0:00:13 in our next section we are going to talk about the ios authentication proxy feature
0:00:18 that is a scalable version of the dynamic access list or the lock and key
0:00:25 now the dynamic access list, we previously talked about these when we were
0:00:29 talking about the other types of access list that
0:00:32 are on ios
0:00:33 and the key with the dynamic access list or the lock and key
0:00:36 is that the user first authenticates to the router
0:00:40 using telnet
0:00:42 and once the authentication has occurred the dynamic access list entries are activated
0:00:47 by the user entering the access-enable command into the exec process
0:00:53 whether this is happening automatically through an autocommand
0:00:57 or whether the user is actually logging in and manually issuing the command
0:01:01 the idea is that once access-enable is issued
0:01:03 the dynamic access list entries are going to be opened
0:01:07 now the disadvantage of using dynamic access lists is that we cannot control them on a per user basis
0:01:14 where with dynamic acl we cannot say that user 1
0:01:17 when they authenticate they are going to be assigned one access list
0:01:20 versus user no. 2 authenticating and then assigning a separate access list
0:01:26 so it's good for a very small implementation where the requirements are not very dynamic
0:01:30 but for a large scale implementation dynamic access lists are not very feasible
0:01:35 now the solution for this is a feature that is known as auth proxy or authentication proxy
0:01:41 that offers a scalable version of this
0:01:44 by integration with aaa
0:01:46 and downloading access lists on a per user basis
0:01:50 either from the radius server or from the tacacs server
0:01:56 now the idea behind authentication proxy
0:01:59 is that we have some hosts that are behind
0:02:01 an ios router that is running the feature
0:02:04 where we have the inside network
0:02:07 behind router 1 and we have the outside network
0:02:10 on the opposite side
0:02:12 and the idea is that this
0:02:14 windows machine that is on vlan 118
0:02:17 as it is sending out to the rest of the network
0:02:20 we want to block the traffic
0:02:22 as it is being received in by router 1
0:02:25 unless the authentication occurs
0:02:28 we can then download a specific access list
0:02:31 to the router
0:02:35 and then they are going to be authorised to use it
0:02:42 now in order to do this
0:02:44 the first thing we need to do is to deny all other traffic
0:02:48 with a static access list
0:02:51 so for this particular design if we were to do this on router 1
0:02:55 first thing we will do, we will configure an inbound acl
0:02:59 that is essentially dropping everything
0:03:01 that we do not need a static exception for
0:03:04 now if we were running different control plane protocols like ospf routing or eigrp routing
0:03:09 or some sort of ipsec we would need to make an exception for that
0:03:13 but generally we want to deny anything
0:03:16 that we want to be
0:03:17 caught by the authentication proxy
0:03:21 next the user is going to trigger an authentication request by opening up the web browser
0:03:27 and the login request is going to be forwarded to the aaa server
0:03:31 either through radius or through tacacs
0:03:35 now the aaa server is going to be checking for the user's authentication
0:03:38 and they are also going to be checking for the authorisation
0:03:41 of the auth-proxy service
0:03:45 if the auth-proxy service succeeds, so the authentication is successful and they are authorised to use auth-proxy
0:03:52 the aaa server is then going to send the per user access list down to the router
0:03:57 and the router is going to apply this to the individual user's session
0:04:02 so as compared to the dynamic access list
0:04:05 the idea is that we can control the access list not only on a per user basis
0:04:11 but it's a centralised service
0:04:13 where if there were multiple routers in the topology
0:04:16 it doesn't really matter where the user is coming from
0:04:19 because the authentication information and the access list information
0:04:22 is stored in the central service which is the acs server
0:04:28 now the configuration for this
0:04:30 is fairly straightforward, it's one of those things that you pretty much could follow along
0:04:34 the documentation examples with which you will be able to piece it together
0:04:38 so if we were to go to the regular ios documentation
