Lab Configure Authentication Proxy

Similar documents
Lab Configure Cisco IOS Firewall CBAC

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Firewall Authentication Proxy for FTP and Telnet Sessions

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Lab Configure IOS Firewall IDS

Lab a Configure Remote Access Using Cisco Easy VPN

Lab 2.5.2a Configure SSH

Lab Configure Intrusion Prevention on the PIX Security Appliance

Lab Exercise Configure the PIX Firewall and a Cisco Router

Lab Developing ACLs to Implement Firewall Rule Sets

Lab Configure Remote Access Using Cisco Easy VPN

Connect the Host to attach to Fast Ethernet switch port Fa0/2. Configure the host as shown in the topology diagram above.

CCNA Discovery Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

November 19, 2003 Page 1 of 12

Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI

Lab Configuring LEAP/EAP using Local RADIUS Authentication

Lab Configuring Access Policies and DMZ Settings

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Lab Configuring the PIX Firewall as a DHCP Server

Configure Cisco IOS Firewall to use stateful packet inspection for IPv6. Configure Cisco IOS Firewall to use packet filtering for IPv6.

Lab Diagramming Intranet Traffic Flows

Configuring the PIX Firewall with PDM

Dynamic DNS How-To Guide

Lab Configure Local AAA on Cisco Router

Lab 6.1 Configuring a Cisco IOS Firewall Using SDM

Lab Configure a PIX Firewall VPN

Securing Networks with PIX and ASA

Configuring Devices for Use with Cisco Configuration Professional (CCP) 2.5

Remote Access VPN Business Scenarios

Cisco Configuring Commonly Used IP ACLs

Virtual Fragmentation Reassembly

Outlook Profile Setup Guide Exchange 2010 Quick Start and Detailed Instructions

D-Link DAP-1360 Repeater Mode Configuration

CS 326e F2002 Lab 1. Basic Network Setup & Ethereal Time: 2 hrs

Lab Conducting a Network Capture with Wireshark

Lab Configuring Access Policies and DMZ Settings

Lab Configure Syslog on AP

Lab - Using Wireshark to View Network Traffic

Lab Configuring PAT with SDM and Static NAT using Cisco IOS Commands

Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering

CCNA Access List Sim

Table of Contents. Cisco Using the Cisco IOS Firewall to Allow Java Applets From Known Sites while Denying Others

Using LiveAction with Cisco Secure ACS (TACACS+ Server)

Best Practices: Pass-Through w/bypass (Bridge Mode)

How To Industrial Networking

Lab Creating a Logical Network Diagram

Immotec Systems, Inc. SQL Server 2005 Installation Document

Qvis Security Technical Support Field Manual LX Series

RingCentral Office. Configure Aastra phones with RingCentral

ISE TACACS+ Configuration Guide for Cisco NX-OS Based Network Devices. Secure Access How-to User Series

IOS Zone Based Firewall Step-by-Step Basic Configuration

Spam Marshall SpamWall Step-by-Step Installation Guide for Exchange 5.5

CREATING AN IKE IPSEC TUNNEL BETWEEN AN INTERNET SECURITY ROUTER AND A WINDOWS 2000/XP PC

Lab 8.3.3b Configuring a Remote Router Using SSH

Lab Diagramming External Traffic Flows

User guide. Business

Lab Configure Basic AP Security through IOS CLI

Lab - Observing DNS Resolution

Firewall Stateful Inspection of ICMP

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

Lab - Observing DNS Resolution

Troubleshooting the Firewall Services Module

Lab 8: Confi guring QoS

How to add a SIP server How to register a handset

Firewall Stateful Inspection of ICMP

IIS, FTP Server and Windows

Lab Characterizing Network Applications

Table of Contents. Configuring IP Access Lists

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

DSL-G604T Install Guides

Lab 1: Network Devices and Technologies - Capturing Network Traffic

Configuring PA Firewalls for a Layer 3 Deployment

Remote PC Guide for Standalone PC Implementation

HTTP 1.1 Web Server and Client

Central America Workshop - Guatemala City Guatemala 30 January - 1 February 07. IPv6 Security

If you are unable to set up your Linksys Router by using one of the above options, use the steps below to manually configure your router.

