Authentication Proxy

Hello

On a Cisco 876 I set up an auth-proxy which works fine for accessing websites. Is it possible to block mail traffic as well until authorization?

Thanks,

Andre

Reply to
Andre Wisniewski

Yes.

If you refrain from permitting access to mail in your interface ACL, and only permit it in the auth-proxy ACL (downloaded upon successful authentication), then access to mail becomes part of the security policy controlled via auth-proxy.

Best Regards, News Reader

Reply to
News Reader

Quite simple. That helped. Thanks!

Reply to
Andre Wisniewski

You're welcome.

Although you've not indicated a need, I thought I would provide the following observation that may prove beneficial some day:

When configuring auth-proxy ACLs in Cisco Secure ACS, I found it necessary to use the keyword "any" as the source in an auth-proxy ACE. The resulting temporary ACE added to the interface ACL specified the authenticated IP address as the source.

When I tried configuring the auth-proxy ACE with a specific host address as the source, the ACE was passed to the AAA Client, but it was not added to the interface ACL, and therefore policy was not successfully implemented.

Best Regards, News Reader

Reply to
News Reader


I'm using neither "any" nor a specific host. I added two networks to my auth-proxy ACL.

permit ip 192.168.250.0 0.0.0.255 any
permit ip 192.168.251.0 0.0.0.255 any

All worked fine.

Thanks for your advice

Cheers, Andre

Reply to
Andre Wisniewski

Why would you be doing that?

Auth-proxy is applied on the ingress interface. The ACEs downloaded from the AAA server are installed above the ACEs on the inbound ACL of the near side (ingress) interface, and the outbound ACL of the far side (egress) interface(s).

The intent is to authorize specific "destination" addresses and protocols for the authenticated user, not to open a flood gate for whole "source" networks to any destination.

Perhaps you should examine your interface ACLs following authentication, and verify that the temporary ACEs reflect the policy intended.

Best Regards, News Reader

Reply to
News Reader
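As an added, worked illustration of the advice in this thread (it is not configuration posted by either participant): the interface ACL deliberately contains no permit for mail, so mail is reachable only through the ACEs that Cisco Secure ACS hands down on successful authentication, and those ACEs use "any" as the source and a specific mail server as the destination. Everything concrete here is an assumption for the example: the inside LAN 192.168.250.0/24 on Vlan1, a mail server at 203.0.113.25 (documentation address range), ACS reached over TACACS+ at 192.168.250.10, the key placeholder, and the rule name LANPROXY. The HTTP auth-proxy itself is assumed to be working already, as in the original question.

```cisco
! --- On the router (Cisco IOS) ---
! Added example; addresses, names and the TACACS+ key are assumptions.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
tacacs-server host 192.168.250.10 key CHANGE-ME
!
! The router's own HTTP server presents the auth-proxy login page.
ip http server
ip http authentication aaa
!
! Auth-proxy rule: intercept HTTP from the LAN; idle entries expire after 60 minutes.
ip auth-proxy name LANPROXY http inactivity-time 60
!
! Pre-authentication policy. Note what is NOT here: no permit for SMTP (25),
! POP3 (110) or IMAP (143). Anything absent from this ACL is only reachable
! through the temporary ACEs downloaded from ACS after the user logs in.
ip access-list extended INSIDE_IN
 remark --- pre-auth policy: DNS and web only; mail intentionally absent
 permit udp 192.168.250.0 0.0.0.255 any eq domain
 permit tcp 192.168.250.0 0.0.0.255 any eq www
 permit tcp 192.168.250.0 0.0.0.255 any eq 443
 deny   ip any any log
!
interface Vlan1
 ip address 192.168.250.1 255.255.255.0
 ip access-group INSIDE_IN in
 ip auth-proxy LANPROXY
!
! --- In Cisco Secure ACS (TACACS+ custom service "auth-proxy", per user or group) ---
! Source is the keyword "any" on purpose: IOS substitutes the authenticated
! host's address when it installs the temporary ACE at the top of INSIDE_IN.
! Destination is the specific mail server, not "any".
! priv-lvl=15
! proxyacl#1=permit tcp any host 203.0.113.25 eq smtp
! proxyacl#2=permit tcp any host 203.0.113.25 eq pop3
! proxyacl#3=permit tcp any host 203.0.113.25 eq 143
```

To check the result the way the last reply suggests, authenticate from a LAN host and then run `show ip access-lists INSIDE_IN`: the downloaded entries should appear above the static ones with that host's address as the source and 203.0.113.25 as the destination. `show ip auth-proxy cache` lists the authenticated hosts, and `clear ip auth-proxy cache *` drops them so you can confirm that mail is blocked again once the entry is gone.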

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.