CCIE Security – Authentication Proxy

Authentication Proxy lets an IOS device authenticate users when they try to open a web site through it: the HTTP request is intercepted and the user is presented with a login page.
After authentication, Cisco Secure ACS or a RADIUS/TACACS+ server can authorize the user and assign an access-list that permits the user's traffic outward, so the user can reach the Internet once authenticated. Auth-proxy also supports accounting for auditing and billing purposes.
Configuration Example:
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+ 
aaa accounting auth-proxy default start-stop group tacacs+
!
aaa session-id common
!
ip tacacs source-interface Loopback0
!
tacacs-server host 169.254.0.3 key CISCO
!
ip auth-proxy auth-proxy-banner http ^C
Welcome to X-Network
          
Please Login
^C
ip auth-proxy name AUTHPROXY http inactivity-time 60 list AUTHTRIGGER
ip admission auth-proxy-banner http ^C
Successful Login Thanks ^C
!
!
!
interface Loopback0
 ip address 150.1.1.1 255.255.255.255
!
interface Ethernet0/0
 ip address 169.254.0.2 255.255.0.0
 ip auth-proxy AUTHPROXY
!
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group AUTHACL out
!
ip http server
ip http authentication aaa
!
!
!
ip access-list extended AUTHACL
 deny   ip any host 10.0.0.2
 permit ip any any
ip access-list extended AUTHTRIGGER
 permit tcp any any eq www 443
!
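Auth-proxy only works when several separately configured pieces reference each other: the AAA method lists, the HTTP server with AAA authentication, the auth-proxy rule and its trigger ACL, and the interface the rule is applied to. The following Python script is an added example (not from the original post) that parses a running-config excerpt and checks those cross-references; the embedded configuration is the post's own (banner lines omitted), while the set of checks and the function names are this example's assumptions, not an IOS feature.

```python
"""Consistency checks for an IOS Authentication Proxy configuration (added example)."""
import re

# Constructed sample: the configuration from the post, without the banners.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 169.254.0.3 key CISCO
ip auth-proxy name AUTHPROXY http inactivity-time 60 list AUTHTRIGGER
interface Loopback0
 ip address 150.1.1.1 255.255.255.255
interface Ethernet0/0
 ip address 169.254.0.2 255.255.0.0
 ip auth-proxy AUTHPROXY
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group AUTHACL out
ip http server
ip http authentication aaa
ip access-list extended AUTHACL
 deny   ip any host 10.0.0.2
 permit ip any any
ip access-list extended AUTHTRIGGER
 permit tcp any any eq www 443
"""


def parse_sections(text):
    """Return (global_lines, {parent_line: [child_lines]}).

    IOS nests children under a parent with a single leading space, so an
    indented line belongs to the most recent non-indented line.
    """
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            globals_.append(current)
    return globals_, sections


def check_auth_proxy(text):
    """Return {'errors': [...], 'warnings': [...]} for an auth-proxy config."""
    globals_, sections = parse_sections(text)
    errors, warnings = [], []

    def has(prefix):
        return any(line.startswith(prefix) for line in globals_)

    # AAA plumbing: the login list authenticates the user, the auth-proxy
    # authorization method fetches the per-user ACL, and the HTTP server
    # (with AAA authentication) serves the login page.
    for needed in ("aaa new-model", "aaa authentication login",
                   "aaa authorization auth-proxy", "ip http server",
                   "ip http authentication aaa"):
        if not has(needed):
            errors.append(f"missing global command: {needed}")
    if not has("aaa accounting auth-proxy"):
        warnings.append("no auth-proxy accounting: sessions will not be audited")
    if not (has("tacacs-server host") or has("radius-server host")):
        errors.append("no TACACS+/RADIUS server configured")
    if has("tacacs-server host") and not has("service password-encryption"):
        warnings.append("tacacs-server key is stored in clear text")

    # Auth-proxy rules: rule name -> trigger ACL named by the 'list' keyword.
    rules = {}
    for line in globals_:
        m = re.match(r"ip auth-proxy name (\S+) http(?:.*\blist (\S+))?", line)
        if m:
            rules[m.group(1)] = m.group(2)

    acls = {m.group(1) for m in
            (re.match(r"ip access-list (?:extended|standard) (\S+)", l)
             for l in globals_) if m}
    for name, trigger in rules.items():
        if trigger and trigger not in acls:
            errors.append(f"rule {name}: trigger ACL {trigger} is not defined")

    # Interfaces: each applied rule and access-group must exist.
    applied = 0
    for parent, children in sections.items():
        if not parent.startswith("interface "):
            continue
        for child in children:
            m = re.match(r"ip auth-proxy (\S+)$", child)
            if m:
                applied += 1
                if m.group(1) not in rules:
                    errors.append(f"{parent}: auth-proxy rule {m.group(1)} is not defined")
            m = re.match(r"ip access-group (\S+) (in|out)$", child)
            if m and m.group(1) not in acls:
                errors.append(f"{parent}: access-list {m.group(1)} is not defined")
    if rules and applied == 0:
        warnings.append("auth-proxy rule defined but not applied to any interface")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for kind, items in check_auth_proxy(SAMPLE_CONFIG).items():
        for item in items:
            print(f"{kind}: {item}")
```

Running it against the post's configuration reports no errors and one warning, because the TACACS+ key is kept in clear text without `service password-encryption`. Renaming the trigger ACL or the rule on the interface makes the corresponding cross-reference error appear, which is the kind of mistake that leaves the proxy silently never triggering.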
Configuration on ACS:

