Hello
On a Cisco 876 I set up an auth-proxy which works fine for accessing websites. Is it possible to block mail traffic as well until authorization?
Thanks,
Andre
Yes.
If you refrain from permitting access to mail in your interface ACL, and only permit it in the auth-proxy ACL (downloaded upon successful authentication), then access to mail becomes part of the security policy controlled via auth-proxy.
Best Regards, News Reader
Quite simple. That helped. Thanks!
You're welcome.
Although you've not indicated a need, I thought I would provide the following observation that may prove beneficial some day:
When configuring auth-proxy ACLs in Cisco Secure ACS, I found it necessary to use the keyword "any" as the source in an auth-proxy ACE. The resulting temporary ACE added to the interface ACL specified the authenticated IP address as the source.
When I tried configuring the auth-proxy ACE with a specific host address as the source, the ACE was passed to the AAA Client, but it was not added to the interface ACL, and therefore policy was not successfully implemented.
Best Regards, News Reader
I'm using neither "any" nor a specific host. I added two networks to my auth-proxy ACL.
permit ip 192.168.250.0 0.0.0.255 any
permit ip 192.168.251.0 0.0.0.255 any
All worked fine.
Thanks for your advice
Cheers, Andre
Why would you be doing that?
Auth-proxy is applied on the ingress interface. The ACEs downloaded from the AAA server are installed above the ACEs on the inbound ACL of the near side (ingress) interface, and the outbound ACL of the far side (egress) interface(s).
The intent is to authorize specific "destination" addresses and protocols for the authenticated user, not to open a flood gate for whole "source" networks to any destination.
Perhaps you should examine your interface ACLs following authentication, and verify that the temporary ACEs reflect the policy intended.
Best Regards, News Reader
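The configuration pattern described in the replies above (mail denied in the interface ACL, permitted only by the ACEs downloaded from the AAA server, with "any" as the source so IOS substitutes the authenticated host, and destination-scoped rather than whole-network permits) is shown below as a worked example. This is an added example, not a configuration posted in this thread or taken from Cisco documentation; the addresses, ACL name, rule name, server key and mail-server host are assumptions, and the AAA-server side is shown in the TACACS+ auth-proxy attribute syntax.

```cisco
! Added example (not from the thread). Assumed addressing:
!   LAN 192.168.250.0/24 on Vlan1 (router 192.168.250.1)
!   TACACS+ server 192.168.250.10, mail server 192.168.250.20
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.168.250.10 key MyTacacsKey
!
! The router serves the auth-proxy login page over HTTP and checks
! the credentials against AAA.
ip http server
ip http authentication aaa
!
! Auth-proxy rule: intercept HTTP from unauthenticated hosts,
! expire the cache entry after 60 idle minutes.
ip auth-proxy name MAILGATE http inactivity-time 60
!
! Inbound ACL on the ingress (LAN) interface. DNS is permitted so
! names resolve before the first HTTP request; HTTP to the router
! itself is permitted for the login page. Mail ports are listed
! explicitly for readability, but the final "deny ip any any"
! would catch them anyway. Nothing here permits mail.
ip access-list extended LAN-IN
 permit udp 192.168.250.0 0.0.0.255 any eq domain
 permit tcp 192.168.250.0 0.0.0.255 host 192.168.250.1 eq www
 deny   tcp any any eq smtp
 deny   tcp any any eq pop3
 deny   tcp any any eq 143
 deny   ip any any
!
interface Vlan1
 ip address 192.168.250.1 255.255.255.0
 ip access-group LAN-IN in
 ip auth-proxy MAILGATE
!
! AAA-server side (TACACS+ custom attributes for the auth-proxy
! service, assumed values). The source is "any": IOS replaces it
! with the authenticated host when it installs the temporary ACEs
! at the top of LAN-IN. A specific host as source is not installed.
! Each ACE names the destination and protocol being authorized,
! rather than opening a whole source network.
!   priv-lvl=15
!   proxyacl#1=permit tcp any host 192.168.250.20 eq smtp
!   proxyacl#2=permit tcp any host 192.168.250.20 eq pop3
!   proxyacl#3=permit tcp any host 192.168.250.20 eq 143
!   proxyacl#4=permit tcp any any eq www
!
! Verification after a user has logged in:
!   show ip auth-proxy cache        (authenticated hosts and timers)
!   show ip access-lists LAN-IN     (temporary per-host ACEs on top)
```

One caveat a practitioner will hit with this design: mail clients never send the HTTP request that triggers auth-proxy, so a user whose cache entry has expired must open a browser page first before the mail client will connect again. Check the output of "show ip access-lists" after a login to confirm that the installed entries carry the single authenticated host as source and only the intended destinations, which is the check the last reply above recommends.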