Hi Folks,

Here are a couple of things I could observe for auth proxy on IOS and ASA, using RADIUS and TACACS+.
I'm sharing it mostly to check if I missed something and because some might be interested. That's far from being exhaustive.

ASA:

- Best to use RADIUS as it supports dACL.
- dACL (proxyacl#) with TACACS+ is not possible; however, setting the attribute Access-List in the ACS shell profile and referring to a local access list works for me.
- Cut-through proxy requests are seen as command authorization for the command "http" with the destination IP address as argument, which makes it challenging to match those requests in ACS authorization.

IOS:

- Since 15(1) we are supposed to be able to specify an auth list and get rid of this bad "aaa authentication login default":
  http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-i1.html#wp1883376729
  However, it doesn't seem to work for me on 15.2(3). If you set up authorization, it removes the previous one (whether the names are the same or not)...

    R1(config)#ip admission name PROXY method-list authorization TACAUTH
    R1(config)#ip admission name PROXY method-list authentication TACAUTH
    R1(config)#do sh run | i PROXY
    ip admission name PROXY proxy http
    ip admission name PROXY method-list authentication TACAUTH
    R1(config)#ip admission name PROXY method-list authorization TACAUTH
    R1(config)#do sh run | i PROXY
    ip admission name PROXY proxy http
    ip admission name PROXY method-list authorization TACAUTH

- dACL are now supported with RADIUS. I could make dynamic authorization work without using that proxyacl# stuff. Not really sure what the minimum version is, though.
- IOS uses service-argument auth-proxy, so we can make a compound condition in ACS to match AuthProxy authorization requests very specifically.
- TACACS+ shell profiles with proxyacl# are honoured by the router.

Cheers,
Bastien
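For readers who want to reproduce the TACACS+ case Bastien describes as working (the router honouring proxyacl# entries from an ACS shell profile), the following is an added example configuration and is not part of the original post. It uses the classic default-list style of auth-proxy configuration rather than the per-admission-name method lists the post reports as misbehaving on 15.2(3). The hostnames, IP addresses (192.0.2.10 for ACS, 10.10.10.0/24 inside), interface, ACL and profile names, and the shared key are all assumptions chosen for the example.

```text
! --- IOS router side (assumed names and addresses) ---
aaa new-model
!
! Classic auth-proxy configuration: authentication and the auth-proxy
! authorization both go to the default lists, which is what the post
! says still has to be used on 15.2(3).
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
!
tacacs server ACS
 address ipv4 192.0.2.10
 key ACSKEY
!
! The HTTP auth proxy rides on the router's HTTP server, so the server
! must be enabled and must authenticate via AAA. Restricting who may
! reach it is left to the interface ACL below.
ip http server
ip http authentication aaa
!
! Admission rule: intercept HTTP from unauthenticated hosts.
ip admission name PROXY proxy http
!
! Inside-facing ACL: only DNS is allowed before authentication.
! After a successful TACACS+ authorization the router inserts the
! proxyacl# entries from the shell profile, with "any" as source
! replaced by the authenticated host's address, ahead of these lines.
ip access-list extended INSIDE-IN
 permit udp 10.10.10.0 0.0.0.255 any eq domain
 deny   ip any any
!
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip access-group INSIDE-IN in
 ip admission PROXY

! --- ACS side: custom attributes in the TACACS+ shell profile
!     returned to this router for the auth-proxy service ---
! priv-lvl=15
! proxyacl#1=permit tcp any any eq 80
! proxyacl#2=permit tcp any any eq 443
```

Two points worth checking when building the ACS policy: the authorization request arrives with the TACACS+ service set to auth-proxy (which is the value the post suggests matching on in a compound condition), and the proxyacl# entries must be written with "any" as the source, since the router substitutes the client's address itself. On the ASA, as the post notes, these proxyacl# attributes are not honoured; there the shell profile has to reference a locally configured access list by name instead.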