0:04:41 this is going to be down under security
0:04:44 and under securing the user services
0:04:48 then under aaa
0:04:50 it's located under authentication proxy
0:04:54 now you will see that there are some advanced configurations of this
0:04:57 like you can configure it to do authentication via telnet or ftp
0:05:02 as opposed to using the web interface
0:05:05 we can also configure it with transparent bridging
0:05:09 so similar to the transparent firewall or the transparent ips
0:05:13 that we don't necessarily have to have the router segmenting two separate ip networks
0:05:18 but for the most basic configuration
0:05:21 it's just going to be the first document, which is configuring the authentication proxy
0:05:27 now from here where you generally want to look is this section that says how to configure the feature
0:05:32 it's going to give us the step by step task list
0:05:35 of exactly what we need to do
0:05:37 in order to get the feature working
0:05:40 where we need to configure aaa
0:05:43 tell the web service on the router
0:05:46 to use authentication proxy
0:05:49 and then configure the authentication proxy acls
0:05:52 and then apply them to the interface
0:05:55 so from the router there is not much syntax that is involved with it
0:05:59 we turn aaa on
0:06:01 we say for default
0:06:04 login authentication
0:06:06 and this is one of the shortcomings of the feature
0:06:10 that there is not a particular method that corresponds to auth proxy
0:06:13 so we need to use the default login method
0:06:18 this means that for lines
0:06:22 unless we have another method list defined
0:06:25 it's also going to be sharing whatever method that we define for auth proxy
0:06:31 we define the method, this is going to go to radius or tacacs
0:06:35 we specify aaa authorisation for auth proxy
0:06:40 then send this either to our
0:06:42 radius server or tacacs server
0:06:45 configure the tacacs or radius
0:06:48 attributes, so the host address, the key for the encryption
0:06:51 just like we have done before up to this point with aaa
0:07:05 then our next portion here is what is the most important
0:07:09 that here is an example of the syntax that you would use on the radius server
0:07:14 or the tacacs server
0:07:16 in order to actually configure the access list that we are going to download
0:07:22 now again you could use both radius and tacacs
0:07:24 there is going to be some minor syntax differences between the two
0:07:28 and we look at the configuration of it both ways
0:07:31 but for tacacs
0:07:32 one of the first things we need to do is under the tacacs interface configuration
0:07:37 we would need to define a new service
0:07:40 that is called auth-proxy
0:07:44 then for the particular user or the group that we are trying to assign the access list
0:07:50 we give them privilege level 15
0:07:52 we have to say priv-lvl=15
0:07:57 we say proxyacl
0:07:58 pound sign the number equals
0:08:02 then the individual access list that we are trying to define
0:08:06 so these numbers 123456, these are the acl numbers
0:08:10 and this is then what is downloaded to the router
0:08:13 once the user actually performs the authentication
0:08:18 then in addition to the aaa configuration
0:08:21 we then need to define what is going to trigger
0:08:25 the
0:08:26 authentication proxy, so we need to turn the web service on
0:08:31 it also shows you need to limit the access to the web server interface itself
0:08:35 you could do this, you don't technically have to
0:08:37 that's one of the optional features
0:08:39 then we are going to define the
0:08:42 auth-proxy process name
0:08:46 http and then the access list
0:08:49 that is going to control what is triggering the authentication
0:08:54 so it could be packets that are going to one specific destination
0:08:58 or it could be all packets to port 80
0:09:00 then we are going to apply it on the interface
0:09:02 that the traffic is transiting through
0:09:05 it's going to trigger the request
0:09:09 so essentially in our particular case
0:09:11 it means that the proxy
0:09:14 authentication proxy configuration is going to be on 0/0
0:09:18 then if anything goes in this direction
0:09:21 it's going to trigger the web
0:09:23 interface on router 1 to return a login prompt to the pc
0:09:27 then router 1 is going to forward this to the acs server
0:09:31 the acs server is then going to download the access list
0:09:34 and router 1 is automatically going to apply it on the interface
