Ip auth-proxy
Can somebody explain to me the meaning of the following commands in the link given below?
1) aaa authentication login default local group RTP none
In this command the default is local; will it prompt the user for TACACS first?
2) ip auth-proxy name list_a http and ip auth-proxy list_a
What is the meaning of putting in these commands?
3) access-list 116 permit tcp host 40.31.1.47 host 40.31.1.150 eq www
Why is this access-list required?
4) There is no access-list from host to webserver??
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094655.shtml
1> This command will first try to authenticate using the local database (username john password 0 doe); if that returns an error (if you don't set any username, I believe) it will try the TACACS server.
2> ip auth-proxy name list_a http
This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list (ACL), providing control over which hosts use the authentication proxy.
Because an access list is not specified in the rule, all connection-initiating HTTP traffic is subjected to authentication.
ip auth-proxy list_a
The rule is applied to an interface on a router using this command.
3> ACL 116 is blocking traffic from the host 10.31.1.47 to other webservers (it only allows it to talk with the router).
After authenticating, new lines will be added to the front of the ACL and then it will be allowed to talk to the webserver.
HTH,
rate this post if it does,
vlad
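As an added illustration (not part of this thread and not Cisco code), here is a small Python model of the ACL behaviour described in the answer above: the interface ACL is evaluated first-match with an implicit deny at the end, the static entry only lets the host reach the router's web server (the login page), and a successful auth-proxy login inserts the user's proxyacl entries at the front of the ACL with a source of "any" bound to the authenticated host, as the VPN post later in this thread also describes. The proxyacl entries are the ones from Eduardo's ACS profile further down (deny telnet to the router, then permit everything); the `InterfaceAcl` class, the host and web-server addresses (10.10.10.20, 10.10.10.21, 203.0.113.10) and the packet dicts are constructed for the example.

```python
"""Added model (not Cisco's code) of the ACL behaviour described in the answer above:
entries are evaluated first-match with an implicit deny at the end, and a successful
auth-proxy login inserts the user's proxyacl entries at the front of the interface
ACL, bound to the authenticated host.  Hosts, prefixes and packets are constructed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-list entry; src/dst are "any", a host/32 or a CIDR prefix."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches everything; else "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port (tcp/udp); None means any port


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: dict) -> bool:
    """Match one entry against a packet given as {"proto", "src", "dst", "dport"}."""
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if not (_addr_match(ace.src, pkt["src"]) and _addr_match(ace.dst, pkt["dst"])):
        return False
    return ace.dport is None or ace.dport == pkt.get("dport")


class InterfaceAcl:
    """Inbound ACL on the auth-proxy interface: static entries plus, per
    authenticated host, the dynamic entries auth-proxy adds at the front."""

    def __init__(self, static: List[Ace]):
        self.static = list(static)
        self.sessions: Dict[str, List[Ace]] = {}   # host -> its dynamic entries

    def evaluate(self, pkt: dict) -> str:
        dynamic = [a for entries in self.sessions.values() for a in entries]
        for ace in dynamic + self.static:           # first match wins
            if ace_matches(ace, pkt):
                return ace.action
        return "deny"                               # implicit deny at the end

    def auth_proxy_login(self, host: str, proxyacl: List[Ace]) -> None:
        """Successful login: copy the AAA profile's proxyacl entries in profile
        order, replacing a source of 'any' with the authenticated host."""
        self.sessions[host] = [replace(a, src=f"{host}/32") if a.src == "any" else a
                               for a in proxyacl]

    def session_timeout(self, host: str) -> None:
        """Absolute or inactivity timeout: the host's dynamic entries are removed
        and its traffic is again judged by the static entries only."""
        self.sessions.pop(host, None)


def demo() -> Dict[str, str]:
    """Walk one host through login, browsing, a telnet attempt and timeout.
    The static ACL mirrors the thread's ACL 116 (host may reach only the router's
    web server, which serves the login page); the proxyacl mirrors the ACS
    profile quoted later in this thread (no telnet to the router, else permit)."""
    router, host, other, web = "10.10.10.1", "10.10.10.20", "10.10.10.21", "203.0.113.10"
    acl = InterfaceAcl([Ace("permit", "tcp", f"{host}/32", f"{router}/32", 80)])
    proxyacl = [
        Ace("deny", "tcp", "any", f"{router}/32", 23),
        Ace("permit", "ip", "any", "any"),
        Ace("permit", "icmp", "any", "any"),   # never reached: shadowed by permit ip any any
    ]
    login = {"proto": "tcp", "src": host, "dst": router, "dport": 80}
    browse = {"proto": "tcp", "src": host, "dst": web, "dport": 80}
    telnet = {"proto": "tcp", "src": host, "dst": router, "dport": 23}
    unauth = {"proto": "tcp", "src": other, "dst": web, "dport": 80}

    result = {"login_page": acl.evaluate(login), "web_before": acl.evaluate(browse)}
    acl.auth_proxy_login(host, proxyacl)
    result["web_after"] = acl.evaluate(browse)
    result["telnet_after"] = acl.evaluate(telnet)
    result["other_host"] = acl.evaluate(unauth)
    acl.session_timeout(host)
    result["web_after_timeout"] = acl.evaluate(browse)
    return result


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The point to take from the walk-through is the ordering: the static ACL never has to permit the web server, because the host-bound entries inserted on login are consulted first, and a second host on the same interface stays blocked until it authenticates itself. The third proxyacl line (permit icmp any any) is shadowed by the permit ip any any before it, which is worth knowing when reading ACS profiles like the one quoted in this thread.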
Similar Messages
-
Ip auth-proxy form action is always IP address for HTTPS?
I am trying to set up an ip auth-proxy on a 1840.
It works, but results in https certificate error, as the authentication form is always submitted back to router using IP address in URL and not domain name that is in the certificate.
... <form method="post" action="https://10.10.10.11:443" target="pxywindow1"> ...
Is there a way to make router send the form with domain name or at least relative URL and not IP address?
With this certificate error, the feature cannot be possibly used in production environment.
Thanks!
Sergey
Figured it out: I had not put in a default aaa authentication login default tacacs+ command. I didn't think it was necessary. I was wrong.
-
ACS-Auth-proxy Security misconfig
Hi,
I have an issue with ACS and authentication proxy. It turns out that I want users to have only one session at a given time, but the ACS is allowing more than one session per user.
Imagine the following sequence of events:
1) user A logs in ok
2) another user A tries to log in and is correctly blocked
3) user B logs in ok
4) another user B tries to log in and is correctly blocked
5) If at this point another user A tries to log in, it is not blocked
and I have the same user A account logged in twice.
At this point, I can log in another user B without problem, resulting in two accounts connected for user B, which is not what I want.
The router config is attached.
On the ACS Server, I have the User max session set to 1, and the auth-proxy priv-lvl is as follows:
priv-lvl=15
proxyacl#1=deny tcp any host 10.10.10.1 eq telnet ! this is to prevent users from telnetting into the rtr.
proxyacl#2=permit ip any any
proxyacl#3=permit icmp any any
Any help you can provide, will be greatly appreciated.
Regards,
Eduardo
Thanks for your reply, Darran.
Yes, I have lines for accounting for things that I do not even plan to use, just to be on the safe side:
aaa new-model
aaa group server tacacs+ Oasis
server 10.10.10.5
aaa authentication login default group Oasis none
aaa authorization exec default group Oasis none
aaa authorization commands 15 default group Oasis none
aaa authorization auth-proxy default group Oasis local
aaa accounting send stop-record authentication failure
aaa accounting auth-proxy default start-stop group Oasis
aaa accounting commands 15 default start-stop group Oasis
aaa accounting network default start-stop group Oasis
aaa accounting system default start-stop group tacacs+ group Oasis
aaa accounting resource default start-stop group Oasis
aaa session-id common
ip dhcp relay information trust-all
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp pool Oasis_dhcp
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
lease infinite
update arp
ip auth-proxy auth-proxy-banner http
ip auth-proxy auth-proxy-audit
ip auth-proxy name acceso http inactivity-time 60
ip admission auth-proxy-banner http
ip admission auth-proxy-audit
ip name-server xxx.xxx.xxx.xxx
interface Vlan1
description Switch Ethernet 4Ptos 10-100
ip dhcp relay information trusted
ip dhcp client update dns
ip address 10.10.10.1 255.255.255.0
ip access-group 150 in
ip auth-proxy acceso
ip http server
ip http authentication aaa
no ip http secure-server
ip nat inside source list 20 interface Dialer1 overload
Also, on the ACS, I have the Max sessions set to 1, but on the acs reports, I do not see any port re-used message.
I have a lab with 4 PCs and the ACS server (Win2003, standard).
Again, thanks for your interest.
Eduardo
-
Hi, everyone
I have a puzzle with the ASA auth-proxy authentication timeout. I want to achieve an inactivity timeout, that is, while there is traffic between client and host through the ASA after the user has authenticated, the cache timeout timer does not run; when the traffic ends, the cache timeout timer runs again.
But when I configure the ASA 7.0, I found that if I have configured the ASA timeout timer as absolute with the following command:
timeout uauth 0:05:00 absolute
I cannot change the timer to inactivity,
but can change it to as below:
timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
What is its meaning?
And can the user authentication timer be changed to inactivity?
Many thanks
Use the timeout uauth absolute & inactivity values locally.
Try the bug CSCsg52108
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/t_711.html#wp1318629
-
Platform: 881W
IOS: C880-DATA-UNIVERSALK9-M 15.0(1)M3
License: I have tried both advsecurity and advipservices
Problem: Configuring an auth-proxy redirect on successful authentication
Cisco's documentation states that when you are configuring auth-proxy, you may specify a url in which the clients will be redirected to when successfully authenticated. The command is:
ip admission proxy http success redirect <url-string>
However, the command does not seem to exist on many of the later IOS versions. I am also unable to find any documentation with alternate methods of sending a redirection to the client after a successful authentication. Is this command deprecated? Is there a more efficient method of redirecting?
Documentation I am using:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swwebauth.html#wp1103789
Thank you,
Dan
Hello,
Can anyone here help me call a URL that has an image into my consent page?
I have an HTML page in the flash of the router called consent_page.html. Here are two different methods I am using to attempt to get the logo to show up in the consent page. Any ideas how to make this part work? Everything else works.
<a href="http://www.officemax.com"><img SRC="/logo.gif" ALT="Company" WIDTH=246 HEIGHT=48></a>
<a href="http://www.officemax.com"><img SRC="http://www.officemax.com/images//header/logo.png" ALT="OfficeMax" WIDTH=246 HEIGHT=48></a>
Warning!
The web site you have tried to access may not conform to the company's Acceptable Usage Policy
If you want to continue to this website click the "Accept" button below to proceed which will give you temporary access to this website. Please note that all web access is monitored.
Free Internet Hotspot
Terms of Service Agreement
Company provides free Internet access under the condition that you agree to abide by the restrictions below.
Responsibility of Use
You are responsible for all content distributed, accessed, or viewed while connected to this service. Company is not liable for your actions while using this service.
Limitation of Liability
Company is not liable for any damages which result from your use of this service.
-
Hi,
I need to allow and deny some users going to the Internet, but I want to allow/deny only for http traffic.
For example I don't want any user to have to authenticate if they want to use ftp.
Is it possible with the auth-proxy? If yes, any configuration example?
In the example I saw, the user had to authenticate to then allow his computer to send any packet to the Internet.
Thanks for your help.
Cheers Gael
Auth-proxy will authenticate the user only via HTTP, before they can send ANY traffic out. Going by your description this is not what you want.
Lock-and-Key might be more what you want. See here for details:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm
You could define an ACL to the inside interface allowing everything EXCEPT HTTP/HTTPS. Users doing FTP can just go straight out as normal then. Then define dynamic entries to this ACL that allow all traffic. For anyone to go out with HTTP/HTTPS they'd have to telnet to the router first, put in their login credentials, then they can browse out. Something like the following should work for you:
interface ethernet0
description Inside interface
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0 4
login local
autocommand access-enable host timeout 5
It takes a bit of user education in that they will have to be told how to use this (first telnet to the router at 10.1.1.1, login, then you can use HTTP traffic outbound), but should give you what you want.
-
Is it possible to authenticate to proxy-auth automatically?
Hello,
We got a customer who wants to allow some users (around 10) to access the Internet and some not.
So I was thinking auth-proxy may be the good solution.
But is it possible to make a script (any config example?) which will allow the permitted users to access the Internet without having to care about or see this security level (so without having to give a username and a password)?
For information, we are using DHCP and roaming profiles.
Any Ideas?
Many thanks in advance
Gael
As far as I know, you cannot do this
-
Configuring AAA to include local auth for Console connections
Recently realized, during a maintenance window, that my AAA configurations are not set to use local authentication if the AAA server is unavailable. Could use a little help in making sure I have the correct setup. Below is what I have configured today:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host x.x.x.x
tacacs-server timeout 120
tacacs-server directed-request
tacacs-server key <key>
Would I add that as a separate line, or to the current one? Examples:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization console
OR
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ console
aaa accounting commands 15 default start-stop group tacacs+
-
Web-Proxy(cut-through) without ACS on 55xx
Is it possible? All I have read about it requires an external server.
I think that is a limitation of IOS Auth-Proxy and not ASA/PIX Cut-Through.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfauthp.htm#wp1001164
However AFAIK you can only authenticate using the local password database and not authorize using it (for CUT-THROUGH). Have a look at this table:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1069492
Please rate if helpful.
Regards
Farrukh
-
Wireless Downstream of a Proxy Server (AllegroSurf)
Anyone know how I should go about setting up a wireless setup downstream of my AllegroSurf Proxy Server. Not sure how to get started. Have a new Linksys Router and having difficulty.
Thx,
Chuck
Is Sonic Wall an authenticated proxy?
If so, say goodbye to most apps; many apps either fail silently on connecting or even crash behind authenticated proxies - even when the authentication details are supplied in the wireless config.
I have iPads behind a smoothwall proxy (non-auth) and we have a proxy.pac file on our management server.
This proxy.pac (http://ipad/proxy.pac - set in Auto) directs all iPad traffic to the smoothwall proxy, rather than our default auth proxy.
Smoothwall can insert the authentication, and then direct it to your Sonic Wall
-
Firefox was working perfectly before we updated it to version 30.0. It seems that the new version does not like our proxy setting, which needs users to authenticate with their AD accounts.
In the past version, Firefox would pop up a box that allowed you to type in the username and password, which worked perfectly. However, it does not pop up anymore and gives me this error message.
The following error was encountered:
Cache Access Denied.
Sorry, you are not currently allowed to request:
http://www.google.com.au/url?
from this cache until you have authenticated yourself.
I tried to manually set up the username in the keychain and allow Firefox to access it, but Firefox does not seem to access that keychain at all.
Does anyone have this issue with a proxy that needs authentication in Firefox 30.0? Does anyone know possible solutions?
Many thanks!
Shuopan
------------------------------------trouble shoot update-----------------------------------------
Quite interestingly, Firefox will work for 1 minute after I am using Safari with that Auth proxy. However, if I am not touching Safari for 1 or 2 minutes, Firefox will stop working and pop up the similar error message.
Tried network.http.use-cache = false but it does not work.
Thanks
-
Is IOS FW Proxy Authentication Compatible w/ HTTPS server?
Can proxy authentication be triggered via https as well as http? The document below on auth proxy only mentions http.
But the following document on https shows that https is triggered by adding the secure-server parameter to the end of "ip http": "ip http secure-server". If anyone has tried this out, I would be interested to know the result. Thanks.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00804c3d75.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps1833/products_feature_guide09186a00800d9eee.html
I have tried this and it works. If you specify the "ip http secure-server" command, the "Username/Password" dialogue between the end client and the authenticating agent will be secured. Otherwise the username/password is sent in clear text.
-
Strange problem with cut-through proxy
hi
I have configured cut-through proxy on the router with ACS. I am facing a strange problem.
My router's ethernet 3/0 interface IP address is 10.1.1.1/24, the ACS server is 10.1.1.2/24 and the host IP is 10.1.1.3/24.
My router's e2/0 interface is connected to a server running a website.
int e2/0
no shutdown
ip add 20.1.1.1/24
exit
the webserver is running on 20.1.1.2
my router's config
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa authorization exec default group tacacs+
tacacs-server host 10.1.1.2
tacacs-server key cisco
ip http server
ip http authentication aaa
ip access-list 101 permit tcp host 10.1.1.2 eq tacacs host 10.1.1.1
ip auth-proxy name auth http
int e3/0
no shutdown
ip add 10.1.1.1/24
ip access-group 101 in
ip auth-proxy auth
exit
On the ACS server, in the TACACS+ IOS section,
I have selected auth-proxy in the services for users and groups.
I have created a user john with privilege level 15
and have selected auth-proxy and custom attributes:
proxyacl#1=permit tcp any any priv-lvl=15
I get the auth-proxy login page when the host on 10.1.1.3 is trying to access the 20.1.1.2 web site.
After putting in the login credentials I get authentication failed.
I tried the debug. I see the router is sending the authentication login and password and getting the status from the ACS as pass. I also see the auth-proxy triggered; in there I see
AUTH-PROXY PROTOCOL NOT CONFIGURED.
Could someone please help me with what the problem could be? I have tried many times to get this to work, but not fortunate enough.
Am I missing any commands on the router or on the ACS? I tried doing as the example mentioned in the student guide but still failed. Please help. Waiting for some reply.
sebastan
Check out the following link...
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html
-
Firefox does not redirect users to web auth page
I have a client that uses web auth for the guest wireless. When a user opens up FF, it does not automatically redirect them to the web auth page. However, IE and Chrome work fine. If you copy and paste the redirection page into FF, it will go to the page then. The only two possible solutions I have found are to either enable web auth proxy or regenerate the WLC self-signed cert.
Anyone have any other ideas?
TIA,
Dan
I've been trying to figure out a very similar issue where Firefox wouldn't open the guest webpage (the connection was interrupted) and finally found it was caused by opening Yahoo as my startup page. I changed it to Google, for example, and it comes up every time now. When set to Yahoo I could clear my cache and it would work once but then wouldn't work again. If I load Yahoo as the startup page in IE it works every time. Very strange.
Here's what the debug looks like:
*webauthRedirect: Jul 23 20:59:33.793: xx:xx:xx:xx:xx:xx- received connection
*webauthRedirect: Jul 23 20:59:33.794: xx:xx:xx:xx:xx:xx- received connection
*webauthRedirect: Jul 23 20:59:33.795: xx:xx:xx:xx:xx:xx- received request
*webauthRedirect: Jul 23 20:59:33.803: xx:xx:xx:xx:xx:xx- received connection
*webauthRedirect: Jul 23 20:59:33.803: xx:xx:xx:xx:xx:xx- received request
*webauthRedirect: Jul 23 20:59:33.806: xx:xx:xx:xx:xx:xx- received connection
*webauthRedirect: Jul 23 20:59:33.807: xx:xx:xx:xx:xx:xx- received request
*webauthRedirect: Jul 23 20:59:33.810: xx:xx:xx:xx:xx:xx- received connection
-
Customizing Authentication Proxy
We want to use auth-proxy on a Cisco 836 with IOS 12T3 in order to provide WLAN access as if in an airport lounge or a hotel. The login page sent to the browser is to be customized with regard to look and feel. I've been able to do that with "ip auth-proxy banner file flash://login.html" and "ip admission auth-proxy banner file flash://login.html", but the actual FORM is created on the fly by the router with a hidden time form element. Can you give us details on how the HTML form can be customized with regard to the individual fields on the form?
I have read that guide before, but it says it that auth proxy works with vpn and that
If a VPN client initiates an HTTP connection, the authentication proxy first checks for prior client authentication. If the client is authenticated, authorized traffic is permitted. If the client is not authenticated, the HTTP request triggers the authentication proxy, and the user is prompted for a username and password.
If the user authentication is successful, the authentication proxy retrieves the user profile from the AAA server. The source address in the user profile entries is replaced with the IP address of the authenticated VPN client from the decrypted packet.
The only way I could make an impact with auth proxy on the VPN behaviour was when I configured a split-tunnel rule for the VPN client which only sends traffic to a non-existent internal network via the VPN tunnel. Only then would auth-proxy insert additional rules that allow access to more destinations.
As VPN without split-tunnel already allows access to all destinations I don't see how auth-proxy can make a difference.
Doro