CRESTRON-APP-ANDROID Control App for Android

freesshd SFTP Server on Windows

Skills Assessment Student Training Exam

Lab 5.5 Configuring Logging

Configuring CSS Remote Access Methods

SMC7004ABR Barricade Broadband Router Installation Instructions

Lab Analyzing Network Traffic

SECURE FTP CONFIGURATION SETUP GUIDE

Configuring WCCP v2 with Websense Content Gateway the Web proxy for Web Security Gateway

How To Block On A Network With A Group Control On A Router On A Linux Box On A Pc Or Ip Access Group On A Pnet 2 On A 2G Router On An Ip Access-Group On A Ip Ip-Control On A Net

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

School of Information Science (IS 2935 Introduction to Computer Security, 2003)

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

How To Set Up A Backupassist For An Raspberry Netbook With A Data Host On A Nsync Server On A Usb 2 (Qnap) On A Netbook (Qnet) On An Usb 2 On A Cdnap (

P and FTP Proxy caching Using a Cisco Cache Engine 550 an

RingCentral Office. Configure Grandstream phones with RingCentral. To contact RingCentral, please visit or call

nexvortex Setup Guide

LAB THREE STATIC ROUTING

Basics of Port Forwarding on a Router for Security DVR s

H3C SSL VPN RADIUS Authentication Configuration Example

Firewall VPN Router. Quick Installation Guide M73-APO09-380

How to configure Linksys SPA for VOIP Connections

Integrating with IBM Tivoli TSOM

Transcription:

Lab 6.1.4 Configure Authentication Proxy Objective Scenario Topology In this lab exercise, the students will complete the following tasks: Configure Cisco Secure Access Control Server (CSACS) for Windows 2000. Configure authentication, authorization, and accounting (AAA). Configure an authentication proxy. Test and verify an authentication proxy. A company wants to require users to authenticate internally before accessing external web and ftp resources on the Internet. The security policy has been updated accordingly. As an IT administrator, configure the perimeter router to act as an authentication proxy in order to meet the security policy requirements. This figure illustrates the lab network environment. 1-7 Network Security 1 v2.0 Lab 6.1.4 Copyright 2005, Cisco Systems, Inc.

Preparation Begin with the standard lab topology and verify the starting configuration on the pod routers. Test the connectivity between the pod routers. Access the perimeter router console port using the terminal emulator on the Windows 2000 server. If desired, save the router configuration to a text file for later analysis. Refer back to the Student Lab Orientation if more help is needed. In preparation for this lab, CSACS should be configured with a user in the Default Group with a username of aaauser and aaapass as the password. Tools and resources In order to complete the lab, the following is required: Standard IOS Firewall lab topology Console cable HyperTerminal Additional materials Cisco Secure Access Control Server (CSACS) 3.3 or later for Windows 2000 Further information about the objectives covered in this lab can be found at the following websites: http://www.cisco.com/en/us/products/sw/iosswrel/ps1831/products_configuration_guide_chapter091 86a00800d981d.html http://www.cisco.com/en/us/products/sw/iosswrel/ps5187/products_command_reference_book0918 6a008017cf42.html Command list In this lab exercise, the following commands will be used. Refer to this list if assistance or help is needed during the lab exercise. Command aaa authentication aaa authorization aaa new-model debug aaa authentication ip auth-proxy ip http tacacs-server Description Defines AAA authentication parameters. Defines AAA authorization parameters. Enables AAA. Enables AAA authentication debugging. Defines authentication proxy rules. Defines HTTP settings. Defines TACACS Server settings. 2-7 Network Security 1 v2.0 Lab 6.1.4 Copyright 2005, Cisco Systems, Inc.

Step 1 Configure CS ACS for Windows 2000 a. On the workstation, open Cisco Secure ACS from the desktop. b. Click Interface Configuration on the far left column of CSACS to go to the Interface Configuration window. c. Click TACACS+ (Cisco IOS) to configure this option. Scroll down to the New Services frame. d. Select the first line under New Services and enter auth-proxy under Services. Select the checkbox next to the field where auth-proxy has been entered. Make sure to check the check box directly to the left of the Service field. e. Under Advanced Configuration Options, choose Advanced TACACS+ Features if it is not already selected. f. Click Submit to submit the changes. g. Click Group Setup to open the Group Setup window. Select 0: Default Group (1 user) in the Group drop-down menu. Click the Edit Settings button to go to the Group Setup for this group. h. Scroll down to the auth-proxy check box and the Custom attributes check box near the bottom of the Group Settings frame. Check both the auth-proxy check box and the Custom attributes check box. i. Enter the following in the Custom attributes box. proxyacl#1=permit tcp any any priv-lvl=15 j. Click the Submit + Restart button to submit the changes and restart CSACS. Wait for the interface to return to the Group Setup main window. 1. Did CSACS restart successfully? Step 2 Configure AAA To configure AAA, complete the following steps: a. On the router, enter global configuration mode. RouterP# configure terminal b. Enable AAA. RouterP(config)# aaa new-model 1. The aaa? command provides what options? c. Specify the authentication protocol. RouterP(config)# aaa authentication login default group tacacs+ d. Specify the authorization protocol. RouterP(config)# aaa authorization auth-proxy default group tacacs+ 3-7 Network Security 1 v2.0 Lab 6.1.4 Copyright 2005, Cisco Systems, Inc.

