROXY http inactivity-time 60
To remove an authenticated user from the auth-proxy list, use the clear command, along with the IP address of the user that needs to be inactivated. To clear all of the users, use the * instead of the IP address:
R2#clear ip auth-proxy cache 10.10.20.100
This command will remove our current user, and now cisco will need to re-authenticate through the auth-proxy.
With a little bit of practice, this entire setup should be accomplished in about 15 minutes. Do not forget that if the auth proxy needs to go through a firewall, then the firewall will need to allow the TACACS+ protocol (TCP 49), the HTTP protocol (TCP 80), and any other protocols that are in the proxy ACL list in the ACS.
Good luck!