
CCIE Security

Advanced Technologies Class

Advanced AAA

http://www.InternetworkExpert.com

IOS Authentication Proxy

• Dynamic Access-Lists (Lock-and-Key) allow a user to authenticate to IOS in order to poke a hole in the firewall
• Not scalable, since the Dynamic ACL is for all users and you can't control access per user
  – "access-enable" opens all Dynamic ACLs
• Authentication proxy offers a scalable alternative for per-user ACL access via TACACS+ / RADIUS
Copyright © 2007 Internetwork Expert, Inc
www.InternetworkExpert.com

IOS Authentication Proxy (cont.)

• User is denied network access via a static ACL
• User sends HTTP traffic through the IOS interface running auth-proxy and is presented with a login prompt
• Once the user is authenticated, AAA is checked for auth-proxy authorization
• If the user is allowed auth-proxy access, a per-user ACL is downloaded from AAA
• User is now allowed access to resources

Configuring IOS Auth-Proxy

• Configure communication with AAA
  – aaa new-model…
  – radius-server host | tacacs-server host
• Define AAA authentication
  – aaa authentication login default group…
  – Don't lock yourself out!
• Define AAA authorization
  – aaa authorization auth-proxy default group…

Configuring IOS Auth-Proxy (cont.)

• Enable HTTP server and authentication
  – ip http server
  – ip http authentication aaa
• Deny inbound traffic except for HTTP, which is needed for authentication
• Define the auth-proxy ACL that triggers authentication
  – ip access-list extended PROXYACL
    • permit tcp any any eq www


Configuring IOS Auth-Proxy (cont.)

• Configure the auth-proxy instance and reference the trigger ACL
  – ip auth-proxy name AUTHPROXY http list PROXYACL
• Apply the static access-list
• Apply auth-proxy to the interface
  – ip auth-proxy AUTHPROXY

Configuring IOS Auth-Proxy (cont.)

• Configure AAA to support auth-proxy
• For TACACS+
  – Define the new service "auth-proxy" under interface configuration
  – Create the user, enable auth-proxy, and configure the custom attributes
    • auth-proxy:priv-lvl=15
    • proxyacl#1=permit icmp any any
    • proxyacl#2=permit tcp any any
    • proxyacl#3=permit udp any any


Configuring IOS Auth-Proxy (cont.)

• Configure AAA to support auth-proxy
• For RADIUS
  – Create the user and define auth-proxy under the [009\001] cisco-av-pair
    • auth-proxy:priv-lvl=15
    • auth-proxy:proxyacl#1=permit icmp any any
    • auth-proxy:proxyacl#2=permit tcp any any
    • auth-proxy:proxyacl#3=permit udp any any

Auth-Proxy Verification

• show access-list should show the per-user ACL entry
• clear ip auth-proxy cache * deletes the per-user ACL entries


Auth-Proxy Example

• PC must authenticate to R1 through TACACS+ before accessing R4
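The R1 side of this scenario written out as an added IOS configuration (not taken from the original deck), assembling the steps from the preceding slides. Assumptions: the TACACS+ server is at 10.0.0.100, the PC-facing interface is FastEthernet0/0 with address 10.1.1.1, and the secrets are placeholders.

```cisco
! R1: IOS authentication proxy, PC -> R4 (added example, assumed addresses)
aaa new-model
! "local" fallback so an unreachable TACACS+ server cannot lock you out
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
username admin privilege 15 secret <LOCAL-FALLBACK-PASSWORD>
tacacs-server host 10.0.0.100 key <TACACS-KEY>
!
! The HTTP server presents the login prompt; it must authenticate via AAA
ip http server
ip http authentication aaa
!
! Trigger ACL: any HTTP crossing the interface starts the proxy
ip access-list extended PROXYACL
 permit tcp any any eq www
!
! Static ACL: block everything inbound from the PC except the HTTP needed
! to reach the login prompt; per-user entries are inserted above these
ip access-list extended INBOUND
 permit tcp any any eq www
 deny ip any any log
!
! Proxy instance referencing the trigger ACL; idle entries expire after
! 60 minutes (auth-cache-time is in minutes)
ip auth-proxy name AUTHPROXY http list PROXYACL
ip auth-proxy auth-cache-time 60
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group INBOUND in
 ip auth-proxy AUTHPROXY
!
! The TACACS+ server must return, for the user, service "auth-proxy" with:
!   priv-lvl=15
!   proxyacl#1=permit icmp any any
!   proxyacl#2=permit tcp any any
!   proxyacl#3=permit udp any any
! After login, "show access-list" shows these entries at the top of INBOUND
! with "any" as source replaced by the authenticated PC's address;
! "clear ip auth-proxy cache *" removes them.
```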

PIX / ASA Network Access AAA

• The "Cut-Through Proxy" feature on PIX/ASA is similar to authentication proxy on IOS
• As traffic leaves the network it is checked against a AAA authentication access-list
• If a match occurs, the user is required to authenticate prior to access being granted
• Authentication through
  – HTTP / HTTPS
  – FTP
  – Telnet

Cut-Through Proxy Configuration

• Define the AAA server
  – aaa-server SERVER protocol…
    • RADIUS allows per-user ACLs through Cisco AV pair 009\001
  – aaa-server SERVER (outside) host 1.2.3.4
    • key…
• Define the traffic that triggers cut-through proxy
  – access-list CUT_THROUGH extended permit tcp any any eq 80

Cut-Through Proxy Configuration (cont.)

• Bind the trigger ACL to the AAA process
  – aaa authentication match CUT_THROUGH inside SERVER
• Configure the AAA server with user / password
• Configure the AAA server with the RADIUS ACL
  – Cisco IOS/PIX 6.x RADIUS Attributes
  – [009\001] cisco-av-pair
  – ip:inacl#1=permit ip any any


Cut-Through Proxy Example


• PC must authenticate to the PIX through RADIUS before pinging R2 and web browsing to R4
