Ip auth-proxy

Can somebody explain to me the meaning of the following commands in the link given below?
1) aaa authentication login default local group RTP none
In this command the default is local; will it prompt the user for TACACS first?
2) ip auth-proxy name list_a http and ip auth-proxy list_a
What is the meaning of putting these commands in?
3) access-list 116 permit tcp host 40.31.1.47 host 40.31.1.150 eq www
Why is this access-list required?
4) There is no access-list from the host to the webserver??
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094655.shtml

1> This command will try first to authenticate using a local database (username john password 0 doe); if it returns an error (if you don't set any username, I believe) it will try the TACACS server.
2>ip auth-proxy name list_a http
This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list (ACL), providing control over which hosts use the authentication proxy.
Because an access list is not specified in the rule, all connection-initiating HTTP traffic is subjected to authentication.
ip auth-proxy list_a
The rule is applied to an interface on a router using this command
3>
ACL 116 is blocking traffic from the host 10.31.1.47 to other webservers (it only allows it to talk with the router).
After authenticating, new lines will be added to the front of the ACL and then it will be allowed to talk to the webserver.
HTH,
rate this post if it does,
vlad
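As an added model of what Vlad describes (this is not code from the thread or from the Cisco example): first-match evaluation of ACL 116, then the per-user entries auth-proxy inserts in front of it after a successful login, with "any" as source rewritten to the authenticated host. The web-server and second-host addresses and the proxyacl profile are constructed, and IOS details such as wildcard masks are simplified.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

def _covers(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

@dataclass(frozen=True)
class Ace:
    """Simplified IOS ACE: proto 'ip' matches all; dport checked only when set."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp"
    src: str                    # "any" or host/CIDR such as "10.31.1.47/32"
    dst: str
    dport: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not (_covers(self.src, src) and _covers(self.dst, dst)):
            return False
        return self.dport is None or self.dport == dport

@dataclass
class InterfaceAcl:
    """Inbound ACL on the auth-proxy interface. `dynamic` holds the entries
    auth-proxy prepends after a login; first match wins, else implicit deny."""
    static: List[Ace]
    dynamic: List[Ace] = field(default_factory=list)

    def evaluate(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
        for ace in self.dynamic + self.static:
            if ace.matches(proto, src, dst, dport):
                return ace.action
        return "deny"  # implicit deny at the end of every IOS ACL

    def auth_proxy_login(self, host: str, proxyacl: List[Ace]) -> None:
        """Install the user's proxyacl#n entries. 'any' as source is replaced
        by the authenticated host, so nothing opens up for other hosts."""
        for ace in proxyacl:
            self.dynamic.append(replace(ace, src=host if ace.src == "any" else ace.src))

ROUTER = "10.31.1.150"   # router interface and client from the thread's ACL 116
HOST = "10.31.1.47"
WEB = "10.31.1.200"      # constructed: web server behind the router
OTHER = "10.31.1.48"     # constructed: a host that never logged in

# Constructed profile in the style of the ACS thread: deny telnet to the router,
# then permit everything (proxyacl#3 is shadowed by #2 and never matches).
PROXYACL = [
    Ace("deny", "tcp", "any", ROUTER + "/32", 23),   # proxyacl#1
    Ace("permit", "ip", "any", "any"),               # proxyacl#2
    Ace("permit", "icmp", "any", "any"),             # proxyacl#3
]

def run_scenario() -> dict:
    # access-list 116 permit tcp host 10.31.1.47 host 10.31.1.150 eq www
    acl = InterfaceAcl(static=[Ace("permit", "tcp", HOST + "/32", ROUTER + "/32", 80)])
    out = {"http_to_router_before": acl.evaluate("tcp", HOST, ROUTER, 80),  # login page
           "http_to_web_before": acl.evaluate("tcp", HOST, WEB, 80)}        # blocked
    acl.auth_proxy_login(HOST, PROXYACL)
    out["http_to_web_after"] = acl.evaluate("tcp", HOST, WEB, 80)          # now permit
    out["telnet_to_router_after"] = acl.evaluate("tcp", HOST, ROUTER, 23)  # #1 first
    out["other_host_after"] = acl.evaluate("tcp", OTHER, WEB, 80)          # still deny
    out["ping_after"] = acl.evaluate("icmp", HOST, WEB)                    # via #2
    return out

if __name__ == "__main__":
    print(run_scenario())
```

The ordering of the downloaded entries matters as much as the static list: a deny placed after a permit ip any any would never match.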

Similar Messages

  • Ip auth-proxy form action is always IP address for HTTPS?

    I am trying to set up an ip auth-proxy on a 1840.
    It works, but results in https certificate error, as the authentication form is always submitted back to router using IP address in URL and not domain name that is in the certificate.
    ... <form method="post" action="https://10.10.10.11:443" target="pxywindow1"> ...
    Is there a way to make router send the form with domain name or at least relative URL and not IP address?
    With this certificate error, the feature cannot be possibly used in production environment.
    Thanks!
    Sergey

    Figured it out: I had not put in a default aaa authentication login default tacacs+ command. I didn't think it was necessary. I was wrong.

  • ACS-Auth-proxy Security misconfig

    Hi,
    I have an issue with ACS and authentication proxy. It turns out that I want users to have only one session at a given time, but the ACS is allowing more than one session per user.
    Imagine the following sequence of events:
    1) user A logs in ok
    2) another user A tries to log in and is correctly blocked
    3) user B logs in ok
    4) another user B tries to log in and is correctly blocked
    5) If at this point another user A tries to log in, it is not blocked
    and I have the same user A account logged in twice.
    At this point, I can log in another user B without problem, resulting in two accounts connected for user B, which is not what I want.
    The router config is attached.
    On the ACS Server, I have the User max session set to 1, and the auth-proxy priv-lvl is as follows:
    priv-lvl=15
    proxyacl#1=deny tcp any host 10.10.10.1 eq telnet ! this is to prevent users from telnetting into the rtr.
    proxyacl#2=permit ip any any
    proxyacl#3=permit icmp any any
    Any help you can provide, will be greatly appreciated.
    Regards,
    Eduardo

    Thanks for your reply, Darran.
    Yes, I have lines for accounting for things that I do not even plan to use, just to be on the safe side:
    aaa new-model
    aaa group server tacacs+ Oasis
     server 10.10.10.5
    aaa authentication login default group Oasis none
    aaa authorization exec default group Oasis none
    aaa authorization commands 15 default group Oasis none
    aaa authorization auth-proxy default group Oasis local
    aaa accounting send stop-record authentication failure
    aaa accounting auth-proxy default start-stop group Oasis
    aaa accounting commands 15 default start-stop group Oasis
    aaa accounting network default start-stop group Oasis
    aaa accounting system default start-stop group tacacs+ group Oasis
    aaa accounting resource default start-stop group Oasis
    aaa session-id common
    ip dhcp relay information trust-all
    ip dhcp excluded-address 10.10.10.1 10.10.10.10
    ip dhcp pool Oasis_dhcp
     import all
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.1
     dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
     lease infinite
     update arp
    ip auth-proxy auth-proxy-banner http
    ip auth-proxy auth-proxy-audit
    ip auth-proxy name acceso http inactivity-time 60
    ip admission auth-proxy-banner http
    ip admission auth-proxy-audit
    ip name-server xxx.xxx.xxx.xxx
    interface Vlan1
     description Switch Ethernet 4Ptos 10-100
     ip dhcp relay information trusted
     ip dhcp client update dns
     ip address 10.10.10.1 255.255.255.0
     ip access-group 150 in
     ip auth-proxy acceso
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip nat inside source list 20 interface Dialer1 overload
    Also, on the ACS, I have the Max sessions set to 1, but on the acs reports, I do not see any port re-used message.
    I have a lab with 4 PCs and the ACS server (Win2003, standard).
    Again, thanks for your interest.
    Eduardo

  • ASA auth-proxy timeout

    Hi, everyone
    I have a puzzle with the ASA auth-proxy authentication timeout. I want to achieve an inactivity timeout, that is, when there is traffic between the client and the host through the ASA after the user has authenticated, the cache timeout timer does not run; when the traffic ends, the cache timeout timer runs again.
    But when I configure the ASA 7.0, I found that if I have configured the ASA timeout timer as absolute with the following command:
    timeout uauth 0:05:00 absolute
    I cannot change the timer to inactivity,
    but it can be changed to the following:
    timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
    What is its meaning?
    And can the user authentication timer be changed to inactivity?
    Many thanks

    Use the timeout uauth absolute & inactivity values locally.
    Try the bug CSCsg52108
    http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/t_711.html#wp1318629

  • Ip admission auth-proxy

    Platform:  881W
    IOS: C880-DATA-UNIVERSALK9-M 15.0(1)M3
    License:  I have tried both advsecurity and advipservices
    Problem:  Configuring an auth-proxy redirect on successful authentication
    Cisco's documentation states that when you are configuring auth-proxy, you may specify a url in which the clients will be redirected to when successfully authenticated.  The command is:
    ip admission proxy http success redirect <url-string>
    However, the command does not seem to exist on many of the later IOS versions.  I am also unable to find any documentation with alternate methods of sending a redirection to the client after a successful authentication.  Is this command deprecated?  Is there a more efficient method of redirecting?
    Documentation I am using:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swwebauth.html#wp1103789
    Thank you,
    Dan

    Hello,
    Can anyone here help me call a URL that has an image into my consent page?
    I have an HTML page in the flash of the router called consent_page.html. Here are two different methods I am using to attempt to get the logo to show up in the consent page. Any ideas how to make this part work? Everything else works.
    <A HREF="http://www.officemax.com"><IMG SRC="/logo.gif" ALT="Company" WIDTH=246 HEIGHT=48></A>
    <A HREF="http://www.officemax.com"><IMG SRC="http://www.officemax.com/images//header/logo.png" ALT="OfficeMax" WIDTH=246 HEIGHT=48></A>
    Warning!
    The web site you have tried to access may not conform to the company's Acceptable Usage Policy
    If you want to continue to this website click the "Accept" button below to proceed which will give you temporary access to this website. Please note that all web access is monitored.
    Free Internet Hotspot
    Terms of Service Agreement
    Company provides free Internet access under the condition that you agree to abide by the restrictions below.
    Responsibility of Use
    You are responsible for all content distributed, accessed, or viewed while connected to this service. Company is not liable for your actions while using this service.
    Limitation of Liability
    Company is not liable for any damages which result from your use of this service.

  • Newbie with auth-proxy

    Hi,
    I need to allow and deny some users going to the Internet, but I want to allow/deny only for HTTP traffic.
    For example, I don't want any user to have to authenticate if they want to use FTP.
    Is it possible with the auth-proxy? If yes, any configuration example?
    In the example I saw, the user had to authenticate to then allow his computer to send any packet to the Internet.
    Thanks for your help.
    Cheers Gael

    Auth-proxy will authenticate the user only via HTTP, before they can send ANY traffic out. Going by your description this is not what you want.
    Lock-and-Key might be more what you want. See here for details:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm
    You could define an ACL to the inside interface allowing everything EXCEPT HTTP/HTTPS. Users doing FTP can just go straight out as normal then. Then define dynamic entries to this ACL that allow all traffic. For anyone to go out with HTTP/HTTPS they'd have to telnet to the router first, put in their login credentials, then they can browse out. Something like the following should work for you:
    interface ethernet0
     description Inside interface
     ip address 10.1.1.1 255.255.255.0
     ip access-group 101 in
    access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 80
    access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 443
    access-list 101 permit ip 10.1.1.0 0.0.0.255 any
    access-list 101 dynamic mytestlist timeout 120 permit ip any any
    line vty 0 4
     login local
     autocommand access-enable host timeout 5
    It takes a bit of user education in that they will have to be told how to use this (first telnet to the router at 10.1.1.1, login, then you can use HTTP traffic outbound), but should give you what you want.

  • Is it possible to authenticate to proxy-auth automatically?

    Hello,
    We have a customer who wants to allow some users (around 10) to access the Internet and some not.
    So I was thinking auth-proxy may be a good solution.
    But is it possible to make a script (any config example?) that will allow the permitted users to access the Internet without having to care about or see this security level (so without having to give a username and a password)?
    For information, we are using DHCP and roaming profiles.
    Any ideas?
    Many thanks in advance
    Gael

    As far as I know, you cannot do this

  • Configuring AAA to include local auth for Console connections

    Recently realized, during a maintenance window, that my AAA configurations are not set to use local authentication if the AAA server is unavailable. Could use a little help in making sure I have the correct setup. Below is what I have configured today:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ 
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host x.x.x.x
    tacacs-server timeout 120
    tacacs-server directed-request
    tacacs-server key <key>

    Would I add that as a separate line, or to the current one? Examples:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ 
    aaa accounting commands 15 default start-stop group tacacs+
    aaa authorization console
        OR
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ console
    aaa accounting commands 15 default start-stop group tacacs+

  • Web-Proxy(cut-through) without ACS on 55xx

    Is it possible? All I have read about it requires an external server.

    I think that is a limitation of IOS Auth-Proxy and not ASA/PIX Cut-Through.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfauthp.htm#wp1001164
    However AFAIK you can only authenticate using the local password database and not authorize using it (for CUT-THROUGH). Have a look at this table:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1069492
    Please rate if helpful.
    Regards
    Farrukh

  • Wireless Downstream of a Proxy Server (AllegroSurf)

    Anyone know how I should go about setting up a wireless setup downstream of my AllegroSurf Proxy Server. Not sure how to get started. Have a new Linksys Router and having difficulty.
    Thx,
    Chuck

    Is Sonic Wall an authenticated proxy?  
    If so, say goodbye to most apps; many apps either fail silently on connecting or even crash behind authenticated proxies, even when the authentication details are supplied in the wireless config.
    I have iPads behind a Smoothwall proxy (non-auth) and we have a proxy.pac file on our management server.
    This proxy.pac (http://ipad/proxy.pac, set in Auto) directs all iPad traffic to the Smoothwall proxy, rather than our default auth proxy.
    Smoothwall can insert the authentication, and then direct it to your Sonic Wall.

  • Firefox MAC v30 with proxy needs authenticate: "Cache Access Denied" sorry, you are not currently allowed to request: from this cache until you have authenticated

    Firefox was working perfectly before we updated it to version 30.0. It seems that the new version does not like our proxy setting, which needs users to authenticate with their AD accounts.
    In the previous version, Firefox would pop up a box that allowed you to type in the username and password, which worked perfectly. However, it does not pop up anymore and gives me this error message.
    The following error was encountered:
    Cache Access Denied.
    Sorry, you are not currently allowed to request:
    http://www.google.com.au/url?
    from this cache until you have authenticated yourself.
    I tried to manually set up the username in the keychain and allow Firefox to access it, but Firefox does not seem to access that keychain at all.
    Does anyone have this issue with a proxy that needs authentication in Firefox 30.0? Does anyone know any possible solutions?
    Many thanks!
    Shuopan
    ------------------------------------ troubleshooting update ------------------------------------
    Quite interestingly, Firefox will work for 1 minute after I use Safari with that auth proxy. However, if I do not touch Safari for 1 or 2 minutes, Firefox will stop working and pop up a similar error message.
    Tried network.http.use-cache = false but it did not work.
    Thanks

  • Is IOS FW Proxy Authentication Compatible w/ HTTPS server?

    Can proxy authentication be triggered via https as well as http? The document below on auth proxy only mentions http.
    But the following document on HTTPS shows that HTTPS is enabled by adding the secure-server parameter to the end of "ip http": "ip http secure-server". If anyone has tried this out, I would be interested to know the result. Thanks.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00804c3d75.html
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1833/products_feature_guide09186a00800d9eee.html

    I have tried this and it works. If you specify "ip http secure-server" command, the "Username/Password" dialogue between the end client and the authenticating agent will be secured. Otherwise the username/password is sent in clear text.

  • Strange problem with cut-through proxy

    hi
    I have configured cut-through proxy on the router with ACS. I am facing a strange problem.
    My router's Ethernet 3/0 interface IP address is 10.1.1.1/24, the ACS server is 10.1.1.2/24 and the host IP is 10.1.1.3/24.
    My router's e2/0 interface is connected to a server running a website.
    int e2/0
    no shutdown
    ip add 20.1.1.1/24
    exit
    The webserver is running on 20.1.1.2.
    My router's config:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authorization auth-proxy default group tacacs+
    aaa authorization exec default group tacacs+
    tacacs-server host 10.1.1.2
    tacacs-server key cisco
    ip http server
    ip http authentication aaa
    access-list 101 permit tcp host 10.1.1.2 eq tacacs host 10.1.1.1
    ip auth-proxy name auth http
    int e3/0
    no shutdown
    ip add 10.1.1.1/24
    ip access-group 101 in
    ip auth-proxy auth
    exit
    On the ACS server, in the TACACS+ IOS section,
    I have selected auth-proxy in the services for users and groups.
    I have created a user john with privilege level 15,
    and have selected auth-proxy and custom attributes:
    priv-lvl=15
    proxyacl#1=permit tcp any any
    I get the auth-proxy login page when the host on 10.1.1.3 tries to access the 20.1.1.2 web site.
    After putting in the login credentials I get "authentication failed".
    I tried the debug. I see the router is sending the authentication login and password and getting the status from the ACS as pass. I also see the auth-proxy triggered. In there I see
    AUTH-PROXY PROTOCOL NOT CONFIGURED.
    Could someone please help me with what the problem could be? I have tried many times to get this to work, but have not been fortunate enough.
    Am I missing any commands on the router or on the ACS? I tried doing as the example mentioned in the student guide but it still failed. Please help. Waiting for some reply.
    sebastan

    Check out the following link...
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html

  • Firefox does not redirect users to web auth page

    I have a client that uses web auth for the guest wireless.  When a user opens up FF, it does not automatically redirect them to the web auth page.  However, IE and Chrome work fine.  If you copy and paste the redirection page into FF, it will go to the page then.  The only two possible solutions I have found are to either enable web auth proxy or regenerate the WLC self-signed cert.
    Anyone have any other ideas? 
    TIA,
    Dan

    I've been trying to figure out a very similar issue where Firefox wouldn't open the guest webpage (the connection was interrupted) and finally found it was caused by opening Yahoo as my startup page. I changed it to Google, for example, and it comes up every time now. When set to Yahoo I could clear my cache and it would work once but then wouldn't work again. If I load Yahoo as the startup page in IE it works every time. Very strange.
    Here's what the debug looks like:
    *webauthRedirect: Jul 23 20:59:33.793: xx:xx:xx:xx:xx:xx- received connection
    *webauthRedirect: Jul 23 20:59:33.794: xx:xx:xx:xx:xx:xx- received connection
    *webauthRedirect: Jul 23 20:59:33.795: xx:xx:xx:xx:xx:xx- received request
    *webauthRedirect: Jul 23 20:59:33.803: xx:xx:xx:xx:xx:xx- received connection
    *webauthRedirect: Jul 23 20:59:33.803: xx:xx:xx:xx:xx:xx- received request
    *webauthRedirect: Jul 23 20:59:33.806: xx:xx:xx:xx:xx:xx- received connection
    *webauthRedirect: Jul 23 20:59:33.807: xx:xx:xx:xx:xx:xx- received request
    *webauthRedirect: Jul 23 20:59:33.810: xx:xx:xx:xx:xx:xx- received connection

  • Customizing Authentication Proxy

    We want to use auth-proxy on a Cisco 836 with IOS 12T3 in order to provide WLAN access as if in an airport lounge or a hotel. The login page sent to the browser is to be customized with regard to look and feel. I've been able to do that with "ip auth-proxy banner file flash://login.html" and "ip admission auth-proxy banner file flash://login.html", but the actual FORM is created on the fly by the router with a hidden time form element. Can you give us details on how the HTML form can be customized with regard to the individual fields on the form?

    I have read that guide before, but it says that auth proxy works with VPN and that:
    If a VPN client initiates an HTTP connection, the authentication proxy first checks for prior client authentication. If the client is authenticated, authorized traffic is permitted. If the client is not authenticated, the HTTP request triggers the authentication proxy, and the user is prompted for a username and password.
    If the user authentication is successful, the authentication proxy retrieves the user profile from the AAA server. The source address in the user profile entries is replaced with the IP address of the authenticated VPN client from the decrypted packet.
    The only way I could make an impact with auth proxy on the VPN behaviour was when I configured a split-tunnel rule for the VPN client which only sends traffic to a non-existent internal network via the VPN tunnel. Only then would auth-proxy insert additional rules that allow access to more destinations.
    As VPN without split-tunnel already allows access to all destinations, I don't see how auth-proxy can make a difference.
    Doro