Cisco Systems Authentication Proxy

Posted by Andre Wisniewski on July 27, 2008, 8:49 am
Hello

On a Cisco 876 I set up an auth-proxy which works fine for accessing websites.
Is it possible to block mail traffic as well until authorization?

Thanks,

Andre

Posted by News Reader on July 28, 2008, 9:37 am
Andre Wisniewski wrote:
> Hello
>
> On a Cisco 876 I set up an auth-proxy which works fine for accessing
> websites. Is it possible to block mail traffic as well until authorization?
>
> Thanks,
>
> Andre


Yes.

If you refrain from permitting access to mail in your interface ACL, and
only permit it in the auth-proxy ACL (downloaded upon successful
authentication), then access to mail becomes part of the security policy
controlled via auth-proxy.


Best Regards,
News Reader

Posted by Andre Wisniewski on July 29, 2008, 1:27 pm
News Reader wrote:
> Andre Wisniewski wrote:
>> Hello
>>
>> On a Cisco 876 I set up an auth-proxy which works fine for accessing
>> websites. Is it possible to block mail traffic as well until
>> authorization?
>>
>> Thanks,
>>
>> Andre
>
>
> Yes.
>
> If you refrain from permitting access to mail in your interface ACL, and
> only permit it in the auth-proxy ACL (downloaded upon successful
> authentication), then access to mail becomes part of the security policy
> controlled via auth-proxy.
>
>
> Best Regards,
> News Reader

Quite simple. That helped. Thanks!

Posted by News Reader on July 29, 2008, 2:55 pm
Andre Wisniewski wrote:
> News Reader wrote:
>> Andre Wisniewski wrote:
>>> Hello
>>>
>>> On a Cisco 876 I set up an auth-proxy which works fine for accessing
>>> websites. Is it possible to block mail traffic as well until
>>> authorization?
>>>
>>> Thanks,
>>>
>>> Andre
>>
>>
>> Yes.
>>
>> If you refrain from permitting access to mail in your interface ACL,
>> and only permit it in the auth-proxy ACL (downloaded upon successful
>> authentication), then access to mail becomes part of the security
>> policy controlled via auth-proxy.
>>
>>
>> Best Regards,
>> News Reader
>
> Quite simple. That helped. Thanks!

You're welcome.

Although you've not indicated a need, I thought I would provide the
following observation that may prove beneficial some day:

When configuring auth-proxy ACLs in Cisco Secure ACS, I found it
necessary to use the keyword "any" as the source in an auth-proxy ACE.
The resulting temporary ACE added to the interface ACL specified the
authenticated IP address as the source.

When I tried configuring the auth-proxy ACE with a specific host address
as the source, the ACE was passed to the AAA Client, but it was not
added to the interface ACL, and therefore policy was not successfully
implemented.

Best Regards,
News Reader
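The two points made in this thread (keep mail out of the interface ACL so it is only opened by the downloaded auth-proxy ACL, and write the downloaded ACEs with "any" as the source so IOS can substitute the authenticated host) fit together as the configuration below. This is a constructed example added here, not configuration posted by either participant; the interface name, ACL name, addresses, TACACS+ key and auth-proxy name are assumptions for a Cisco 876 whose LAN side is Vlan1.

```cisco
! --- Router side (IOS) ---------------------------------------------------
! Constructed example; hostnames, addresses, names and the key are assumed.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
!
! The router's own HTTP server serves the auth-proxy login page.
ip http server
ip http authentication aaa
!
! Auth-proxy rule triggered by HTTP; cache entry expires after 60 idle minutes.
ip auth-proxy name LAN-AUTH http inactivity-time 60
!
! Interface ACL: only what an UNauthenticated host may do.
! HTTP is denied so the proxy intercepts it and presents the login page.
! SMTP/POP3/IMAP are deliberately NOT permitted here, so mail stays blocked
! until the per-user ACEs below are downloaded and inserted by auth-proxy.
ip access-list extended LAN-IN
 permit udp any any eq domain
 permit tcp any any eq domain
 deny   tcp any any eq www
 deny   tcp any any eq smtp
 deny   tcp any any eq pop3
 deny   tcp any any eq 143
 deny   ip any any
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN-IN in
 ip auth-proxy LAN-AUTH
!
! --- Cisco Secure ACS side (TACACS+ custom attributes for the user/group) ---
! Entered in the "Shell (exec)" custom-attributes box. priv-lvl=15 is required
! for auth-proxy. The source in every proxyacl#n entry is "any": IOS replaces
! it with the authenticated host's address when it builds the temporary ACE.
! A host-specific source here is delivered but never installed (as observed
! above), so the policy silently fails.
priv-lvl=15
proxyacl#1=permit tcp any any eq www
proxyacl#2=permit tcp any any eq smtp
proxyacl#3=permit tcp any any eq pop3
proxyacl#4=permit tcp any any eq 143
!
! --- Checking the result after a user logs in ---------------------------
! show ip auth-proxy cache        -> one entry per authenticated host
! show ip access-lists LAN-IN     -> temporary "permit tcp host <client> any eq smtp"
!                                     style ACEs inserted ahead of the static lines
```

Before a user authenticates, `show ip access-lists LAN-IN` shows only the static lines and mail connections from the LAN are dropped; after a successful login the downloaded entries appear at the top of the ACL with the client's address as source, and they are removed again when the cache entry times out or is cleared with `clear ip auth-proxy cache`.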
