The previous article presented the basic theory behind the Authentication Proxy (Auth-proxy) functionality on Cisco IOS Software. The current post goes one step further, by bringing an example of a simple Authorization Profile that can be passed back to the router after successful authentication.
Figure 1 depicts the reference topology and shows the perspective of the router:
- Auth-proxy is used to obtain the user credentials
- The credentials are sent to the RADIUS Server for validation
Figure 2, the natural companion of the previous one, brings some valuable information:
- It illustrates the authorization task (a natural follow-on to authentication). Remember that mere authentication (without differentiating users by means of authorization) is virtually meaningless. In our particular scenario, the attributes downloaded ("proxyacl#") correspond to individual Access Control Entries (ACEs) that have been configured under the user group to which user1 belongs.
- It highlights the user to IP mapping obtained after authentication
- It shows that the router is aware that Auth-proxy was the feature in charge of downloading the per-user ACEs.
- In a very similar fashion, the RADIUS server could have sent a Downloadable ACL (DACL) to the router instead of individual ACEs.
- Actually, many other attributes could have been passed to the router during the authorization phase.
- Rigorously speaking, RADIUS does not have a separate authorization process. It simply downloads some sort of authorization profile after successful authentication.
- The baseline router configuration documented in the previous post works for several Auth-proxy environments. The definition of the RADIUS attributes to be sent to the router takes place on the server side (typically Cisco Secure ACS or, more recently, the Identity Services Engine).
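As an added illustration (not code from this post or from Cisco), here is a small Python routine that does, conceptually, what the router does with the downloaded proxyacl# attributes: it picks the auth-proxy:proxyacl#N Cisco-AVPairs out of an Access-Accept, orders them by index, and binds each ACE to the authenticated host address from the user-to-IP mapping. The AV-pair strings and addresses are constructed; the rule that the source of each entry must be "any" and the substitution of the host address for it are assumptions about router behaviour, not something this post documents.

```python
import re

# Constructed sample: Cisco-AVPair values as they might arrive in a RADIUS
# Access-Accept for user1 (hypothetical, not captured from a real server).
SAMPLE_AVPAIRS = [
    "auth-proxy:priv-lvl=15",
    "auth-proxy:proxyacl#2=permit tcp any host 10.1.1.20 eq 443",
    "auth-proxy:proxyacl#1=permit tcp any host 10.1.1.10 eq 80",
    "auth-proxy:proxyacl#3=permit udp 10.0.0.0 0.0.0.255 any eq 53",  # bad source
    "auth-proxy:proxyacl#2=deny ip any any",                           # duplicate index
    "shell:priv-lvl=15",  # not an auth-proxy attribute; ignored
]

# Only attributes of the form auth-proxy:proxyacl#<n>=<ace> are per-user ACEs.
PROXYACL_RE = re.compile(r"^auth-proxy:proxyacl#(\d+)=(.+)$")


def parse_proxyacl(avpairs, host_ip):
    """Build the per-user ACE list for one authenticated host.

    Returns (aces, rejected): aces is ordered by proxyacl# index with the
    'any' source replaced by the authenticated host (assumed behaviour);
    rejected lists attributes that fail validation together with a reason.
    """
    entries = {}
    rejected = []
    for av in avpairs:
        m = PROXYACL_RE.match(av)
        if not m:
            continue  # priv-lvl, shell:... and other attributes are not ACEs
        idx, ace = int(m.group(1)), m.group(2).strip()
        parts = ace.split(None, 3)  # action, protocol, source, remainder
        if len(parts) < 4 or parts[0] not in ("permit", "deny"):
            rejected.append((av, "malformed ACE"))
            continue
        action, proto, src, rest = parts
        if src != "any":
            rejected.append((av, "source must be 'any'"))
            continue
        if idx in entries:
            rejected.append((av, "duplicate proxyacl index"))
            continue
        entries[idx] = f"{action} {proto} host {host_ip} {rest}"
    return [entries[i] for i in sorted(entries)], rejected


if __name__ == "__main__":
    aces, bad = parse_proxyacl(SAMPLE_AVPAIRS, "192.168.10.5")
    print("\n".join(aces))
    for av, why in bad:
        print(f"rejected: {av} ({why})")
```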
** Related Posts:
- Identity Series: https://alexandremspmoraes.wordpress.com/tag/identity/
- The following article describes the evolution of Identity capabilities on Firewalls: http://wp.me/p1loe7-l2