-
Cisco IOS Security Configuration Guide: Securing User Services, Release 12.2SR
-
Securing User Services Overview
-
Autosecure
- Authentication, Authorization, and Accounting (AAA)
- Security Server Protocols
- RADIUS and TACACS+ Attributes
- Secure Shell (SSH)
-
Cisco IOS Login Enhancements (Login Block)
-
Cisco IOS Resilient Configuration
-
Image Verification
-
IP Source Tracker
-
Role-Based CLI Access
-
Table Of Contents
Transparent Bridging Support for Authentication Proxy
Restrictions for Transparent Bridging Support for Authentication Proxy
Information About Transparent Bridging Support for Authentication Proxy
How to Configure Transparent Authentication Proxy
Configuration Examples for Transparent Authentication Proxy
Authentication Proxy in Transparent Bridge Mode: Example
Authentication Proxy in Concurrent Route Bridge Mode: Example
Authentication Proxy in Integrated Route Bridge Mode: Example
Feature Information for Transparent Authentication Proxy
Transparent Bridging Support for Authentication Proxy
First Published: June 29, 2007Last Updated: October 9, 2009The Transparent Bridging Support for Authentication Proxy feature allows network administrators to configure transparent authentication proxy on existing networks without having to reconfigure the statically defined IP addresses of their network-connected devices. The result is that security policies are dynamically authenticated and authorized on a per user basis, which eliminates the tedious and costly overhead required to renumber devices on the trusted network.
Authentication proxy rules on bridged interfaces can coexist with router interfaces on the same device, whenever applicable, which allows administrators to deploy different authentication proxy rules on bridged and routed domains.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Transparent Authentication Proxy" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•
Restrictions for Transparent Bridging Support for Authentication Proxy
•
•
•
•
Restrictions for Transparent Bridging Support for Authentication Proxy
Authentication Proxy is not supported on vLAN trunk interfaces that are configured in a bridge group.
Information About Transparent Bridging Support for Authentication Proxy
Authentication proxy provides dynamic, per-user authentication and authorization of network access connections to enforce security policies. Typically, authentication proxy is a Layer 3 functionality that is configured on routed interfaces with different networks and IP subnets on each interface.
Integrating authentication proxy with transparent bridging enables network administrators to deploy authentication proxy on an existing network without impacting the existing network configuration and IP address assignments of the hosts on the network.
Transparent Bridging Overview
If configured for bridging, a Cisco IOS device can bridge any number of interfaces. The device can complete basic bridging tasks such as learning MAC addresses on ports to restrict collision domains and running Spanning Tree Protocol (STP) to prevent looping in the topology.
Within bridging, a user can configure Integrated Routed Bridging (IRB), which allows a device to bridge on some interfaces while a Layer 3 Bridged Virtual Interface (BVI) is presented for routing. The bridge can determine whether the packet is to be bridged or routed on the basis of the destination of the Layer 2 or Layer 3 IP address in the packet. Configured with an IP address, the BVI can manage the device even if no interface is configured for routing.
How to Configure Transparent Authentication Proxy
To configure authentication proxy on bridged interfaces, you must configure the interface in a bridge group and apply an authentication proxy rule on the interface. You must also set up and configure the authentication, authorization, and accounting (AAA) server (Cisco ACS) for authentication proxy. For examples on how to configure authentication proxy on a bridged interface, see the section, "Configuration Examples for Transparent Authentication Proxy" section.
Configuration Examples for Transparent Authentication Proxy
This section contains the following configuration examples, which show how to configure authentication proxy on a bridged interface:
•
•
•
Authentication Proxy in Transparent Bridge Mode: Example
The following example (see Figure 1) shows how to configure authentication proxy in a transparent bridged environment in which network users (that is, hosts on the bridged interface FastEthernet 5/0) are challenged for user credentials before being given access to protected resources.
