Saturday, January 30, 2010

Auth-proxy on Cisco IOS

Here's a simple lab to test a basic auth-proxy configuration on IOS.
The goal is to get auth-proxy configured on R1 so that when the client tries to open an HTTP session to the web server (10.0.0.111, which also happens to be the AAA/ACS server in my scenario) he has to authenticate before he can reach the server. As in the CCIE Security lab, I won't cover the basic connectivity configuration.

Here's a breakdown of the tasks we have to do in order to accomplish this:
1- Configure AAA on the router, and make the required configurations on the ACS
2- Configure http server on the router
3- Configure auth-proxy
4- Apply auth proxy to the interface

Now let's go about it point by point:

1- AAA

For auth-proxy to work the router must download an auth-proxy ACL from the ACS server. For this to work with ACS and TACACS+ you have to enable the TACACS+ (Cisco IOS) interface configuration and add a new service to it, named auth-proxy, as shown in the picture below:

After configuring the interface, configure the group you will use for auth-proxy with custom attributes for the auth-proxy service. Those attributes are the ACL entries (plus the privilege level) that the router receives when a user authenticates successfully for the auth-proxy service:
Now that the ACS side is configured (I'm skipping the basics such as adding the router as an AAA client with its key, and creating users), let's move on to the router.
R1(config)# aaa new-model
R1(config)# tacacs-server host 10.0.0.111 key 1234
R1(config)# aaa authentication login default group tacacs+

Take care not to lock yourself out :-) The default login method list applies to console and vty logins as well and has no local fallback, so keep your current session open until you have confirmed that TACACS+ authentication works.

2- Configure http server on the router

R1(config)# ip http server
R1(config)# ip http authentication aaa
R1(config)# ip http access-class 10

In my case I just configured ACL 10 to permit any host.

3- Configure auth-proxy

R1(config)# ip auth-proxy auth-cache-time 2
R1(config)# ip auth-proxy name teste_auth http

I set the inactivity timer to 2 minutes.
4- Apply auth proxy to the interface

R1(config)# int fastEthernet 1/0
R1(config-if)# ip auth-proxy teste_auth
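Putting the four steps together, here is the complete R1 side as one configuration block. This is an added example written for this page, not the original post's own output: it repeats the commands from the steps above and adds two things a working auth-proxy lab needs that the step-by-step text does not list, the auth-proxy authorization method list (without it the router never requests the proxyacl entries from ACS) and an inbound ACL on the client-facing interface into which the downloaded entries are inserted. The ACS attribute names are the standard ones for this feature; the ACL number 110, the use of the default method lists and the interface are assumptions matching the lab as described.

```cisco
! --- ACS side (Group Setup, TACACS+ custom service "auth-proxy") ---
! These attributes are what the router downloads after a successful login.
! The source "any" is rewritten by the router to the authenticated client's IP.
!   priv-lvl=15
!   proxyacl#1=permit tcp any host 10.0.0.111 eq www
!
! --- R1 ---
! 1- AAA. The authorization line is required for auth-proxy and is not in the
!    step-by-step text above. Keep an existing session open while testing so a
!    TACACS+ failure cannot lock you out of the console/vty.
aaa new-model
tacacs-server host 10.0.0.111 key 1234
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
!
! 2- HTTP server, authenticating through AAA, reachable from any host (ACL 10).
!    The login page the client sees is served by this HTTP server.
access-list 10 permit any
ip http server
ip http authentication aaa
ip http access-class 10
!
! 3- The auth-proxy rule: intercept HTTP, idle timeout 2 minutes
ip auth-proxy auth-cache-time 2
ip auth-proxy name teste_auth http
!
! 4- Client-facing interface. The inbound ACL (assumed number 110) blocks the
!    client until he authenticates; auth-proxy then inserts the downloaded
!    proxyacl entries for that client's IP ahead of the deny. With no ACL
!    (or a permit-all) nothing is ever blocked, so there is nothing to open.
!    Anything the clients need before login (DNS, for example) must be
!    permitted here explicitly; this lab only needs HTTP to 10.0.0.111.
access-list 110 deny ip any any
interface FastEthernet1/0
 ip access-group 110 in
 ip auth-proxy teste_auth
!
! Verification after the client has logged in through the browser prompt:
!   show ip auth-proxy cache        one entry per authenticated client IP
!   show ip access-lists 110        dynamic permit entries above the deny
!   clear ip auth-proxy cache *     remove the entries and force re-authentication
```

The cache entry is removed after 2 minutes without traffic (the auth-cache-time set in step 3), and with it the dynamic ACL entries, so the client is prompted again on the next HTTP request.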

And now let's test it:



And we're done!

For more resources on auth proxy look at:
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/iosfw2_1.html
http://www.wr-mem.com/?p=111