0:09:41 so next let's look at the configuration of this on
0:09:44 router 1, where the first thing we need to do is configure our basic
0:09:48 communication with the
0:09:50 acs server, the aaa server
0:09:53 so just like our previous configurations, first thing we do is to turn aaa on, so aaa new
0:09:58 aaa new-model
0:10:01 in this I am going to run radius
0:10:03 so we will say
0:10:05 the radius server host address
0:10:07 is 10.0.0.100
0:10:10 and the key is cisco
0:10:13 key is going to be whatever I also configure on the
0:10:15 aaa server
0:10:21 next thing I am going to define the aaa method list
0:10:25 so for default login authentication
0:10:28 aaa authentication login
0:10:31 the default group is going to go to radius
0:10:34 to the group radius
0:10:36 now again what this automatically implies
0:10:40 is that as soon as I apply the default list
0:10:43 it is now going to apply to everything
0:10:46 if someone goes to telnet into router 1
0:10:49 we telnet to 200.0.0.1
0:10:56 this username prompt is now going to be sent to the radius server
0:11:01 so if the radius server didn't have credentials for router 1, that's going to be a potential problem
0:11:07 what I may want to do additionally is to go to router 1
0:11:10 and then define an additional named method list
0:11:13 that I would apply on to the console or I would apply on to the vty line
0:11:18 so I could say something like aaa authentication
0:11:22 none is
0:11:25 we are actually login, aaa authentication, aaa authentication login none
0:11:29 is default
0:11:32 I cannot say none, I need to say
0:11:34 let's say no_auth
0:11:37 no_auth is none
0:11:40 then under the vty line I could say
0:11:43 login authentication
0:11:47 login authentication is no underscore
0:11:50 auth, and the same thing under the console
0:11:54 so now when any user telnets in or a user connects to the console
0:11:58 it could just automatically connect us to the exec process without having to log in
0:12:04 so again the key point is just that based on the auth proxy configuration
0:12:08 you want to make sure that you don't lock yourself out of the command line
0:12:11 because we are configuring the default login group
0:12:14 not a specific named list that is then applied to the auth proxy process
0:12:23 next thing we need to configure is the authorisation
0:12:26 so aaa authorisation
0:12:28 this is specifically for the authentication proxy service
0:12:33 authorisation is for auth proxy
0:12:36 we are going to group radius in this case
0:12:40 again we will come back and look at an example with tacacs
0:12:43 then we need to turn the web service on, so ip http server
0:12:48 this is what gives us the login prompt
0:12:51 and I need to tell router 1 to forward the login requests from the web interface to the aaa server
0:12:57 so ip http
0:13:00 the authentication type is going to be aaa
0:13:08 so next we would go to the
0:13:11 let's say we go to the test pc
0:13:20 and we open up a web browsing session
0:13:26 that goes to router 1
0:13:28 200.0.0.1
0:13:31 we could see now router 1 is running the web process
0:13:33 it should then be forwarding this login
0:13:36 and password information to the aaa server
0:13:40 if we were to go to acs
0:13:43 configure a user, let's say the user is called proxy
0:13:50 then I will simply define a password, say the password is cisco
0:13:57 if I were to then log in as proxy
0:14:04 the authentication should succeed here
0:14:07 the reason that the login box is returned here again
0:14:11 is that I didn't configure privilege level 15 authorisation on to the user
0:14:16 which is needed for the level 15 view of the router
0:14:21 but if I were to go to router 1 and look at the debug AAA authentication
0:14:26 once I enter any of the credentials in here
0:14:29 we would see it is forwarded on to the radius server
0:14:35 so it's picking the default method list, it should then be forwarding on to the radius
0:14:42 and again we could use the same test command that we did before and say test
0:14:47 AAA for the group radius
0:14:52 where my user is proxy, password is cisco
0:15:00 so the user was successfully authenticated, so we at least know router 1 has connectivity to the server
0:15:08 next thing we need to configure is the access list
0:15:11 to block the traffic that is normally coming in that interface
0:15:16 so what we want to have is that when the pc sends in this direction
