priv-lvl=15
proxyacl#1=permit icmp any any
proxyacl#2=permit tcp any any eq 80
OR
ACS GUI config: RADIUS downloadable ACL example
auth-proxy:priv-lvl=15
auth-proxy:proxyacl#1=permit icmp any any
Note: the source 'any' keyword changes to the user's IP address after successful user authentication.
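The note above, as an added example that is not part of the original page: a small Python check that parses an auth-proxy profile like the ones shown, lints it, and prints the per-user entries that result once the source 'any' is replaced by the authenticated user's address. The lint rules (priv-lvl of 15, permit-only entries, source 'any') are assumptions modelled on the profile on this page, the function names are hypothetical, and rendering the address as `host <ip>` is an assumption about how the entry is displayed.

```python
import ipaddress
import re

# Constructed sample: av-pairs as they appear in the ACS profile on this page.
SAMPLE_PROFILE = """\
auth-proxy:priv-lvl=15
auth-proxy:proxyacl#1=permit icmp any any
auth-proxy:proxyacl#2=permit tcp any any eq 80
"""

# Accepts both forms shown on the page, with or without the "auth-proxy:" prefix.
AVPAIR = re.compile(r"^(?:auth-proxy:)?(priv-lvl|proxyacl#(\d+))=(.+)$")


def parse_profile(text):
    """Return (priv_lvl, {seq: ace_tokens}) from an auth-proxy av-pair listing."""
    priv_lvl, aces = None, {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = AVPAIR.match(line)
        if not m:
            raise ValueError(f"not an auth-proxy av-pair: {line!r}")
        if m.group(1) == "priv-lvl":
            priv_lvl = int(m.group(3))
        else:
            aces[int(m.group(2))] = m.group(3).split()
    return priv_lvl, aces


def lint(priv_lvl, aces):
    """Lint rules are assumptions modelled on the profile shown on the page."""
    problems = []
    if priv_lvl != 15:
        problems.append(f"priv-lvl is {priv_lvl}, expected 15")
    for seq, ace in sorted(aces.items()):
        if len(ace) < 4 or ace[0] != "permit":
            problems.append(f"proxyacl#{seq}: expected 'permit <proto> any <dst>'")
        elif ace[2] != "any":
            problems.append(f"proxyacl#{seq}: source must be 'any', found {ace[2]!r}")
    return problems


def per_user_aces(aces, user_ip):
    """Rewrite source 'any' to 'host <user_ip>', as the note describes."""
    ip = ipaddress.IPv4Address(user_ip)  # rejects malformed addresses
    return [" ".join(ace[:2] + ["host", str(ip)] + ace[3:])
            for _, ace in sorted(aces.items())]
```

Running `lint()` on a profile before it goes into ACS catches entries with a fixed source or a deny action, which would not translate into a clean per-user entry.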
II. IOS configuration
IOS config: command authorization
aaa new-model
aaa authentication login default group [tacacs|radius] local
aaa authorization auth-proxy default group [tacacs|radius]
aaa accounting auth-proxy default start-stop group [tacacs|radius]
!
ip auth-proxy name AProxy http
!
int fa 0/0
desc Intf to clients
ip auth-proxy AProxy
ip access-group tt in
!
int fa 0/1
desc Intf to ACS, Web
!
access-list 1 deny any
!
ip access-list extended tt
deny ip any any
!
ip http server
ip http authentication aaa
ip http access-class 1
!
radius-server host 1.1.1.1 key cisco
tacacs-server host 1.1.1.1 key cisco