What the User Sees

[Screenshot: Netscape window "Authentication Proxy Login Page" prompting for Username (smith) and Password (2bon2b), followed by a "Success Page" window reading "Authentication Successful!"]

©2000, Cisco Systems,

When a user initiates an HTTP session through the firewall, it triggers the authentication proxy. If a valid authentication entry exists for the user, the session is allowed and no further intervention is required by the authentication proxy. If no entry exists, the authentication proxy responds to the HTTP connection request by prompting the user for a username and password, as shown above.

[Figure: authentication proxy exchange between the client, the Cisco IOS Firewall, and the Cisco Secure ACS AAA server. Callouts:]

- Proxy intercepts the client's HTTP request before any ACLs and ...
- (2) Proxy replies to the client via HTML and gets the username and password.
- Proxy authenticates with the AAA server (Cisco Secure ACS), downloads the authorization profile, and creates dynamic ACLs.
- Proxy refreshes the client's browser with the saved target URL.

When a user initiates an HTTP session through the firewall, it triggers the authentication proxy. The authentication proxy first checks to see if the user has been authenticated. If a valid authentication entry exists for the user, the session is allowed and no further intervention is required by the authentication proxy. If no entry exists, the authentication proxy responds to the HTTP connection request by prompting the user for a username and password.

Users must successfully authenticate with the authentication server by entering a valid username and password. If the authentication succeeds, the user's authorization profile is retrieved from the authentication, authorization, and accounting (AAA) server. The authentication proxy uses the information in this profile to create dynamic access control entries (ACEs) and add them to the inbound (input) access control list (ACL) of an input interface, and to the outbound (output) ACL of an output interface if an output ACL exists at that interface. By doing this, the firewall allows authenticated users access to the network as permitted by the authorization profile. For example, a user can initiate a Telnet connection through the firewall if Telnet is permitted in the user's profile.

If the authentication fails, the authentication proxy reports the failure to the user, and prompts the user with multiple retries. If the user fails to authenticate after five attempts, the user must wait two minutes and initiate another HTTP session to trigger the authentication proxy.

The authentication proxy sets up an inactivity (idle) timer for each user profile. As long as there is activity through the firewall, new traffic initiated from the user's host does not trigger the authentication proxy, and all authorized user traffic is permitted access through the firewall.

If the idle timer expires, the authentication proxy removes the user's profile information and dynamic access list entries. When this happens, traffic from the client host is blocked. The user must initiate another HTTP connection to trigger the authentication proxy.
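The following Python model is an added example, not Cisco's code, that walks through the behaviour described above: an HTTP request from a host with no valid entry is prompted, five failed logins lock the host out for two minutes, a successful login pulls the authorization profile from a (constructed, in-memory) AAA store and installs dynamic entries, non-HTTP traffic such as Telnet is matched against those entries, and an expired idle timer removes the entries so the next HTTP request is prompted again. The `IDLE_TIMEOUT_SECONDS` value, the per-host keying of the failure counter, the `AAA_SERVER` records and the caller-supplied clock are assumptions made to keep the model runnable offline.

```python
"""Model of the Cisco IOS Firewall authentication proxy state machine.

Added illustration, not Cisco's implementation. Assumptions (not from the page):
fixed authorization profiles in an in-memory AAA store, the failure counter
is keyed by client host, and the caller passes the clock in as `now` so
timer expiry can be tested deterministically.
"""
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5            # page: five failed attempts ...
LOCKOUT_SECONDS = 120       # ... then the user must wait two minutes
IDLE_TIMEOUT_SECONDS = 60   # assumed value for the inactivity (idle) timer

# Constructed AAA records: username -> (password, services the profile permits)
AAA_SERVER = {
    "smith": ("2bon2b", {"http", "telnet"}),
}


@dataclass
class DynamicEntry:
    """The dynamic ACEs installed for one authenticated host."""
    host: str
    permitted: set
    last_activity: float


@dataclass
class AuthProxy:
    entries: dict = field(default_factory=dict)   # host -> DynamicEntry
    failures: dict = field(default_factory=dict)  # host -> (count, time of last failure)

    def _locked_out(self, host, now):
        count, last = self.failures.get(host, (0, 0.0))
        if count < MAX_ATTEMPTS:
            return False
        if now - last < LOCKOUT_SECONDS:
            return True
        del self.failures[host]   # lockout elapsed, counter reset
        return False

    def on_http_request(self, host, now):
        """'allow' if a valid entry exists, 'locked' during lockout, else 'prompt'."""
        entry = self.entries.get(host)
        if entry is not None and now - entry.last_activity < IDLE_TIMEOUT_SECONDS:
            entry.last_activity = now
            return "allow"
        if entry is not None:
            del self.entries[host]   # idle timer expired: profile and ACEs removed
        if self._locked_out(host, now):
            return "locked"
        return "prompt"

    def login(self, host, username, password, now):
        """Credentials submitted through the HTML form; True installs dynamic ACEs."""
        if self._locked_out(host, now):
            return False
        record = AAA_SERVER.get(username)
        if record is None or record[0] != password:
            count, _ = self.failures.get(host, (0, 0.0))
            self.failures[host] = (count + 1, now)
            return False
        self.failures.pop(host, None)
        self.entries[host] = DynamicEntry(host, set(record[1]), now)
        return True

    def is_permitted(self, host, service, now):
        """Other traffic (e.g. Telnet) is checked against the host's dynamic ACEs.

        Permitted traffic refreshes the idle timer; an expired timer removes the entry.
        """
        entry = self.entries.get(host)
        if entry is None:
            return False
        if now - entry.last_activity >= IDLE_TIMEOUT_SECONDS:
            del self.entries[host]
            return False
        if service not in entry.permitted:
            return False
        entry.last_activity = now
        return True


if __name__ == "__main__":
    proxy = AuthProxy()
    host = "10.0.0.5"   # constructed client address
    print(proxy.on_http_request(host, 0.0))            # prompt
    print(proxy.login(host, "smith", "2bon2b", 1.0))   # True
    print(proxy.is_permitted(host, "telnet", 5.0))     # True (permitted by profile)
    print(proxy.is_permitted(host, "ftp", 6.0))        # False (not in profile)
```

Running the module prints the sequence for one host; the failure-lockout and idle-expiry paths are exercised by calling `login` with a wrong password five times and then advancing `now` past the two-minute and idle windows.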

Supported AAA Servers

■ TACACS+

■ RADIUS

©2000, Cisco Systems, Inc. www.cisco.com CSPFA 1.01, 9-7

The Cisco IOS Firewall authentication proxy supports the following AAA protocols and servers:

■ Terminal Access Controller Access Control System Plus (TACACS+)

- Cisco Secure Asynchronous Communications Server (CSACS) for Windows NT (CSACS-NT)

- Cisco Secure ACS for UNIX (CSACS-UNIX)

- TACACS+ Freeware

■ Remote Authentication Dial-In User Service (RADIUS)

- Cisco Secure ACS for Windows NT (CSACS-NT)

- Cisco Secure ACS for UNIX (CSACS-UNIX)

- Livingston

- Ascend