0:15:20 it normally gets stopped on router 1's interface
0:15:24 but then if it is a web request
0:15:27 the port 80 is going to be redirected to
0:15:30 acs or authentication
0:15:32 and then download the acl
0:15:36 but the key is if we are going to be filtering the traffic out
0:15:38 we need to make sure that router 1 has an access list that is stopping the other flows
0:15:43 so we would have some sort of
0:15:44 access list configuration, let's say access list
0:15:49 ip access-list extended
0:15:51 inside in
0:15:53 that simply says deny ip any any and log this traffic
0:15:59 then on that interface 0/0
0:16:02 we will say ip access-group inside in inbound
0:16:08 so now from the test pc if we were
0:16:11 to generate more traffic
0:16:13 say we try to log in again
0:16:15 or maybe we try to do
0:16:18 a ping to router 2
0:16:21 we should see when these packets get to router 1's interface
0:16:24 they are going to be denied by that access list
0:16:29 so the final step then is to configure, or the final step in the ios
0:16:34 is to configure router 1 to intercept the web request
0:16:37 and then forward these to the acs server
0:16:41 so we need an access list to trigger the process first
0:16:46 we call this access list
0:16:49 the trigger acl
0:16:54 that says for anything that is tcp port 80
0:16:58 so any web traffic, that's going to trigger the authentication proxy
0:17:01 then we need to define the authentication proxy and apply it on the interface
0:17:06 and we do this with ip auth-proxy
0:17:09 we will see some other options here like what are the timers
0:17:16 what is the inactivity timer, we could also have a service policy under this
0:17:22 in this case I am just going to define the ip auth-proxy name
0:17:26 this is basically the rule that's defining what is going to trigger
0:17:31 authentication proxy, so this is our auth proxy rule
0:17:37 that is looking for web traffic
0:17:40 that is matched by our list that was the trigger acl
0:17:46 so now on the interface 0/0 we say ip auth-proxy
0:17:52 the name, this is the auth proxy rule
0:17:56 and there is no direction for it, so it is automatically going to be bidirectional
0:18:02 so now router 1 should be staged to intercept the traffic and then send it to the acs server
0:18:08 we should be able to tell this on the test pc
0:18:11 if we were to now
0:18:13 go to the web browser
0:18:16 and basically send any traffic
0:18:18 through router 1
0:18:21 so let's say we do a web browsing session to
0:18:24 router 2's interface 200.0.0.2
0:18:29 we are returned to the auth proxy login page
0:18:34 and notice the difference from the normal web interface login
0:18:39 this username and password combination
0:18:41 should then be forwarded to the aaa server
0:18:47 now at this point on the AAA server I haven't defined the access list
0:18:52 so this is the other step that we need to do
0:18:56 now it does show here in the documentation what the syntax is for
0:19:00 the tacacs configuration
0:19:03 I am not 100% sure if it shows for the radius
0:19:06 so let's search here for
0:19:11 radius, let's see if it shows here, it is going to be pretty similar
0:19:18 and it does, it's pretty similar in the syntax
0:19:22 but here with the tacacs configuration we have the service that is the auth-proxy
0:19:26 for radius we need to say
0:19:28 auth-proxy colon
0:19:32 and then the same syntax that is listed out here
0:19:36 so this here, this is going to go in the cisco avpair
0:19:42 so let's say for example we want to
0:19:44 basically permit all
0:19:46 traffic once the authentication occurs
0:19:55 so let's edit the other text out
0:20:05 so we have auth-proxy:priv-lvl=15
0:20:10 the proxyacl pound
0:20:12 the line number of the access list
0:20:14 and then whatever we want to permit
0:20:16 so let's simply say permit tcp any any
0:20:20 permit icmp any any
0:20:23 and then permit udp any any
0:20:27 and of course we could be more specific if we want them
0:20:29 to limit the traffic to less than this
0:20:34 but essentially we are saying that once authentication occurs
0:20:36 the end host is able to do whatever we want
0:20:40 now from the acs server configuration
0:20:43 this is going to be under the user or under the group
0:20:47 so I have the user here that is proxy
0:20:52 then all the way down to the bottom under the cisco-av-pair
0:20:56 that's where the syntax is going to go
0:20:59 so it knows, because it's prefixed by auth-proxy colon
