https://community.cisco.com/t5/network-access-control/newbie-with-auth-proxy/m-p/334603#M429326 <HTML><HEAD></HEAD><BODY><P>Auth-proxy will authenticate the user only via HTTP, before they can send ANY traffic out. Going by your description this is not what you want.</P><P></P><P>Lock-and-Key might be more what you want. See here for details:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm</A></P><P></P><P>You could define an ACL to the inside interface allowing everything EXCEPT HTTP/HTTPS. Users doing FTP can just go straight out as normal then. Then define dynamic entries to this ACL that allow all traffic. For anyone to go out with HTTP/HTTPS they'd have to telnet to the router first, put in their login credentials, then they can browse out. Something like the following should work for you:</P><P><B></B></P><P>interface ethernet0</P><P> description Inside interface</P><P> ip address 10.1.1.1 255.255.255.0</P><P> ip access-group 101 in</P><P></P><P></P><P>access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 80</P><P>access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 443</P><P>access-list 101 permit ip 10.1.1.0 0.0.0.255 any</P><P>access-list 101 dynamic mytestlist timeout 120 permit ip any any</P><P></P><P></P><P>line vty 0 4</P><P>login local</P><P>autocommand access-enable host timeout 5</P><P></P><P></P><P>It takes a bit of user education in that they will have to be told how to use this (first telnet to the router at 10.1.1.1, login, then you can use HTTP traffic outbound), but should give you what you want. </P><P></P><P></P></BODY></HTML> Wed, 13 Apr 2005 05:10:07 GMT gfullage 2005-04-13T05:10:07Z https://community.cisco.com/t5/network-access-control/newbie-with-auth-proxy/m-p/334602#M429325 <P>Hi,</P><P>I need to allow and deny some user to go to the Internet, but I want to allow/deny only for http traffic.</P><P>For exemple I dont want any user to have to authenticate if they want to use ftp.</P><P>Is it possible with the auth-proxy? if yes any configuration exemple?</P><P></P><P>In the exemple I saw, the user had to authenticate to then allow his computer to send any packet to the Internet. </P><P></P><P>Thanks for your help.</P><P></P><P>Cheers Gael</P> Sun, 10 Mar 2019 21:06:30 GMT https://community.cisco.com/t5/network-access-control/newbie-with-auth-proxy/m-p/334602#M429325 gael.clavadetscher 2019-03-10T21:06:30Z https://community.cisco.com/t5/network-access-control/newbie-with-auth-proxy/m-p/334603#M429326 <HTML><HEAD></HEAD><BODY><P>Auth-proxy will authenticate the user only via HTTP, before they can send ANY traffic out. Going by your description this is not what you want.</P><P></P><P>Lock-and-Key might be more what you want. See here for details:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm</A></P><P></P><P>You could define an ACL to the inside interface allowing everything EXCEPT HTTP/HTTPS. Users doing FTP can just go straight out as normal then. Then define dynamic entries to this ACL that allow all traffic. For anyone to go out with HTTP/HTTPS they'd have to telnet to the router first, put in their login credentials, then they can browse out. Something like the following should work for you:</P><P><B></B></P><P>interface ethernet0</P><P> description Inside interface</P><P> ip address 10.1.1.1 255.255.255.0</P><P> ip access-group 101 in</P><P></P><P></P><P>access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 80</P><P>access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 443</P><P>access-list 101 permit ip 10.1.1.0 0.0.0.255 any</P><P>access-list 101 dynamic mytestlist timeout 120 permit ip any any</P><P></P><P></P><P>line vty 0 4</P><P>login local</P><P>autocommand access-enable host timeout 5</P><P></P><P></P><P>It takes a bit of user education in that they will have to be told how to use this (first telnet to the router at 10.1.1.1, login, then you can use HTTP traffic outbound), but should give you what you want. </P><P></P><P></P></BODY></HTML> Wed, 13 Apr 2005 05:10:07 GMT https://community.cisco.com/t5/network-access-control/newbie-with-auth-proxy/m-p/334603#M429326 gfullage 2005-04-13T05:10:07Z