When a user initiates an HTTP session through the firewall, the authentication proxy is triggered. The authentication proxy first checks to see if the user has been authenticated. If a valid authentication entry exists for the user, the connection is completed with no further intervention by the authentication proxy. If no entry exists, the authentication proxy responds to the HTTP connection request by prompting the user for a username and password.
The figure below illustrates the authentication proxy HTML login page.
Figure 1. Authentication Proxy Login Page
Users must successfully authenticate themselves with the authentication server by entering a valid username and password.
If the authentication succeeds, the user’s authorization profile is retrieved from the AAA server. The authentication proxy uses the information in this profile to create dynamic access control entries (ACEs) and add them to the inbound (input) access control list (ACL) of an input interface and to the outbound (output) ACL of an output interface, if an output ACL exists at the interface. This process enables the firewall to allow authenticated users access to the network as permitted by the authorization profile. For example, a user can initiate a Telnet connection through the firewall if Telnet is permitted in the user’s profile.
If the authentication fails, the authentication proxy reports the failure to the user and prompts the user with multiple login retries. If the user fails to authenticate after five attempts, the user must wait two minutes and initiate another HTTP session to trigger authentication proxy.
Note |
The number of login retries is configurable. The default number of retries is five.
|
The login page is refreshed each time the user makes requests to access information from a web server.
The authentication proxy customizes each of the access list entries in the user profile by replacing the source IP addresses in the downloaded access list with the source IP address of the authenticated host.
At the same time that dynamic ACEs are added to the interface configuration, the authentication proxy sends a message to the user confirming that the login was successful. The figure below illustrates the login status in the HTML page.
Figure 2. Authentication Proxy Login Status Message
The authentication proxy sets up an inactivity (idle) timer for each user profile. As long as there is activity through the firewall, new traffic initiated from the user’s host does not trigger the authentication proxy, and authorized user traffic is permitted access through the firewall.
If the idle timer expires, the authentication proxy removes the user’s profile information and dynamic access lists entries. When this happens, traffic from the client host is blocked. The user must initiate another HTTP connection to trigger the authentication proxy.