Cisco IOS Authentication Proxy and RADIUS Authorization Profiles

The previous article presented the basic theory behind the Authentication Proxy (Auth-proxy) functionality on Cisco IOS Software. The current post goes one step further, by bringing an example of a simple Authorization Profile that can be passed back to the router after successful authentication.

Figure 1 depicts the reference topology and shows the perspective of the router:

  • Auth-proxy is used to obtain the user credentials
  • The credentials are sent to the RADIUS Server for validation

Sample RADIUS Authorization Profile downloaded after Auth-Proxy

Figure 2, the natural companion of the previous one, brings some valuable information:

  • It illustrates the authorization task (a natural follow-on to authentication). Remember that mere authentication, without differentiating users by means of authorization, is virtually meaningless. In our particular scenario, the downloaded attributes ("proxyacl#") correspond to individual Access Control Entries (ACEs) that have been configured under the user group to which user1 belongs.
  • It highlights the user-to-IP mapping obtained after authentication
  • It shows that the router is aware that Auth-proxy was the feature in charge of downloading the per-user ACEs.

Figure 2: Authorization within Auth-proxy environment

** Notes:

  • In a very similar fashion, the RADIUS server could have sent a Downloadable ACL (DACL) to the router instead of individual ACEs.
  • Many other attributes could also have been passed to the router during the authorization phase.
  • Rigorously speaking, RADIUS does not have a separate authorization process. It simply downloads some sort of authorization profile after successful authentication.
  • The baseline router configuration documented in the previous post works for several Auth-proxy environments. The definition of the RADIUS attributes to be sent to the router takes place on the server side (typically Cisco Secure ACS or, more recently, the Identity Services Engine).
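To make the per-user ACE idea from Figure 2 and the notes above concrete, here is an added example (not code from the original post or from Cisco) that models what the router does with the Auth-proxy authorization profile: it checks for the Cisco AV-pair "auth-proxy:priv-lvl=15", orders the "auth-proxy:proxyacl#n" entries, and rewrites each entry's "any" source to the authenticated host's address. The host IP, the ACEs and the sample profile are constructed values, not the ones in the figures.

```python
# Added example: model how a router turns the Auth-proxy authorization
# profile returned by RADIUS into per-user ACEs. The attribute names follow the
# Cisco AV-pair format; the profile contents and host IP are constructed samples.
import re
from typing import List

PROXYACL_RE = re.compile(r"^auth-proxy:proxyacl#(\d+)=(.+)$")
PRIV_RE = re.compile(r"^auth-proxy:priv-lvl=(\d+)$")

def build_per_user_aces(avpairs: List[str], host_ip: str) -> List[str]:
    """Return the ACEs to install for an authenticated host.

    - priv-lvl=15 must be present, otherwise the profile is rejected (empty list).
    - proxyacl#n entries are applied in numeric order of n.
    - The source of each ACE must be 'any'; it is rewritten to 'host <ip>' so the
      entry only matches traffic from the host that actually authenticated.
    Malformed entries are dropped rather than installed.
    """
    priv_ok = False
    for av in avpairs:
        m = PRIV_RE.match(av)
        if m and m.group(1) == "15":
            priv_ok = True
    if not priv_ok:
        return []
    entries = []
    for av in avpairs:
        m = PROXYACL_RE.match(av)
        if not m:
            continue  # unrelated attribute, ignore
        n, parts = int(m.group(1)), m.group(2).split()
        # expected shape: permit|deny <proto> any <destination ...>
        if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[2] != "any":
            continue
        parts[2:3] = ["host", host_ip]
        entries.append((n, " ".join(parts)))
    return [ace for _, ace in sorted(entries)]

# Constructed sample Access-Accept attributes for a user (not from the post's figure)
SAMPLE_PROFILE = [
    "auth-proxy:priv-lvl=15",
    "auth-proxy:proxyacl#2=permit tcp any host 10.1.1.20 eq 443",
    "auth-proxy:proxyacl#1=permit tcp any host 10.1.1.10 eq 80",
    "auth-proxy:proxyacl#3=permit ip 10.0.0.0 0.255.255.255 any",  # source not 'any': dropped
]

if __name__ == "__main__":
    for ace in build_per_user_aces(SAMPLE_PROFILE, "192.168.1.50"):
        print(ace)
```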
