Well, it all depends on whether you want to use it or not. With the configuration below it will authenticate all traffic in on the interface. If you only wanted to authenticate SSH, telnet, and Web traffic through the box you could do:

ip access-list extended AUTH_LIST
 permit tcp any any eq 80 443
ip admission name AUTH_PROXY_CONSENT consent list AUTH_LIST param-map AUTH_PROXY_CONSENT

I also left the following out earlier:

aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
!
ip http server
ip http secure-server
tacacs-server host 10.1.1.100 key ipexpert

And then your Attributes in TACACS: under Interface Configuration add a new service "auth-proxy", and under the user or group:

priv-lvl=15
proxyacl#1=permit ip any any

Or whatever you do, of course.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: Mack, David A (Dave) [mailto:[email protected]]
Sent: Wednesday, July 07, 2010 11:02 PM
To: Tyson Scott; [email protected]
Subject: RE: [OSL | CCIE_Security] Auth-Proxy Consent

Tyson,

Thanks for the response! I do have the VoD for v3 Security Lab. I will look through it. Your example seems to be missing the INTERCEPT access-list. Can you provide that?

Thanks!

Dave
______________________________________________________________
David A. Mack (703) 391-7787 (W)
CCIE #6963 (SP and R&S)
JNCIE-M #399
CISSP (703) 431-7617 (C)
email: [email protected]
______________________________________________________________
"We are now the knights who say... Ping!"
-----Original Message-----
From: Tyson Scott [mailto:[email protected]]
Sent: Wednesday, July 07, 2010 9:49 PM
To: Mack, David A (Dave); [email protected]
Subject: RE: [OSL | CCIE_Security] Auth-Proxy Consent

David,

I forget... do you have the video on demand? I know the example on there is pretty good. The configuration for it is in the slide-set for the VoD. I don't think I have ever seen a good example of it; I had to play around with it for a while before I was able to figure it out. Here is an example:

ip access-list extended PRE_ACL
 deny tcp any any
 permit ip any any
!
parameter-map type consent AUTH_PROXY_CONSENT
 logging enabled
!
ip admission name AUTH_PROXY_CONSENT consent param-map AUTH_PROXY_CONSENT list INTERCEPT
ip admission consent-banner text % Welcome to IPexpert. You Must accept the Terms of this agreement %
!
interface FastEthernet0/0
 ip admission AUTH_PROXY_CONSENT
 ip access-group PRE_ACL in

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Mack, David A (Dave)
Sent: Wednesday, July 07, 2010 7:04 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Auth-Proxy Consent

Hello!

I tried reading the Configuration Guide on this feature and the documentation is really hard to follow. Does anyone have any good references or basic examples?
For example, what is the minimal config?

Thanks!

Dave
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
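The pieces from the two replies above, assembled into one consent-only configuration as an added example (this is not a config from the thread itself): the intercept list decides which flows trigger the consent page, the interface ACL decides what passes before consent, and the parameter-map's logging records each accept so the event is attributable. The interface name, the INTERCEPT ACL contents (modelled on AUTH_LIST, web traffic only) and the banner wording are assumptions.

```cisco
! Added example assembled from the replies above; not the thread's own configuration.
! Assumed: FastEthernet0/0 faces the users; INTERCEPT and the banner text are made up.
!
! 1. Which traffic triggers the consent page: only TCP/80 and TCP/443 (as in AUTH_LIST).
ip access-list extended INTERCEPT
 permit tcp any any eq 80
 permit tcp any any eq 443
!
! 2. Interface ACL applied before consent: TCP is held back, other IP traffic passes.
ip access-list extended PRE_ACL
 deny   tcp any any
 permit ip any any
!
! 3. Consent parameter-map: log each accept/decline so the action is attributable.
parameter-map type consent AUTH_PROXY_CONSENT
 logging enabled
!
! 4. Bind the intercept list and the parameter-map into one admission rule; set the banner.
ip admission name AUTH_PROXY_CONSENT consent list INTERCEPT parameter-map AUTH_PROXY_CONSENT
ip admission consent-banner text % Acceptable-use terms go here (placeholder banner text) %
!
! 5. The consent page is served by the router's own HTTP server.
ip http server
ip http secure-server
!
! 6. Apply both the admission rule and the pre-consent ACL inbound on the user side.
interface FastEthernet0/0
 ip admission AUTH_PROXY_CONSENT
 ip access-group PRE_ACL in
!
! Verification from exec mode: hosts that have accepted, and the dynamic ACL entries
! the feature adds on their behalf.
! show ip admission cache
! show ip access-lists PRE_ACL
```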
