If you're looking to contain expenses by consolidating your network infrastructure or you want to extend the functionality of your network at minimum cost, your Cisco routers can help. In a previous article, we explained how to use the Cisco IOS to build a poor man's firewall. You can also run site-to-site VPNs with the Cisco IOS. Now, you can even use the Cisco IOS to run an HTTP proxy server.
Cisco's IOS proxy server
Many organizations use proxy servers to improve performance (through caching Web pages and graphics), to filter requests to certain sites, to make sure that only certain users can get to the Internet, or as a way of accounting for Web use (logging sites that users visit). Most proxy servers can perform all of these tasks. One of the popular examples would be Microsoft ISA Server, the new replacement for Microsoft Proxy Server 2.0.
Cisco Systems recently added the ability for its IOS to run a proxy server. This feature is now built into the IOS and is dubbed “IOS HTTP Authentication Proxy” or “HTTP auth-proxy.” The feature is available in the 12.0.5.T Firewall releases (and above) of the IOS software. The HTTP auth-proxy is an interesting idea, but it does have certain limitations that may affect its suitability for your network.
How the IOS proxy server works
The IOS HTTP auth-proxy feature performs the typical tasks a proxy server is expected to do:
- Caching
- Authentication/authorization
- Accounting
- Filtering
An additional feature, which isn’t typically expected in a proxy server, is that auth-proxy is designed so that it works with a RADIUS or a TACACS+ authentication/authorization/accounting (AAA) server to download your profile and allow you access only to the networks, sites, protocols, or ports listed in that profile. In the case of the Cisco IOS proxy server, this list is really a Cisco IOS access list.
IOS access lists are designed to be very granular. Typically, “very granular” translates into “hard to configure,” and that is the case here. If you're already familiar with access lists, this won’t be a problem for you. If not, I'd suggest that you read a couple of good articles on the subject, such as "Understanding the basics of Cisco IP access control lists" and "Get secure with Cisco extended IP access control lists."
The access list created for the user while he or she uses the proxy server is dynamic and stays in place on the router only while the user continues to utilize the opened connections. If the user stops using the proxy server, the access list will be removed after the “auth-cache-time” parameter expires on the router.
Another important stipulation is that auth-proxy works with only a limited number of RADIUS and TACACS+ servers:
- CiscoSecure Access Control Server (ACS)
- Ascend RADIUS server
- Livingston RADIUS server
The limitation exists because the server isn’t just authorizing the username and password to allow or prevent access to a Web request—it's actually providing the router with the IOS access list that is applied for the given username. That means that each user could have an access list of servers, ports, and/or protocols that he or she is allowed to access. If you want to evaluate an AAA server or use one for testing purposes, Cisco offers a free 90-day trial version of its Cisco Secure ACS server for Windows and UNIX. (This link requires a Cisco CCO login.)
Also, it's important to note that the connection out of the firewall is created first by the end-user workstation making an HTTP request. After that, other ports can be opened based on the profile stored on the AAA server. Thus, since the initial request must be made by a Web browser, this solution is not a complete one-to-one substitute for the typical Microsoft ISA Server (or Proxy Server 2.0) solution, where you run a proxy/firewall client and can go through the proxy server to make the initial request with any application that needs to access the Internet. In other words, the Cisco HTTP proxy is primarily just that—a proxy server for handling Web requests.
As a result, Cisco’s authentication proxy is probably not for the small office or for someone who is looking for a quick and easy proxy server, and it isn’t the ideal replacement for Microsoft ISA or Proxy Server. The IOS authentication proxy fulfills a certain niche: managing and controlling Web browsing with security and precision. Of course, if you don't want multiple other applications (running multiple protocols) on your client machines accessing the Internet, this is an excellent solution.
While authentication proxy is compatible with Cisco’s IOS Firewall, network address translation (NAT), content based access control (CBAC), and VPN features, the more of these features you combine on one router, the more complex the configuration and troubleshooting become. So for the purposes of this article, we’ll stick to a basic configuration as an example. I’ll base my Cisco IOS proxy server example on Cisco’s article "Authentication Proxy Authentication Outbound – no CBAC or NAT configuration."
Configuring the IOS proxy server
First, you’ll need a Cisco router in place with Firewall IOS version 12.0.5.T or later (preferably a later version, since the IOS is now up to 12.2). You’ll also need one of the RADIUS or TACACS+ servers mentioned earlier running on your network. The router will be the HTTP proxy connection to the external network (be it the Internet or just a Web server that you want to protect with authentication). The AAA server will be the point that provides authentication (by your username and password) and authorization of what you will be allowed to access once you are authenticated (the access list that the server hands to the router).
Next, you can configure your router with the proper commands, shown in Listing A.
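Listing A is not reproduced on this page. The following is an added example, not the article's listing or Cisco's own text: a minimal outbound auth-proxy configuration in the style of Cisco's "no CBAC or NAT" document, with a constructed addressing plan (inside LAN 10.1.1.0/24, router 10.1.1.1, TACACS+ server 10.1.1.5, outside 192.0.2.1), a constructed shared secret and user name, and the matching per-user TACACS+ profile whose proxyacl entries become the dynamic access list described above.

```cisco
! Constructed example addresses and secret; replace them with your own.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
tacacs-server host 10.1.1.5
tacacs-server key EXAMPLE-SHARED-SECRET
!
! The router's own HTTP server, authenticated through AAA, is what answers
! the intercepted browser request with the login page.
ip http server
ip http authentication aaa
!
! A user's dynamic entries are removed 15 minutes after the last use.
ip auth-proxy auth-cache-time 15
ip auth-proxy name WEBPROXY http
!
interface Ethernet0
 description Inside LAN (user workstations)
 ip address 10.1.1.1 255.255.255.0
 ip access-group 110 in
 ip auth-proxy WEBPROXY
!
interface Ethernet1
 description Outside
 ip address 192.0.2.1 255.255.255.0
!
! Inbound ACL on the inside interface: permit only the TACACS+ replies from
! the AAA server to the router and deny everything else. After a successful
! login, the proxyacl entries from the user's profile are inserted into this
! list for that user's source address, so traffic the profile does not name
! stays blocked.
access-list 110 permit tcp host 10.1.1.5 eq tacacs host 10.1.1.1
access-list 110 deny ip any any
!
! Matching TACACS+ profile on the AAA server, shown here in freeware tac_plus
! syntax as an illustration (on CiscoSecure ACS the same auth-proxy service
! attributes are entered per user or group). priv-lvl 15 is required by the
! auth-proxy service; each proxyacl#n line is one IOS access-list entry.
!   user = alice {
!     login = cleartext "EXAMPLE-PASSWORD"
!     service = auth-proxy {
!       priv-lvl = 15
!       proxyacl#1 = "permit tcp any any eq www"
!       proxyacl#2 = "permit tcp any any eq 443"
!     }
!   }
```

After alice logs in, "show ip access-lists" should show her two proxyacl entries at the top of list 110, rewritten with her workstation's address as the source, and "show ip auth-proxy cache" should list her entry until the cache time expires.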
Finally, you need to be ready to troubleshoot your configuration because, based on my experience, I wouldn’t expect this to work the first time it is configured. You’ll need to look at the log on your RADIUS or TACACS+ server to see the successful and failed authentications. You can use the IOS debug commands to see what the router is doing:
debug aaa authentication
debug aaa authorization
debug ip auth-proxy object-creation
debug ip http authorization
debug ip packet detail [don't perform this on a production router]
And of course, you have the IOS show commands, which can also aid your troubleshooting efforts:
show ip access-lists
show ip auth-proxy cache
show ip auth-proxy configuration
HTTP authentication proxy is another of the many fascinating features of the Cisco IOS. In its current state, I don’t foresee it becoming the standard office proxy server, but it's a good tool for administrators to add to their collection of possible solutions. If you want to restrict Internet access to Web browsing, this solution could be a money-saver, allowing you to circumvent the purchase of a separate proxy server or appliance. It also provides strong authentication and auditing features that could be a nice asset for your network security.
Links and references
Cisco: Implementing Authentication Proxy
Cisco: Troubleshooting Authentication Proxy
Cisco: Authentication Proxy Authentication Outbound – No CBAC or NAT Configuration
Cisco: Authentication Proxy Accounting for HTTP
Cisco: RADIUS Support Page
Cisco: TACACS+ Support Page
Cisco: Configuring Authentication Proxy
Cisco: Authentication Proxy Commands
Cisco: Cisco Secure Access Control Server
Cisco: Cisco Secure Access Control Server Download Page