0:21:04 it knows that these entries are going to be specific for that service
0:21:09 now if we look at router 1 we can say
0:21:11 debug aaa authentication
0:21:16 we would also debug ip auth-proxy
0:21:21 and let's say debug ip auth-proxy
0:21:26 let's say detail
0:21:30 and debug ip http
0:21:33 authentication
0:21:37 next if we go back to the test pc
0:21:40 and let's refresh this session
0:21:42 we should see now router 1
0:21:44 is triggering the authentication proxy
0:21:48 says that this host
0:21:50 sent traffic to 200.0.0.2, that's triggering the authentication proxy
0:21:54 if I now log in as proxy
0:21:58 which was the username
0:22:04 says authentication is successful
0:22:07 we should then see the debug from radius
0:22:11 that we sent the
0:22:13 username and password, so the user was proxy
0:22:19 and I wasn't debugging
0:22:24 radius
0:22:27 authorisation
0:22:29 radius
0:22:32 radius authentication, let's try this again, let's say clear
0:22:36 clear ip auth-proxy
0:22:38 cache *, that's going to delete the active sessions
0:22:42 so let's try this again, if we refresh
0:22:45 then log in as proxy
0:22:48 password cisco, and before actually logging in let's do this, let's ping router 2 again
0:22:53 we should see right now that the packets are being dropped
0:22:59 so things are timing out, but then when I log in
0:23:02 authentication is successful, if the access list was properly downloaded
0:23:07 we should see here shortly
0:23:14 now the things are successful
0:23:17 specifically if we look at router 1
0:23:19 what we should see is that in the cisco av pair inside the radius debug
0:23:25 that it asks for the service auth-proxy
0:23:30 that the aaa server we can see is responding back here
0:23:33 with saying that
0:23:35 you have privilege level 15, which must be required internally to add the access list entries
0:23:41 but then it's saying these are the acl entries
0:23:45 that should be added, if we now look at the
0:23:49 show access-lists
0:23:53 notice that on the acl inside in
0:23:57 which previously only had the deny ip any any log
0:24:01 line, it's automatically adding these 3 new entries
0:24:06 that are specific to the host that did the authentication
0:24:12 but again the key about this is that based on how you authenticate
0:24:16 that is going to control the individual acl that you can use
0:24:22 we can have different groups with different per user access lists or we can have different users with different per user access lists
0:24:29 so it's more scalable than the lock and key dynamic access list solution
0:24:35 so if we look at the final configuration on router 1
0:24:38 there is really not that much we need to do
0:24:41 that's related to the router, the big thing that can be troublesome with this
0:24:46 is to make sure that you know the exact syntax for the radius server and for the tacacs server
0:24:54 so on router 1 let's say show run include
0:24:58 aaa or radius
0:25:01 or auth
0:25:05 and let's say section, section or access list
0:25:12 or interface, that should be everything
0:25:16 so we have aaa on
0:25:18 we have the default
0:25:20 login authentication mechanism which is going to radius
0:25:24 this one here, that's protecting so that we don't lock ourselves out with the console or the vty line
0:25:30 auth-proxy authorisation is going to radius
0:25:34 then we have the rule
0:25:36 that says for web traffic look at this access list
0:25:40 that access list, the trigger acl
0:25:45 is saying that for any web traffic we are going to trigger the request
0:25:52 and the request is happening when the packets come
0:25:56 in on this interface
0:26:04 so let's take this same example, now let's change this around so we are using tacacs
0:26:09 really the only thing we change here
0:26:11 is that these 2 groups, the aaa authentication
0:26:14 login default would go to tacacs
0:26:17 and the authorisation auth-proxy would go to tacacs as well
0:26:22 and again this is assuming that the acs server is already staged
0:26:25 so that router 1 is a radius client and that it is a tacacs client
0:26:31 so that was pretty much configured from our exercises before
0:26:33 but you would have to make sure that's the case
0:26:37 so let's change these two now to tacacs
0:26:43 and if we do show run include aaa
0:26:47 we see now they are using tacacs instead of radius
0:26:50 so let's specify the tacacs server address
0:26:53 is 10.0.0.100
0:26:55 the key is cisco
0:26:58 then we are going to debug tacacs