e. Define the TACACS+ server and its key. RouterP(config)# tacacs-server host 10.0.P.12 Note If ACS is running on a computer other than the student PC, this IP address will be different. (P=pod number.) RouterP(config)# tacacs-server key secretkey Step 3 Define the ACLs to Allow TACACS+ Traffic a. Define the ACLs to allow TACACS+ traffic to the inside interface from the AAA server. Also allow outbound Internet Control Message Protocol (ICMP) traffic as well as FTP and WWW traffic. Block all other inside initiated traffic. RouterP(config)# access-list 101 permit tcp host 10.0.P.12 eq tacacs host 10.0.P.2 RouterP(config)# access-list 101 permit icmp any any RouterP(config)# access-list 101 permit tcp 10.0.P.0 0.0.0.255 any eq ftp RouterP(config)# access-list 101 permit tcp 10.0.P.0 0.0.0.255 any eq www RouterP(config)# access-list 101 deny ip any any (where P = pod number) b. Define the ACLs to allow inbound ICMP traffic as well as FTP and WWW traffic to the inside web or FTP server. Block all other outside initiated traffic. RouterP(config)# access-list 102 permit eigrp any any RouterP(config)# access-list 102 permit icmp any any RouterP(config)# access-list 102 permit tcp any host 10.0.P.10 eq ftp RouterP(config)# access-list 102 permit tcp any host 10.0.P.10 eq www RouterP(config)# access-list 102 deny ip any any c. Enable the router HTTP server for AAA. RouterP(config)# ip http server RouterP(config)# ip http authentication aaa 1. What options are available with the ip http? help command? 4-7 Network Security 1 v2.0 Lab 6.1.4 Copyright 2005, Cisco Systems, Inc.

Step 4 Configure an Authentication Proxy Complete the following steps to configure authentication proxy: a. Define an authentication proxy rule. RouterP(config)# ip auth-proxy name APRULE http auth-cache-time 5 1. What other protocols can use AAA as an authentication proxy? b. Apply the authentication proxy rule to the inside interface. RouterP(config)# interface fastethernet 0/0 RouterP(config-if)# ip auth-proxy APRULE RouterP(config-if)# ip access-group 101 in RouterP(config-if)# exit c. Apply the ACL to the outside interface. RouterP(config-if)# interface fastethernet 0/1 RouterP(config-if)# ip access-group 102 in Step 5 Test and Verify an Authentication Proxy Complete the following steps to test and verify authentication proxy: a. On the router, use the show access-list command to check the access lists. Fill in the blanks below using the output from this command. RouterP# show access-list 1. Extended IP access list 101 2. Extended IP access list 102 b. Use the show ip auth-proxy configuration command to verify the authorization proxy configuration. Fill in the blanks below using the output from this command. RouterP# show ip auth-proxy configuration 1. Authentication global cache time is minutes 2. Auth-proxy name 3. http list not specified auth-cache-time minutes 5-7 Network Security 1 v2.0 Lab 6.1.4 Copyright 2005, Cisco Systems, Inc.

c. Use the show ip auth-proxy cache command to verify the authorization proxy configuration. RouterP# show ip auth-proxy cache 1. Why is the cache empty? d. From the workstation command prompt, ping the backbone server. C:\> ping 172.26.26.50 Pinging 172.26.26.50 with 32 bytes of data: Reply from 172.26.26.50: bytes=32 time=34ms TTL=125 Reply from 172.26.26.50: bytes=32 time=34ms TTL=125 Reply from 172.26.26.50: bytes=32 time=34ms TTL=125 Reply from 172.26.26.50: bytes=32 time=36ms TTL=125 e. Use the web browser to connect to the backbone web server. f. In the URL field enter http://172.26.26.50. g. Enter the following when the web browser prompts for a username and password. Username: aaauser Password: aaapass h. Use the show access-list command to check the ACLs. Fill in the blanks below using the output from this command. RouterP# show access-list 1. Extended IP access list 101 2. Extended IP access list 102 i. On the router, use the show ip inspect all command to see the CBAC parameters: RouterP# show ip inspect all 6-7 Network Security 1 v2.0 Lab 6.1.4 Copyright 2005, Cisco Systems, Inc.

j. Use the show ip auth-proxy cache command to verify the authorization proxy configuration. Fill in the blank below using the output from this command. RouterP#show ip auth-proxy cache Step 6 Test and Verify Authentication Proxy Complete the following steps to test and verify authentication proxy a second time: a. Use the web browser to connect to the backbone web server. b. In the URL field enter http://172.26.26.50. Note Use a. at the end of the IP address to download a new copy of the web page. Otherwise, the browser may display a cached copy. 1. Was it necessary to authenticate again? Why? c. Use the clear ip auth-proxy cache * command to clear the authorization proxy cache. RouterP# clear ip auth-proxy cache * 1. Why is it necessary to clear the cache? d. Use the show ip auth-proxy cache command to verify the cache has been cleared. RouterP# show ip auth-proxy cache 1. Has the cache been cleared? 7-7 Network Security 1 v2.0 Lab 6.1.4 Copyright 2005, Cisco Systems, Inc.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information