Authentication Proxy


You want the router to separately authenticate and authorize individual users as they access restricted resources.


To enable an IOS-based authentication proxy, use the following commands:

Router1#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authorization auth-proxy default local
Router1(config)#ip auth-proxy auth-proxy-banner http
Router1(config)#ip auth-proxy name HTTPPROXY http
Router1(config)#ip admission auth-proxy-banner http
Router1(config)#interface FastEthernet0/0
Router1(config-if)#ip auth-proxy HTTPPROXY
Router1(config-if)#ip http server
Router1(config)#ip http authentication local


Cisco authentication proxy is an intercepting proxy that requires users to authenticate before being allowed to access resources behind the proxy. Because it operates as an intercepting proxy, it means that placement of the router is vital, since it can only authenticate sessions that transverse the router. Generally, this means that the proxy must be placed at a network choke point, such as the link to the Internet, for instance.

Since Cisco authentication proxy is designed to act as an intercepting proxy, there is no need for end users to configure their browsers to point to the proxy server. The router will automatically intercept all sessions and force the end users to authenticate before they can access resources behind the proxy. The ...

Get Cisco IOS Cookbook, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.