Consent Feature for Cisco IOS Routers

Authentication proxy is an ingress authentication feature that grants access to an end user (out an interface) only if the user submits valid username and password credentials for an ingress traffic that is destined for HTTP, Telnet, or FTP protocols. After the submitted authentication credentials have been checked against the credentials that are configured on an Authentication, Authorization, Accounting (AAA) server, access is granted to the requester (source IP address).

When an end user posts an HTTP(S), FTP, or Telnet request on a router's authentication-proxy-enabled ingress interface, the Network Authenticating Device (NAD) verifies whether or not the same host has already been authenticated. If a session is already present, the ingress request is not authenticated again, and it is subjected to the dynamic (Auth-Proxy) ACEs and the ingress interface ACEs. If an entry is not present, the authentication proxy responds to the ingress connection request by prompting the user for a valid username and password. When authenticated, the Network Access Profiles (NAPs) that are to be applied are either downloaded from the AAA server or taken from the locally configured profiles.

The HTTP authentication proxy webpage has been extended to support radio buttons--"Accept" and "Don't Accept"--for the consent webpage feature. The consent webpage radio buttons are followed by the authentication proxy input fields for a username and a password. (See the figure below.)

The following consent scenarios are possible:

• If consent is declined (that is, the "Don't Accept" radio button is selected), the authentication proxy radio buttons are disabled. The ingress client session's access will be governed by the default ingress interface ACL.
• If consent is accepted (that is, the "Accept" radio button is selected), the authentication proxy radio buttons are enabled. If the wrong username and password credentials are entered, HTTP-Auth-Proxy authentication will fail. The ingress client session's access will again be governed only by the default ingress interface ACL.
• If consent is accepted (that is, the "Accept" radio button is selected) and valid username and password credentials are entered, HTTP-Auth-Proxy authentication is successful. Thus, one of the following possibilities can occur:
  • If the ingress client session's access request is HTTP_GET, the destination webpage will open and the ingress client session's access will be governed by the default ingress interface ACL and the dynamic (Auth-Proxy) ACEs.
  • If the ingress client session's access request is HTTPS_GET, a "Security Dialogue Box" will be displayed on the client's browser. If the user selects YES on the Security Dialogue Box window, the destination webpage will open and the ingress client session's access will be governed by the default ingress interface ACL and the dynamic (Auth-Proxy) ACEs. If the user selects NO on the Security Dialogue Box window, the destination page will not open and the user will see the message "Page cannot be displayed." However the ingress client session's access will still be governed by the default ingress interface ACL and the dynamic (Auth-Proxy) ACEs.

Note

When HTTP authentication proxy is configured together with the Consent feature, any HTTP authentication proxy-related configurations or policies will override the Consent Page-related configurations or policies. For example, if the ip admission name admission-name consentcommand is configured, the ip admission consent banner command is ignored, and only the banner that is configured by the ip admission auth-proxy-banner command is shown.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip admission name admission-name consent [[absolute-timer minutes] [event] [inactivity-time minutes] [list {acl | acl-name}] [parameter-map consent-parameter-map-name]]

4.    ip admission consent banner [file file-name | text banner-text]

5.    interface type number

6.    ip admission admission-name

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	ip admission name admission-name consent [[absolute-timer minutes] [event] [inactivity-time minutes] [list {acl | acl-name}] [parameter-map consent-parameter-map-name]] Example: Router(config)# ip admission name consent_rule consent absolute-timer 304 list 103 inactivity-time 204 parameter-map consent_parameter_map	Defines the IP admission rule for authentication proxy consent.
Step 4	ip admission consent banner [file file-name | text banner-text] Example: Router(config)# ip admission consent banner file flash:consent_page.html	(Optional) Displays a banner in the authentication proxy consent webpage.
Step 5	interface type number Example: Router(config)# interface FastEthernet 0/0	Specifies the interface in which the consent IP admission rule will be applied and enters interface configuration mode.
Step 6	ip admission admission-name Example: Router(config-if)# ip admission consent_rule	Applies the IP admission rule created in Step 3 to an interface.

• Troubleshooting Tips
  

Router# debug ip admission consent errors
 
IP Admission Consent Errors debugging is on 
Router# debug ip admission consent events
 
IP Admission Consent Events debugging is on 
Router# debug ip admission consent messages
 
IP Admission Consent Messages debugging is on 
Router# 
Router# show debugging
 
IP Admission Consent: 
IP Admission Consent Errors debugging is on 
IP Admission Consent Events debugging is on 
IP Admission Consent Messages debugging is on 

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    parameter-map type consent parameter-map-name

4.    copy src-file-name dst-file-name

5.    file file-name

6.    authorize accept identity identity-policy-name

7.    timeout file download minutes

8.    logging enabled

9.    exit

10.    show parameter-map type consent [parameter-map-name]

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	parameter-map type consent parameter-map-name Example: Router(config)# parameter-map type consent consent_parameter_map	Defines an authentication proxy consent-specific parameter map and enters parameter-map type consent configuration mode. To use a default policy-map, enter default for the parameter-map-name.
Step 4	copy src-file-name dst-file-name Example: Router(config-profile)# copy tftp://192.168.104.136/consent_page.html flash:consent_page.html	Transfers a file (consent webpage) from an external server to a local file system on your device.
Step 5	file file-name Example: Router(config-profile)# file flash:consent_page.html	(Optional) Specifies a local filename that is to be used as the consent webpage.
Step 6	authorize accept identity identity-policy-name Example: Router(config-profile)# authorize accept identity consent_identity_policy	(Optional) Configures an accept policy. Note    Currently, only an accept policy can be configured.
Step 7	timeout file download minutes Example: Router(config-profile)# timeout file download 35791	(Optional) Specifies how often the consent page file should be downloaded from the external TFTP server.
Step 8	logging enabled Example: Router(config-profile)# logging enabled	(Optional) Enables syslog messages.
Step 9	exit Example: Router(config-profile )# exit Example: Router(config)# exit	Returns to global configuration and privileged EXEC modes.
Step 10	show parameter-map type consent [parameter-map-name] Example: Router# show parameter-map type consent	(Optional) Displays all or a specified configured consent profiles.