
Adaptive Threat Defense

Configuring Cisco IOS Firewall Authentication Proxy

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—5-1


What Is the Authentication Proxy?

 HTTP, HTTPS, FTP, and Telnet authentication
 Provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols
 Once authenticated, all types of application traffic can be authorized
 Works on any interface type for inbound or outbound traffic



Using Cisco IOS Firewall Authentication Proxy

[Figure: client hosts, an AAA server, and Web, FTP, and Telnet servers connected across the Internet through the Cisco IOS Firewall]



Login screen



Supported AAA Servers

TACACS+:
– Cisco Secure ACS for Windows NT/2000
– Cisco Secure ACS UNIX
– TACACS+ Freeware

RADIUS:
– Cisco Secure ACS for Windows NT/2000
– Cisco Secure ACS UNIX
– Lucent



Applying the Cisco IOS Firewall Authentication Proxy

[Figure: an outside user and an inside user on either side of the Cisco IOS Firewall; a Web, FTP, or Telnet server and the AAA server are also shown]

For inbound proxy authentication:
– Add an ACL to block inward traffic from the outside.
– Enable the Cisco IOS Firewall authentication proxy to intercept inward HTTP, HTTPS, FTP, or Telnet traffic from the outside.

For outbound proxy authentication:
– Add an ACL to block inward traffic from the inside, except from the AAA server.
– Enable the Cisco IOS Firewall authentication proxy to intercept inward HTTP, HTTPS, FTP, or Telnet traffic from the inside.



Create auth-proxy Service in the Cisco Secure ACS

Enter the new service: auth-proxy.



Create a User Authorization Profile in the Cisco Secure ACS

 Check the auth-proxy checkbox.
 Check the Custom attributes checkbox.
 Enter the ACLs to apply after the user authenticates, and the privilege level of the user; it must be 15 for all users:

proxyacl#1=permit tcp any any
priv-lvl=15



User Authorization Profiles

proxyacl#1=permit tcp any any eq 443        (HTTPS)
proxyacl#2=permit icmp any host 172.30.0.50
proxyacl#3=permit tcp any any eq ftp
proxyacl#4=permit tcp any any eq smtp
proxyacl#5=permit tcp any any eq telnet
priv-lvl=15

• Defines the allowable protocols, services, and destination addresses.
• The source address is always any and is replaced in the router with the IP address of the host making the request.
• Privilege level must be set to 15 for all users.

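The profile rules stated on the two ACS slides above (proxyacl#N entries whose source is always any, and priv-lvl=15 for every user) and the substitution the router performs on the source address, as an added Python example that is not part of this course material or of Cisco's software: it parses the attribute lines as an AAA server would return them for the auth-proxy service, validates them against those rules, and shows the per-host entries that result once a given client has authenticated. The sample profile is the one on the slide; the function names and the validation rules are this example's own constructions, and the router's internal handling is not reproduced here.

```python
import ipaddress
import re

# Constructed sample: the attribute lines an AAA server returns for the
# auth-proxy service (same values as the profile on the slide).
SAMPLE_PROFILE = [
    "proxyacl#1=permit tcp any any eq 443",
    "proxyacl#2=permit icmp any host 172.30.0.50",
    "proxyacl#3=permit tcp any any eq ftp",
    "proxyacl#4=permit tcp any any eq smtp",
    "proxyacl#5=permit tcp any any eq telnet",
    "priv-lvl=15",
]

PROXYACL_RE = re.compile(r"^proxyacl#(\d+)=(.+)$")


def parse_profile(attrs):
    """Return (list of (index, ace_text) sorted by index, priv_lvl or None)."""
    aces, priv = [], None
    for attr in attrs:
        attr = attr.strip()
        m = PROXYACL_RE.match(attr)
        if m:
            aces.append((int(m.group(1)), m.group(2).strip()))
        elif attr.startswith("priv-lvl="):
            priv = int(attr.split("=", 1)[1])
    aces.sort()
    return aces, priv


def validate_profile(attrs):
    """Check the rules the slides state; return a list of problems (empty = OK)."""
    aces, priv = parse_profile(attrs)
    problems = []
    if priv != 15:
        problems.append(f"priv-lvl must be 15 for every auth-proxy user, got {priv}")
    if not aces:
        problems.append("profile carries no proxyacl#N entries")
    indices = [n for n, _ in aces]
    if len(set(indices)) != len(indices):
        problems.append("duplicate proxyacl#N index")
    for n, ace in aces:
        tokens = ace.split()
        if len(tokens) < 4 or tokens[0] != "permit":
            problems.append(f"proxyacl#{n}: expected 'permit <protocol> any <destination ...>'")
        elif tokens[2] != "any":
            problems.append(f"proxyacl#{n}: source must be 'any'; the router substitutes the client address")
    return problems


def expand_for_host(attrs, client_ip):
    """Rewrite each entry's source 'any' as 'host <client_ip>', the form the
    router installs as dynamic ACEs once the user has authenticated."""
    host = ipaddress.ip_address(client_ip)  # rejects malformed addresses
    aces, _ = parse_profile(attrs)
    expanded = []
    for _, ace in aces:
        tokens = ace.split()
        tokens[2:3] = ["host", str(host)]
        expanded.append(" ".join(tokens))
    return expanded


if __name__ == "__main__":
    print("problems:", validate_profile(SAMPLE_PROFILE))
    for line in expand_for_host(SAMPLE_PROFILE, "10.0.1.12"):
        print(line)
```

Run as a script it prints an empty problem list followed by the five entries with host 10.0.1.12 in place of the source any; feeding it a profile with a specific source network or a privilege level other than 15 returns one problem per violated rule.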
Authentication Proxy Configuration

 Configure AAA
 Configure the HTTP server
 Create the authentication proxy rule
 Apply the Cisco IOS Firewall authentication proxy rule to an interface
 Verify the Cisco IOS Firewall authentication proxy



Enable AAA

router(config)# aaa new-model
router(config)# aaa authentication login default group tacacs+
router(config)# aaa authorization auth-proxy default group tacacs+

 Enables AAA functionality on the router



Define a TACACS+ Server and Its Key

router(config)# tacacs-server host 10.0.0.3
router(config)# tacacs-server key secretkey

 Specifies the TACACS+ server IP address
 Specifies the TACACS+ server key



Define a RADIUS Server and Its Key

router(config)# radius-server host 10.0.0.3
router(config)# radius-server key secretkey

 Specifies the RADIUS server IP address
 Specifies the RADIUS server key



Allow AAA Traffic to the Router

router(config)# access-list 111 permit tcp host 10.0.1.12 eq tacacs host 10.0.1.2
router(config)# access-list 111 permit icmp any any
router(config)# access-list 111 deny ip any any
router(config)# interface fastEthernet0/0
router(config-if)# ip access-group 111 in

(In the access-list statement, host 10.0.1.12 is the AAA server and host 10.0.1.2 is the router interface.)

 Create an ACL to permit TACACS+ traffic from the AAA server to the firewall
– Source address = AAA server
– Destination address = interface where the AAA server resides
 May want to permit ICMP
 Deny all other traffic
 Apply the ACL to the interface on the side where the AAA server resides



Enable the Router HTTP or HTTPS Server for AAA

router(config)# ip http server
router(config)# ip http secure-server
router(config)# ip http authentication aaa

 Enables the HTTP server on the router
– Proxy uses HTTP server for communication with a client
 Enables the HTTPS server on the router
 Sets the HTTP server authentication method to AAA



Set Global Timers

router(config)# ip auth-proxy inactivity-timer 120
router(config)# ip auth-proxy name APRULE http
router(config)# interface fastEthernet0/0
router(config-if)# ip auth-proxy APRULE

 Authentication inactivity timer in minutes (default = 60 minutes)
 Creates an authorization proxy rule
 Applies an authorization proxy rule to an interface (the name must match the rule as defined)
– For outbound authentication, apply to inside interface
– For inbound authentication, apply to outside interface



Authentication Proxy Rules with ACLs

router(config)# access-list 10 permit 10.0.0.0 0.0.0.255
router(config)# ip auth-proxy name APRULE http list 10
router(config)# interface fastEthernet0/0
router(config-if)# ip auth-proxy APRULE

 Creates an authorization proxy rule with an ACL



Example

[Figure: Host A (10.0.1.12) behind R1 connects across the Internet to S0 of R2 (Firewall); on the E0 segment of R2 sit the WWW server (10.0.6.10) and the AAA server (10.0.6.12)]

– On R2 S0: apply auth-proxy, ACL 105, and IOS Classic Firewall
– On R2 E0: apply ACL 102 to block all inbound traffic except from the AAA server



Router 2 Configuration

Configure AAA for the authentication proxy:
R2(config)# aaa new-model
R2(config)# aaa authentication login default group tacacs+
R2(config)# aaa authorization auth-proxy default group tacacs+
R2(config)# aaa accounting auth-proxy default start-stop group tacacs+
R2(config)# tacacs-server host 10.0.6.12
R2(config)# tacacs-server key cisco
R2(config)# radius-server host 172.31.54.143
R2(config)# radius-server key cisco

Create the classic firewall inspection rule SNRS:
R2(config)# ip inspect name SNRS http
R2(config)# ip inspect name SNRS tcp
R2(config)# ip inspect name SNRS ftp
R2(config)# ip inspect name SNRS smtp

Set the global authentication proxy timeout value and name the auth-proxy rule:
R2(config)# ip auth-proxy auth-cache-time 60
R2(config)# ip auth-proxy name SNRS-Proxy http
R2(config)# ip http server
R2(config)# ip http authentication aaa

Router 2 Configuration (Cont.)

Create ACL 102 to block all traffic inbound on interface E0 except for traffic from the AAA server:
R2(config)# access-list 102 permit tcp host 10.0.6.12 eq tacacs host 10.0.6.2
R2(config)# access-list 102 deny tcp any any
R2(config)# access-list 102 deny udp any any
R2(config)# access-list 102 permit ip any any

Create ACL 105 to block all traffic inbound on interface Serial0; permit only IP protocol traffic:
R2(config)# access-list 105 deny tcp any any
R2(config)# access-list 105 deny udp any any
R2(config)# access-list 105 permit ip any any

Apply the ACLs, the inspection rule, and the auth-proxy rule to the interfaces:
R2(config)# interface Serial0
R2(config-if)# ip address 172.30.6.2 255.255.255.0
R2(config-if)# ip access-group 105 in
R2(config-if)# ip inspect SNRS in
R2(config-if)# ip auth-proxy SNRS-Proxy
R2(config)# interface Ethernet0
R2(config-if)# ip address 10.0.6.2 255.255.255.0
R2(config-if)# ip access-group 102 in

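A consistency check over the configuration steps of this lesson (enable AAA and the auth-proxy authorization method, enable the HTTP server with AAA authentication, define the rule, apply it to an interface that carries an inbound ACL, and permit the AAA server through that ACL), as an added Python example that is not Cisco's code and not part of the course: it parses running-config text and reports the omissions and mismatches that leave the proxy inactive without any error at configuration time. The sample configuration is assembled from this deck's Router 2 example, with the rule on Ethernet0 deliberately applied in lowercase so the checker has a mismatch to report; the checker, its function names, and its assumption that rule names must match exactly as typed are this example's own constructions.

```python
import re

# Constructed sample running-config, assembled from this deck's Router 2
# example; the rule applied on Ethernet0 is deliberately typed in lowercase
# so the checker has a mismatch to report.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.0.6.12
tacacs-server key cisco
ip inspect name SNRS http
ip auth-proxy auth-cache-time 60
ip auth-proxy name SNRS-Proxy http
ip auth-proxy name APRULE http
ip http server
ip http authentication aaa
access-list 102 permit tcp host 10.0.6.12 eq tacacs host 10.0.6.2
access-list 102 deny tcp any any
access-list 102 deny udp any any
access-list 102 permit ip any any
access-list 105 deny tcp any any
access-list 105 deny udp any any
access-list 105 permit ip any any
interface Serial0
 ip address 172.30.6.2 255.255.255.0
 ip access-group 105 in
 ip inspect SNRS in
 ip auth-proxy SNRS-Proxy
interface Ethernet0
 ip address 10.0.6.2 255.255.255.0
 ip access-group 102 in
 ip auth-proxy aprule
"""

# Global commands the lesson's configuration steps require (prefix match).
REQUIRED_GLOBALS = [
    "aaa new-model",
    "aaa authorization auth-proxy default",
    "ip http server",
    "ip http authentication aaa",
]


def parse_config(text):
    """Split config text into global commands and per-interface command lists.
    Interface sub-commands are recognised by their leading space."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def check_auth_proxy_config(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    for req in REQUIRED_GLOBALS:
        if not any(cmd.startswith(req) for cmd in global_cmds):
            findings.append(f"missing global command: {req}")
    # Rule names defined with 'ip auth-proxy name <name> ...'
    rules = {cmd.split()[3] for cmd in global_cmds if cmd.startswith("ip auth-proxy name ")}
    aaa_hosts = [cmd.split()[2] for cmd in global_cmds
                 if cmd.startswith(("tacacs-server host ", "radius-server host "))]
    acl_lines = [cmd for cmd in global_cmds if cmd.startswith("access-list ")]
    for ifname, cmds in interfaces.items():
        for cmd in cmds:
            if not cmd.startswith("ip auth-proxy "):
                continue
            rule = cmd.split()[2]
            if rule not in rules:  # exact match assumed: names are compared as typed
                findings.append(f"{ifname}: applies undefined rule '{rule}' (defined: {sorted(rules)})")
            if not any(c.startswith("ip access-group ") and c.endswith(" in") for c in cmds):
                findings.append(f"{ifname}: auth-proxy applied without an inbound ACL")
    # Every configured AAA server needs an ACL entry permitting its traffic
    for host in aaa_hosts:
        pattern = rf"\bpermit (tcp|udp) host {re.escape(host)}\b"
        if not any(re.search(pattern, acl) for acl in acl_lines):
            findings.append(f"no ACL entry permits traffic from AAA server {host}")
    return findings


if __name__ == "__main__":
    for finding in check_auth_proxy_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the sample it reports only the Ethernet0 rule-name mismatch; correcting that name to APRULE clears the findings, and removing the `ip http authentication aaa` line or the ACL entry for 10.0.6.12 produces the corresponding finding. The checks are prefix and regex matches on the text of the commands, so a configuration that spells a command differently from the forms used in this lesson would need the patterns adjusted.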


Verifying Authentication Proxy

router# show ip auth-proxy cache
router# show ip auth-proxy configuration
router# show ip auth-proxy watch-list

 Displays statistics, configurations, and cache entries of authentication proxy subsystems



debug Commands

router#
debug ip auth-proxy ftp
debug ip auth-proxy function-trace
debug ip auth-proxy http
debug ip auth-proxy object-creation
debug ip auth-proxy object-deletion
debug ip auth-proxy tcp
debug ip auth-proxy telnet
debug ip auth-proxy timer

 Issued from privileged EXEC mode, not configuration mode



Clear the Cisco IOS Firewall Authentication Proxy Cache

router#
clear ip auth-proxy cache {* | ip_addr}

 Clears authentication proxy entries from the router



Summary
• The Cisco IOS Firewall authentication proxy feature enables
network administrators to apply specific security policies on
a per-user basis for TACACS+ and RADIUS servers.
• To support the authentication proxy, configure the AAA
authorization auth-proxy service on the Cisco Secure
ACS for Windows.
• To configure authentication proxy, you must:
– Configure AAA support
– Create an authentication proxy rule
– Apply the rule to an interface
