Scenario 1: IOS Auth-Proxy with Downloadable Access Control Entries
This is completely analogous to what was done for ASA in Scenario 2 of the “ASA User-Level Control with Cut-Through Proxy” section.
Example 4 illustrates Auth-proxy performing the interception and interacting with the RADIUS server, whereas Example 5 shows the authentication and authorization results.
Example 3. Defining Individual ACEs on CS-ACS for IOS Auth-Proxy
ACS/Group Settings : GROUP1
[009\001] cisco-av-pair
    priv-lvl=15
    proxyacl#1=permit tcp any any eq 22
    proxyacl#2=permit tcp any any eq 23
Example 4. Telnet Session Intercepted by Auth-Proxy
! Telnet Session is intercepted by Auth-Proxy process (before reaching interface ACL)
AUTH-PROXY creates info:
    cliaddr -  172.21.21.101, cliport -  1562
    seraddr -  172.16.201.2, serport -  23
    ip-srcaddr 172.21.21.101
    pak-srcaddr 0.0.0.0
! NAS sends request to CS-ACS and receives individual ACEs (proxyacl)
RADIUS(0000000C): Send Access-Request to 172.21.21.250:1812 id 1645/12, len 104
RADIUS:  authenticator 73 DC D7 7B 91 B4 61 38 - 4E 65 CB A5 B3 4F AD 9D
RADIUS:  User-Name           [1]   7   "user1"
[output suppressed]
RADIUS: Received from id 1645/12 172.21.21.250:1812, Access-Accept, len 148
RADIUS:  authenticator ED 65 FB F6 64 B9 33 6D - A3 5E B8 5F 14 36 D4 21
RADIUS:  Vendor, Cisco       [26]  19
RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
RADIUS:  Vendor, Cisco       [26]  43
RADIUS:   Cisco AVpair       [1]   37  "proxyacl#1=permit tcp any any eq 22"
RADIUS:  Vendor, Cisco       [26]  43
RADIUS:   Cisco AVpair       [1]   37  "proxyacl#2=permit tcp any any eq 23"
[output suppressed]
Example 5. Verifying Authenticated Users and Downloaded ACEs
DMZ# show ip auth-proxy cache
Authentication Proxy Cache
 Client Name user1, Client IP 172.21.21.101, Port 1562, timeout 60, Time Remaining 60, state INTERCEPT
!
! Details about the current Auth-Proxy session
DMZ# show epm session ip 172.21.21.101
    Admission feature : Authproxy
    AAA Policies :
     Proxy ACL : permit tcp any any eq 22
     Proxy ACL : permit tcp any any eq 23
!
! Viewing Dynamic Entries (for host 172.21.21.101) added to the interface ACL
DMZ# show access-list
Extended IP access list 100
     permit tcp host 172.21.21.101 any eq 22 (18 matches)
     permit tcp host 172.21.21.101 any eq telnet (70 matches)
    10 permit udp host 172.21.21.250 eq 1812 host 172.21.21.1 (1 match)
    20 permit udp host 172.21.21.250 eq 1813 host 172.21.21.1 (1 match)
    30 permit tcp any 172.16.201.0 0.0.0.255 eq telnet
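The rewrite visible between Examples 4 and 5 (each proxyacl#N ACE from the Access-Accept reappears in the interface ACL with its source "any" replaced by the authenticated host, and without a sequence number) can be audited automatically. The following Python script is an added illustration, not code from the book; it embeds constructed excerpts of the debug radius and show access-list output above, and assumes IOS prints well-known ports by name (telnet for 23) and that an explicit, non-any source in a downloaded ACE is left untouched.

```python
import re

# Constructed sample input: Access-Accept lines from Example 4 and ACL lines from Example 5.
RADIUS_DEBUG = """\
RADIUS: Received from id 1645/12 172.21.21.250:1812, Access-Accept, len 148
RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
RADIUS:   Cisco AVpair       [1]   37  "proxyacl#1=permit tcp any any eq 22"
RADIUS:   Cisco AVpair       [1]   37  "proxyacl#2=permit tcp any any eq 23"
"""
SHOW_ACCESS_LIST = """\
Extended IP access list 100
     permit tcp host 172.21.21.101 any eq 22 (18 matches)
     permit tcp host 172.21.21.101 any eq telnet (70 matches)
    10 permit udp host 172.21.21.250 eq 1812 host 172.21.21.1 (1 match)
"""
# Assumption: IOS prints well-known ports by name; map them back to numbers for comparison.
PORT_NAMES = {"telnet": "23", "ssh": "22", "www": "80", "ftp": "21", "smtp": "25"}

def parse_proxyacl(debug_text):
    """Return the proxyacl#N ACEs carried in the Access-Accept, ordered by N."""
    found = re.findall(r'"proxyacl#(\d+)=([^"]+)"', debug_text)
    return [ace for _, ace in sorted(found, key=lambda kv: int(kv[0]))]

def normalize(ace):
    """Canonical form: numeric ports, hit counters stripped, single spaces."""
    ace = re.sub(r"\s*\(\d+ match(?:es)?\)\s*$", "", ace)
    return " ".join(PORT_NAMES.get(tok, tok) for tok in ace.split())

def expected_dynamic_ace(proxyacl_ace, client_ip):
    """Auth-proxy installs the downloaded ACE with source 'any' replaced by the client host."""
    action, proto, src, rest = proxyacl_ace.split(" ", 3)
    if src != "any":  # assumption: an explicit source is not rewritten
        return proxyacl_ace
    return f"{action} {proto} host {client_ip} {rest}"

def parse_dynamic_aces(show_text, client_ip):
    """Dynamic entries carry no sequence number and name the client host (see Example 5)."""
    aces = []
    for line in show_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("permit", "deny") and f"host {client_ip}" in line:
            aces.append(line.strip())
    return aces

def audit(debug_text, show_text, client_ip):
    """Report ACEs the server sent but the ACL lacks, and ACL entries the server never sent."""
    expected = {normalize(expected_dynamic_ace(a, client_ip)) for a in parse_proxyacl(debug_text)}
    actual = {normalize(a) for a in parse_dynamic_aces(show_text, client_ip)}
    return {"missing": sorted(expected - actual), "unexpected": sorted(actual - expected)}
```

Run audit(RADIUS_DEBUG, SHOW_ACCESS_LIST, "172.21.21.101") against live output of debug radius and show access-list; a non-empty "unexpected" list means the interface ACL holds a per-host entry that the AAA server did not authorize.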