Authentication Proxy: Basic Instrumentation for user-based access control on Cisco IOS software

In a previous article, “Cisco Firewalls and user-based access control“, we revisited the concepts of Authentication, Authorization and Accounting (AAA), and mentioned that both the Cisco ASA and Cisco IOS firewall families can be configured to create connections taking into account some kind of user information.

The current post builds upon that discussion and presents the Authentication Proxy (Auth-proxy) feature, which constitutes the basic instrumentation for user-based features on Cisco IOS routers.

In our particular example, Auth-proxy is triggered by telnet (because it is “a very easy to understand and document” protocol). It is worth noting, though, that Auth-proxy is also supported over FTP, HTTP and HTTPS.

It is relevant to emphasize that Auth-proxy is actually borrowing the authentication capability embedded in one of these application protocols to obtain user credentials and hand them to the RADIUS process. By intercepting a protocol that natively includes authentication, the router can talk to the RADIUS server and receive (for valid users) an Authorization Profile that reflects the user's privileges. The process is summarized in figure 1.

Figure 1: Summary of IOS Authentication Proxy (Auth-Proxy) operation

Figure 2 documents the basic settings to enable Auth-Proxy (these will be deemed “well-known” in upcoming articles). The basic blocks are:

  • Handling of RADIUS Vendor Specific Attributes (VSAs) by the router
  • AAA Server and related AAA services (Authentication, Authorization and Accounting)
  • The Static ACL to be applied to the interface
  • The triggering protocol for Auth-Proxy (telnet in our case)
  • Enabling Auth-Proxy at a given interface (always for incoming packets)

Figure 2: Basic Configuration Steps to enable Auth-Proxy
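Since figure 2 is not reproduced here, the five blocks listed above are shown as one minimal IOS configuration. This is an added example, not the original post's figure: the interface name, the addresses (RFC 5737 documentation range), the shared secret, the ACL name and the Auth-Proxy rule name are all assumptions, and the RADIUS server is assumed to sit on the same user-facing segment so that its replies arrive on the interface where Auth-Proxy is enabled.

```cisco
! Added example: telnet-triggered Auth-Proxy on a Cisco IOS router.
! Names, addresses and the shared secret below are placeholders.
!
! 1) Let the router send/accept RADIUS Vendor Specific Attributes, which is
!    how the Authorization Profile for the user reaches the router
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
radius-server vsa send authentication
radius-server vsa send accounting
!
! 2) AAA server and the three AAA services used by Auth-Proxy.
!    Auth-Proxy authenticates users through the "default" login list;
!    "local" is kept as a fallback so management access survives a RADIUS outage.
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
!
! 3) Static ACL for the interface: permit only what must work before a user
!    has authenticated (here, RADIUS replies from the server) and deny the rest.
!    The per-user entries downloaded from RADIUS are added dynamically on top
!    of this ACL after a successful authentication.
ip access-list extended AUTHPROXY-IN
 permit udp host 192.0.2.10 eq 1812 any
 permit udp host 192.0.2.10 eq 1813 any
 deny   ip any any
!
! 4) Auth-Proxy rule whose triggering protocol is telnet; the cache timer
!    (minutes) bounds how long an idle user entry stays valid
ip auth-proxy name TELNET-USERS telnet
ip auth-proxy auth-cache-time 60
!
! 5) Enable the rule on the user-facing interface (Auth-Proxy always acts on
!    incoming packets) together with the static ACL
interface GigabitEthernet0/0
 description inside (user segment, assumed)
 ip address 192.0.2.1 255.255.255.0
 ip access-group AUTHPROXY-IN in
 ip auth-proxy TELNET-USERS
!
! Verification (exec commands, not configuration):
!   show ip auth-proxy configuration   -> the rule and its triggering protocol
!   show ip auth-proxy cache           -> per-user entries created after login
```

Until a user authenticates, the only traffic the static ACL lets in is the RADIUS exchange, so a user's first telnet attempt is intercepted and answered by the router's own login prompt rather than forwarded. What that user may do afterwards is entirely defined by the Authorization Profile the RADIUS server returns for that account (Cisco AV pairs of the form `auth-proxy:priv-lvl=15` and `auth-proxy:proxyacl#1=permit ...`), which is why the RADIUS side deserves the same review as the router configuration; `show ip auth-proxy cache` is the quickest way to confirm which entries a given login actually produced.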

** Notes

  • When used as a standalone feature, Auth-Proxy is stateless in nature.
  • Auth-Proxy can be rendered stateful when combined with Context Based Access Control (CBAC) or the Cisco Zone-based Policy Firewall (ZFW). In the latter case, we have the so-called user-based Zone Firewall.

** Topics for Study:

  • Play with the other triggering protocols (HTTP, HTTPS, FTP). The user experience for HTTP/HTTPS is very similar to that of Wi-Fi hotspots: after obtaining the user credentials (frequently through a web browser prompt) and correctly authenticating the user, access is granted.
  • Why should HTTPS be a particularly interesting option?
  • Stay tuned: other articles will cover more details about Authorization Profiles.