0:27:02 authorisation and debug tacacs authentication
0:27:10 now this is a little bit different than the radius configuration
0:27:14 on the aaa server the key here is that we need to go to the interface configuration
0:27:19 under tacacs
0:27:21 we need to define a new custom service
0:27:26 now there are two ways to define a service, we can either do it on the user basis or define it on the group basis
0:27:33 depends on exactly where we want the
0:27:36 per user access list to be configured
0:27:40 so in this case I will use both of them, let's say for the user and group the service is going to be
0:27:46 auth-proxy
0:27:52 so now if we were to go to an individual user
0:27:56 let's say that tacacs proxy is the username
0:28:02 we should now see a custom field here
0:28:07 under tacacs
0:28:09 that is for that specific service, so auth-proxy
0:28:16 after enabling this, now we need to know what the custom attributes are
0:28:20 So it's going to be similar to
0:28:22 what we saw before with the RADIUS
0:28:26 except we don't have the prefix of it, auth-proxy:
0:28:32 so we essentially could take the same
0:28:35 ACL configuration that we had before
0:28:39 and just remove this first portion, which says auth-proxy:
0:28:53 So these are the custom attributes
0:28:59 can't set a blank password for the user unless they are in the voice
0:29:01 group, or a password here
0:29:06 So the password is cisco
0:29:10 So this is username tacacs proxy
0:29:14 password cisco, if we now go back to the test pc
0:29:19 we see right now that the pings are going through
0:29:23 what I am going to do is go to router1
0:29:25 if we look at the show ip auth-proxy cache
0:29:31 we see that, that particular client
0:29:33 has an authentication session
0:29:37 and the idle timeout is 60, it must be 60 minutes
0:29:42 and the time remaining 60 minutes
0:29:44 we could again, we could change these particular
0:29:47 timers, so that it times out sooner
0:29:50 but if I want to manually clear this, I can just say clear ip auth-proxy cache
0:29:55 then * for all users
0:29:58 the result of this is now when we show access-list
0:30:01 we should see that those
0:30:04 proxy ACL entries are now deleted
0:30:06 which means that the test pc is going to start to drop its packets
0:30:10 properly, pings
0:30:18 so, now these are being denied from router1, inside in
0:30:23 access list
0:30:27 So next let's authenticate again, let's open up the
0:30:30 web session, and technically the address you use here
0:30:33 it doesn't even really matter what it is
0:30:36 as long as it is something that transits through router1's interface
0:30:41 So I could do the web browsing here to go to
0:30:44 let's say 10.0.6.99
0:30:49 some address that isn't necessarily allocated
0:30:52 but as long as the
0:30:53 traffic transits through router1's interface
0:30:57 let's say 10.0.6.99
0:31:00 as long as it is port 80 that is transiting through the interface
0:31:03 then it's going to generate this login box
0:31:07 So if you would actually do this for your users, end users
0:31:10 what you would probably do is take some dummy address
0:31:13 and then just create a shortcut on the desktop
0:31:16 that says something like click here to log in
0:31:19 before you do the web browsing, or technically any destination they would browse to
0:31:24 on the internet would automatically generate the login box for them
0:31:30 So now let's login as
0:31:32 tacacs proxy was the user, password is cisco
0:31:41 authentication is successful
0:31:45 we could see now the pings are going through
0:31:46 So if we look at router1
0:31:49 it should basically be the
0:31:54 same result, that when we look at the show access-list
0:32:00 those dynamic entries have now been downloaded
0:32:04 and if we look at the show ip auth-proxy cache
0:32:09 we see this particular client has authenticated
0:32:16 and the debugging is on, let's see if logging is on
0:32:21 logging is on, we may need to say debug AAA authentication
0:32:27 as opposed to debug TACACS, So let's try this again, let's say
0:32:31 clear ip auth-proxy cache *
0:32:42 user is tacacs proxy
0:32:51 So we could see router1 is requesting the service=auth-proxy
0:32:55 then you can actually see the payload of the packet like you can in RADIUS
0:32:59 but we know the access list is downloading
0:33:01 because if we look at the show access-list
0:33:08 So access list, we can see that the entries are included there