First, you'll need a Cisco router running Firewall IOS version 12.0.5.T or later (preferably a later version, since the IOS is now up to 12.2). You'll also need one of the RADIUS or TACACS+ servers mentioned earlier running on your network. The router will act as the HTTP proxy connection to the external network (be it the Internet or just a Web server that you want to protect with authentication). The AAA server will provide authentication (by your username and password) and authorisation of what you are allowed to access once you are authenticated, in the form of the access list the server gives to the router. Next, you can configure your router with the proper commands, shown in Listing A.
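A minimal TACACS+-backed authentication proxy configuration of the kind this step describes, as an added example that is not the article's Listing A. The addresses, the interface, ACL number 116, the list name WEBAUTH and the key placeholder are all constructed for illustration.

```cisco
! Added example. Constructed values: 192.0.2.10 (AAA server),
! 10.1.1.0/24 (inside clients), 10.1.1.1 (router inside address),
! list name WEBAUTH, ACL 116, <shared-secret> placeholder.
aaa new-model
! "local" keeps console/VTY logins usable if the AAA server is
! unreachable (requires a local username on the router).
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
!
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret>
!
! The router's HTTP server presents the login prompt and checks
! the submitted credentials against AAA.
ip http server
ip http authentication aaa
!
! Minutes an idle authenticated entry stays in the auth-proxy cache.
ip auth-proxy auth-cache-time 10
ip auth-proxy name WEBAUTH http
!
interface Ethernet0
 description inside (client-facing) interface
 ip address 10.1.1.1 255.255.255.0
 ip access-group 116 in
 ip auth-proxy WEBAUTH
!
! Inbound ACL: clients can resolve names and reach the router's own
! HTTP server for the login exchange. Everything else stays denied
! until the per-user access list from the AAA server is applied
! after a successful login.
access-list 116 permit udp 10.1.1.0 0.0.0.255 any eq domain
access-list 116 permit tcp 10.1.1.0 0.0.0.255 host 10.1.1.1 eq www
access-list 116 deny ip any any
```

After applying a configuration like this, show ip auth-proxy configuration and show ip auth-proxy cache confirm the rule and the authenticated entries.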
Finally, you need to be ready to troubleshoot your configuration because, based on my experience, I wouldn't expect this to work the first time it is configured. You'll need to look at the log on your RADIUS or TACACS+ server to see the successful and failed authentications. You can use the IOS debug commands to see what the router is doing:
debug aaa authentication
debug aaa authorization
debug ip auth-proxy object-creation
debug ip http authorization
debug ip packet detail [don't perform this on a production router]
And of course, you have the IOS show commands, which can also aid your troubleshooting efforts:
show ip access-lists
show ip auth-proxy cache
show ip auth-proxy configuration
Summary
HTTP authentication proxy is another of the many fascinating features of the Cisco IOS. In its current state, I don't foresee it becoming the standard office proxy server, but it's a good tool for administrators to add to their collection of possible solutions. If you want to restrict Internet access to Web browsing, this solution could be a money-saver, allowing you to circumvent the purchase of a separate proxy server or appliance. It also provides strong authentication and auditing features that could be a nice asset for your network security.