Figure 1 Authentication Proxy in Transparent Bridging Mode: Sample Topology
aaa new-model!aaa authentication login default group radiusaaa authorization auth-proxy default group radiusaaa accounting auth-proxy default start-stop group radius!no ip routing!!no ip cef!ip auth-proxy name AuthRule http inactivity-time 60!interface FastEthernet5/0ip address 10.0.0.2 255.255.255.0ip auth-proxy AuthRuleip access-group 100 inno ip route-cacheduplex autospeed autobridge-group 1!interface FastEthernet5/1no ip addressno ip route-cacheduplex autospeed autobridge-group 1!ip http serverip http secure-server!radius-server host 10.0.0.5 auth-port 1645 acct-port 1646radius-server key cisco!bridge 1 protocol ieee!Router# show ip auth-proxy cacheAuthentication Proxy CacheClient Name AuthRule, Client IP 10.0.0.1, Port 1100,timeout 60, Time Remaining 60, state ESTABAuthentication Proxy in Concurrent Route Bridge Mode: Example
Concurrent routing and bridging configuration mode allows routing and bridging to occur in the same router; however, the given protocol is not switched between the two domains. Instead, routed traffic is confined to the routed interfaces and bridged traffic is confined to the bridged interfaces.
The following example (see Figure 2) shows how to configure authentication proxy in a concurrent routing and bridging environment in which network users (that is, hosts on the bridged interface FastEthernet 5/0) are challenged for user credentials before being given access to protected resources.
Figure 2 Authentication Proxy in Concurrent Route Bridge Mode: Sample Topology
aaa new-model!aaa authentication login default group radiusaaa authorization auth-proxy default group radiusaaa accounting auth-proxy default start-stop group radiusb!ip cef!bridge crb!ip auth-proxy name AuthRule http inactivity-time 60!interface FastEthernet5/0ip address 10.0.0.2 255.255.255.0ip auth-proxy AuthRuleip access-group 100 inno ip route-cacheduplex autospeed autobridge-group 1!interface FastEthernet5/1no ip addressno ip route-cacheduplex autospeed autobridge-group 1!ip http serverip http secure-server!radius-server host 10.0.0.5 auth-port 1645 acct-port 1646radius-server key cisco!bridge 1 protocol ieee!Router# show ip auth-proxy cacheAuthentication Proxy CacheClient Name AuthRule, Client IP 10.0.0.1, Port 1145,timeout 60, Time Remaining 60, state ESTABAuthentication Proxy in Integrated Route Bridge Mode: Example
In an integrated routing and bridging environment, a bridged network is interconnected with a router network. Both routing and bridging can occur in the same router with connectivity between routed and bridged domains.
The following example (see Figure 3) shows how to configure authentication proxy in an integrated routing and bridging environment in which network users (that is, hosts on the bridged interface FastEthernet 5/0) are challenged for user credentials before being given access to protected resources.
Figure 3 Authentication Proxy in Integrated Route Bridge Mode: Sample Topology
!aaa new-model!aaa authentication login default group radiusaaa authorization auth-proxy default group radiusaaa accounting auth-proxy default start-stop group radius!ip cef!ip auth-proxy name AuthRule http inactivity-time 60!bridge irb!interface FastEthernet3/0no ip addressduplex halfbridge-group 1!interface FastEthernet5/0no ip addressip auth-proxy AuthRuleip access-group 100 induplex autospeed autobridge-group 1!interface FastEthernet5/1no ip addressduplex autospeed autobridge-group 1!interface BVI1ip address 10.0.0.25 255.255.255.0!!ip route 11.0.0.0 255.255.255.0 10.0.0.7!ip http serverip http secure-server!radius-server host 11.0.0.5 auth-port 1645 acct-port 1646radius-server key cisco!bridge 1 protocol ieeebridge 1 route ip!Router# show ip auth-proxy cacheAuthentication Proxy CacheClient Name AuthRule, Client IP 10.0.0.1, Port 1100,timeout 60, Time Remaining 60, state ESTABAdditional References
The following sections provide references related to the Transparent Bridging Support for Authentication Proxy feature.
Related Documents
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Feature Information for Transparent Authentication Proxy
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007-2009 Cisco Systems, Inc. All rights reserved.
