Proxy auth on IOS, I think, is very different from implementing it on the ASA. I hope at some point the two implementation methods will converge. I learned a few lessons though that I'll cover in this post. When configuring proxy auth on IOS, the first step is to define the match access-list for the traffic you want to trigger authentication. This is optional but I find it very useful. My match ACL looks a bit like this:
fw1# sh access-list 161
Extended IP access list 161
10 permit tcp any host 64.233.167.99 eq www (Google)
20 permit tcp any host 24.234.58.5 eq www (Securityie.com)
30 permit tcp any host 24.234.58.5 eq 443 (Securityie.com)
The traffic must be going through the router, not terminating at the router. This is important. When I first tried, I was trying to match web traffic going to the router itself and simply could not get proxy auth to work correctly.
Next is to define the proxy auth instance. In this step you configure a name and you can also define a few attributes such as inactivity timers and absolute timeouts.
ip auth-proxy name admin_auth http inactivity-time 60 list 161
In the above config you’ll see that I named the proxy auth instance “admin_auth” and I am using http as the interception method. I have an inactivity time set to 60, and my match ACL is also defined with “list 161”.
Using http as the interception method means that http or https can be used. The actual method is defined by the way you configure the http server on the router.
Note: If your match ACL matches only port 80 traffic and you configured your IOS router's web service for https, you will not be able to intercept the http traffic. Configure the match ACL and the web server for the same type of traffic (http or https).
Now configure the http server on the IOS router. This is quick and easy:
ip http server
ip http authentication aaa
You can easily enable the https service by doing “no ip http server” and entering “ip http secure-server”.
Next you need to configure proxy auth authorization.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization auth-proxy default group tacacs+ local
As you can see I already have authentication defined for TACACS+. You will also need to make sure you configure your ACS server appropriately. This is the part I really don't care for. I think the interface could be a bit more intuitive, but as the great Bubba the Love Sponge once said, “Learn how to work kid”.
For the ACS server you will need to add the auth-proxy service to the tacacs service interface configuration.
1. Click on Interface Configuration then TACACS+ (Cisco IOS).
2. Scroll down to New Services. Check the check box for Group and in the service form field enter auth-proxy. Click Submit.
3. Select the group you would like to apply proxy auth to (Group Setup). In my case it's group 5. Scroll down until you see the new service you added (auth-proxy).
4. Click the auth-proxy and custom attributes check box.
5. In the attributes field enter the access-list entries you want applied when the user authenticates successfully. In this example I am allowing all tcp, udp and icmp access.
priv-lvl=15
proxyacl#1=permit icmp any any
proxyacl#2=permit tcp any any
proxyacl#3=permit udp any any
You will also need to assign privilege level 15 for the ACLs to be applied appropriately. Save your changes and exit.
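The attribute list above is easy to get subtly wrong in the ACS form, and the router gives little feedback when it is. The following is an added example, not part of the original post or of ACS itself: a small validator you can run over the text you paste into the custom attributes box. It checks the things the post calls out (priv-lvl=15 must be present, entries are named proxyacl#N) plus two further requirements from Cisco's auth-proxy documentation: proxyacl numbers must run contiguously from 1, and each entry must be a permit statement whose source is "any", because the router substitutes the authenticated host's address for the source. The sample attribute text is constructed and deliberately contains two mistakes.

```python
import re
from typing import Dict, List

# Constructed attribute list for the ACS auth-proxy service (not copied from the post).
# It contains two mistakes on purpose: proxyacl#3 is skipped, and entry #4 names a
# specific source host instead of "any".
SAMPLE_ATTRIBUTES = """\
priv-lvl=15
proxyacl#1=permit icmp any any
proxyacl#2=permit tcp any any
proxyacl#4=permit udp host 10.1.1.5 any
"""

# permit <proto> <source> <rest>; source is "any", "host A.B.C.D" or "addr wildcard"
ACE = re.compile(r"^permit\s+(\S+)\s+(any|host\s+\S+|\S+\s+\S+)\s+(.+)$")


def check_attributes(text: str) -> List[str]:
    """Return one problem string per defect; an empty list means the attributes look sane."""
    problems: List[str] = []
    priv = None
    entries: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            problems.append(f"not an attribute=value pair: {line}")
            continue
        key, value = line.split("=", 1)
        if key == "priv-lvl":
            priv = value
        elif (m := re.fullmatch(r"proxyacl#(\d+)", key)):
            entries[int(m.group(1))] = value
        else:
            problems.append(f"unknown attribute {key}")
    # The post: privilege level 15 is required for the ACL entries to be applied.
    if priv != "15":
        problems.append(f"priv-lvl is {priv!r}; auth-proxy needs priv-lvl=15")
    # Cisco's auth-proxy docs: proxyacl#n entries are read in order starting at 1.
    if sorted(entries) != list(range(1, len(entries) + 1)):
        problems.append(f"proxyacl numbering has gaps: {sorted(entries)}")
    for n, value in sorted(entries.items()):
        m = ACE.match(value)
        if not m:
            problems.append(f"proxyacl#{n}: not a permit entry")
            continue
        if m.group(2) != "any":
            problems.append(f"proxyacl#{n}: source must be 'any' (the router substitutes the host address)")
    return problems


if __name__ == "__main__":
    for p in check_attributes(SAMPLE_ATTRIBUTES):
        print("PROBLEM:", p)
```

Run it against the sample and it reports the numbering gap and the bad source in entry #4; feed it the post's own four lines and it returns an empty list.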
Now the last step is to apply proxy auth to the interface that faces the user you wish to authenticate.
interface Dot11Radio0
ip access-group acl_wireless in
ip auth-proxy admin_auth
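The pieces configured so far (the match ACL, the auth-proxy rule, the http or https listener, and the interface that the rule is applied to) have to agree with each other, and the note above about port 80 versus the https listener is exactly the kind of mismatch that produces a silent failure. As an added example, not code from the post or from Cisco, here is a small audit script that reads a running-config fragment and reports the inconsistencies a practitioner would want flagged: match-ACL ports that the router's web server does not listen on, no web server enabled at all, and an interface that applies a rule name that was never defined. The sample config is constructed and deliberately contains two of those mistakes.

```python
import re
from typing import Dict, List, Optional

# Constructed running-config fragment (not taken from the post). It deliberately
# contains the mismatch described above: only the HTTPS listener is enabled, yet the
# match ACL also catches plain port-80 traffic, which the proxy can then never answer.
# It also applies a rule name on FastEthernet0 that was never defined.
SAMPLE_CONFIG = """\
ip http secure-server
ip http authentication aaa
!
ip auth-proxy name admin_auth http inactivity-time 60 list 161
!
access-list 161 permit tcp any host 24.234.58.5 eq www
access-list 161 permit tcp any host 24.234.58.5 eq 443
access-list 161 remark trigger auth only for securityie.com
!
interface Dot11Radio0
 ip access-group acl_wireless in
 ip auth-proxy admin_auth
!
interface FastEthernet0
 ip auth-proxy guest_auth
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}


def _port(token: str) -> Optional[int]:
    """Map an 'eq' operand (name or number) to a TCP port."""
    if token.lower() in PORT_NAMES:
        return PORT_NAMES[token.lower()]
    return int(token) if token.isdigit() else None


def listening_ports(config: str) -> set:
    """Ports the router's own web server answers on: 80 for 'ip http server', 443 for secure-server."""
    ports = set()
    for line in config.splitlines():
        s = line.strip()
        if s == "ip http server":
            ports.add(80)
        elif s == "ip http secure-server":
            ports.add(443)
    return ports


def auth_proxy_rules(config: str) -> Dict[str, dict]:
    """Global 'ip auth-proxy name <name> <method> ... [list <acl>]' definitions."""
    rules: Dict[str, dict] = {}
    for line in config.splitlines():
        m = re.match(r"^ip auth-proxy name (\S+) (\S+)(.*)$", line.strip())
        if m:
            name, method, rest = m.groups()
            lm = re.search(r"\blist (\S+)", rest)
            rules[name] = {"method": method, "list": lm.group(1) if lm else None}
    return rules


def acl_tcp_ports(config: str, acl: str) -> List[int]:
    """Destination ports of the 'permit tcp ... eq <port>' entries in a numbered ACL."""
    ports: List[int] = []
    pat = re.compile(rf"^access-list {re.escape(acl)} permit tcp .*\beq (\S+)$")
    for line in config.splitlines():
        m = pat.match(line.strip())
        if m and _port(m.group(1)) is not None:
            ports.append(_port(m.group(1)))
    return ports


def applied_rules(config: str) -> Dict[str, str]:
    """Interface name -> auth-proxy rule applied under it."""
    applied: Dict[str, str] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line and not line[0].isspace():
            current = None  # any other top-level line ends the interface block
        elif current and line.strip().startswith("ip auth-proxy "):
            applied[current] = line.strip().split()[2]
    return applied


def audit(config: str) -> List[str]:
    """Return one finding per inconsistency; an empty list means the pieces agree."""
    findings: List[str] = []
    svc = listening_ports(config)
    if not svc:
        findings.append("neither 'ip http server' nor 'ip http secure-server' is enabled, so no login page can be served")
    rules = auth_proxy_rules(config)
    for name, rule in rules.items():
        if rule["list"] is None:
            continue  # no match ACL: the rule intercepts all HTTP on the interface
        for port in acl_tcp_ports(config, rule["list"]):
            if port not in svc:
                findings.append(f"rule {name}: ACL {rule['list']} triggers on tcp/{port} but the web server only listens on {sorted(svc)}")
    for intf, name in applied_rules(config).items():
        if name not in rules:
            findings.append(f"interface {intf}: applies auth-proxy rule '{name}', which is not defined")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("WARNING:", f)
```

On the sample it reports the tcp/80 entry in ACL 161 (the router only listens on 443) and the undefined guest_auth rule on FastEthernet0; switch the listener to "ip http server" and the first finding becomes the 443 entry instead. The script only reads numbered extended ACLs written as "access-list N permit tcp ... eq PORT"; named ACLs would need a second parser.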
Now that I know my match ACL needs to match the IOS http service method (http or https), I’ll clean up the ACL to only match http traffic. For simplicity I also took out the Google match and chose to only trigger authentication for traffic going to securityie.com.
fw1#sh access-list 161
Extended IP access list 161
20 permit tcp any host 24.234.58.5 eq www
fw1#
Here is a debug of the authentication and authorization process:
fw1#sh debug
General OS:
TACACS+ authentication debugging is on
TACACS+ authorization debugging is on
AAA Authentication debugging is on
AAA Authorization debugging is on
Auth-Proxy:
AUTH-PROXY Detailed debugging is on
*Jul 6 15:54:35.326: AAA/AUTHEN/START (1632827464): port='Dot11Radio0' list='default' action=LOGIN service=LOGIN
*Jul 6 15:54:35.326: AAA/AUTHEN/START (1632827464): found list default
*Jul 6 15:54:35.326: AAA/AUTHEN/START (1632827464): Method=tacacs+ (tacacs+)
*Jul 6 15:54:35.326: TAC+: send AUTHEN/START packet ver=192 id=1632827464
*Jul 6 15:54:35.530: TAC+: ver=192 id=1632827464 received AUTHEN status = GETUSER
*Jul 6 15:54:35.530: AAA/AUTHEN(1632827464): Status=GETUSER
*Jul 6 15:54:35.530: AAA/AUTHEN/CONT (1632827464): continue_login (user='(undef)')
*Jul 6 15:54:35.530: AAA/AUTHEN(1632827464): Status=GETUSER
*Jul 6 15:54:35.530: AAA/AUTHEN(1632827464): Method=tacacs+ (tacacs+)
*Jul 6 15:54:35.530: TAC+: send AUTHEN/CONT packet id=1632827464
*Jul 6 15:54:35.730: TAC+: ver=192 id=1632827464 received AUTHEN status = GETPASS
*Jul 6 15:54:35.730: AAA/AUTHEN(1632827464): Status=GETPASS
*Jul 6 15:54:35.730: AAA/AUTHEN/CONT (1632827464): continue_login (user='joe')
*Jul 6 15:54:35.730: AAA/AUTHEN(1632827464): Status=GETPASS
*Jul 6 15:54:35.730: AAA/AUTHEN(1632827464): Method=tacacs+ (tacacs+)
*Jul 6 15:54:35.730: TAC+: send AUTHEN/CONT packet id=1632827464
*Jul 6 15:54:35.930: TAC+: ver=192 id=1632827464 received AUTHEN status = PASS
*Jul 6 15:54:35.930: AAA/AUTHEN(1632827464): Status=PASS
*Jul 6 15:54:35.930: Dot11Radio0 AAA/AUTHOR/HTTP(2518413738): Port='Dot11Radio0' list='default' service=AUTH-PROXY
*Jul 6 15:54:35.930: AAA/AUTHOR/HTTP: Dot11Radio0(2518413738) user='joe'
*Jul 6 15:54:35.930: Dot11Radio0 AAA/AUTHOR/HTTP(2518413738): send AV service=auth-proxy
*Jul 6 15:54:35.930: Dot11Radio0 AAA/AUTHOR/HTTP(2518413738): send AV cmd*
*Jul 6 15:54:35.930: Dot11Radio0 AAA/AUTHOR/HTTP(2518413738): found list "default"
*Jul 6 15:54:35.930: Dot11Radio0 AAA/AUTHOR/HTTP(2518413738): Method=tacacs+ (tacacs+)
*Jul 6 15:54:35.930: AAA/AUTHOR/TAC+: (2518413738): user=joe
*Jul 6 15:54:35.930: AAA/AUTHOR/TAC+: (2518413738): send AV service=auth-proxy
*Jul 6 15:54:35.930: AAA/AUTHOR/TAC+: (2518413738): send AV cmd*
*Jul 6 15:54:36.054: AUTH-PROXY:proto_flag=4, dstport_index=2
*Jul 6 15:54:36.054: AUTH-PROXY:Protocol not configured on if_input
*Jul 6 15:54:36.054: AUTH-PROXY:proto_flag=4, dstport_index=2
*Jul 6 15:54:36.054: AUTH-PROXY:Protocol not configured on if_input
*Jul 6 15:54:36.130: TAC+: (-1776553558): received author response status = PASS_ADD
*Jul 6 15:54:36.130: AAA/AUTHOR (2518413738): Post authorization status = PASS_ADD
*Jul 6 15:54:36.130: AUTH-PROXY: Adding ACL data for proxy acl
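Reading a debug like this by hand works for one login; on a busy interface you want the same reconstruction done for you. The script below is an added example (not the post's own tooling) that parses the AAA/AUTHEN, AAA/AUTHOR and AUTH-PROXY lines in the format shown above into one record per login: port, username, final authentication status, and the authorization result that followed. Because authorization carries its own request id (2518413738 above versus 1632827464 for the login), it ties the two together through the username. It then flags logins that authenticated but never reached PASS_ADD, logins that ended in a non-PASS status, and counts the "Protocol not configured on if_input" messages, which the capture above shows also occur in a successful run. The debug excerpt is constructed, modelled on the capture above, and adds a second rejected login.

```python
import re
from typing import Dict, List

# Constructed debug excerpt (not the post's own capture), modelled on the AAA and
# AUTH-PROXY debug format above. Session 1632827464 is a clean login by 'joe';
# session 99 is a login for 'guest' that the TACACS+ server rejects.
SAMPLE_DEBUG = """\
*Jul 6 15:54:35.326: AAA/AUTHEN/START (1632827464): port='Dot11Radio0' list='default' action=LOGIN service=LOGIN
*Jul 6 15:54:35.530: AAA/AUTHEN(1632827464): Status=GETUSER
*Jul 6 15:54:35.530: AAA/AUTHEN/CONT (1632827464): continue_login (user='(undef)')
*Jul 6 15:54:35.730: AAA/AUTHEN/CONT (1632827464): continue_login (user='joe')
*Jul 6 15:54:35.930: AAA/AUTHEN(1632827464): Status=PASS
*Jul 6 15:54:35.930: AAA/AUTHOR/HTTP: Dot11Radio0(2518413738) user='joe'
*Jul 6 15:54:36.054: AUTH-PROXY:Protocol not configured on if_input
*Jul 6 15:54:36.130: AAA/AUTHOR (2518413738): Post authorization status = PASS_ADD
*Jul 6 15:54:36.130: AUTH-PROXY: Adding ACL data for proxy acl
*Jul 6 15:55:02.110: AAA/AUTHEN/START (99): port='Dot11Radio0' list='default' action=LOGIN service=LOGIN
*Jul 6 15:55:02.500: AAA/AUTHEN/CONT (99): continue_login (user='guest')
*Jul 6 15:55:02.700: AAA/AUTHEN(99): Status=FAIL
"""

AUTHEN_START = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)'")
AUTHEN_USER = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
AUTHEN_STATUS = re.compile(r"AAA/AUTHEN\((\d+)\): Status=(\w+)")
AUTHOR_USER = re.compile(r"AAA/AUTHOR/HTTP: \S+\((\d+)\) user='([^']*)'")
AUTHOR_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")
PROTO_MSG = "AUTH-PROXY:Protocol not configured on if_input"


def parse_sessions(debug: str) -> Dict[str, dict]:
    """Reconstruct per-login state from the AAA/auth-proxy debug lines, keyed by AUTHEN id."""
    sessions: Dict[str, dict] = {}
    author: Dict[str, dict] = {}
    for line in debug.splitlines():
        if (m := AUTHEN_START.search(line)):
            sessions[m.group(1)] = {"port": m.group(2), "user": None, "authen": None, "author": None}
        elif (m := AUTHEN_USER.search(line)):
            # GETUSER/GETPASS round trips repeat the line; keep the last real username
            if m.group(2) != "(undef)" and m.group(1) in sessions:
                sessions[m.group(1)]["user"] = m.group(2)
        elif (m := AUTHEN_STATUS.search(line)):
            if m.group(1) in sessions:
                sessions[m.group(1)]["authen"] = m.group(2)  # last status wins (PASS/FAIL)
        elif (m := AUTHOR_USER.search(line)):
            author[m.group(1)] = {"user": m.group(2), "status": None}
        elif (m := AUTHOR_STATUS.search(line)):
            if m.group(1) in author:
                author[m.group(1)]["status"] = m.group(2)
    # Authorization uses a different request id; tie it back to the login via the username.
    for a in author.values():
        for s in sessions.values():
            if s["user"] == a["user"] and s["authen"] == "PASS" and s["author"] is None:
                s["author"] = a["status"]
                break
    return sessions


def findings(debug: str) -> List[str]:
    """Human-readable anomalies a defender would want surfaced from the debug."""
    out: List[str] = []
    for sid, s in parse_sessions(debug).items():
        if s["authen"] == "PASS" and s["author"] not in ("PASS_ADD", "PASS_REPL"):
            out.append(f"session {sid}: user {s['user']} authenticated but authorization status is {s['author']}")
        elif s["authen"] not in ("PASS", None):
            out.append(f"session {sid}: login for user {s['user']} on {s['port']} ended with {s['authen']}")
    n = debug.count(PROTO_MSG)
    if n:
        out.append(f"{n} '{PROTO_MSG}' message(s); these also appear in a successful run, so treat as informational")
    return out


if __name__ == "__main__":
    for sid, s in parse_sessions(SAMPLE_DEBUG).items():
        print(sid, s)
    for f in findings(SAMPLE_DEBUG):
        print("NOTE:", f)
```

Against the sample, joe's login is reported as PASS with authorization PASS_ADD and produces no finding; the guest login is reported as FAIL, and the single protocol message is counted. A login whose authorization never arrives (for example because the ACS group lacks the auth-proxy service) would show up as "authorization status is None".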