topic Re: ip admission auth-proxy in Network Security

ip admission auth-proxy

Dan Ricks — Mon, 11 Mar 2019 20:41:01 GMT

Platform: 881W

IOS: C880-DATA-UNIVERSALK9-M 15.0(1)M3

License: I have tried both advsecurity and advipservices

Problem: Configuring an auth-proxy redirect on seccessful authentication

Cisco's documentation states that when you are configuring auth-proxy, you may specify a url in which the clients will be redirected to when successfully authenticated. The command is:

ip admission proxy http success redirect <url-string>

However, the command does not seem to exist on many of the latter IOS versions. I am also unable to find any documentation with alternate methods of sending a redirection to the client after a successful authentication. Is this command depricated? Is there a more efficient method of redirecting?

Documentation I am using:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swwebauth.html#wp1103789

Thank you,

Dan

Re: ip admission auth-proxy

Kureli Sankar — Wed, 01 Jun 2011 19:50:22 GMT

Is this what you are trying to do?

https://supportforums.cisco.com/docs/DOC-15682/

-KS

Re: ip admission auth-proxy

Dan Ricks — Wed, 01 Jun 2011 21:07:55 GMT

Thank you for the reply, and for the documentation.

I already have the auth-proxy + tacacs server up and running. The user is able to authenticate without issues and the dynamic acl is applied. So there is no problem there.

The issue I am having is when a user successfully authenticates; along with the the default page that says "Authentication Successful", I would like them to be redirected to another page. Old IOS versions allowed you to specify a redirect page on a successful authentication. On the newer IOS code however, there is no such command.

The link you provided is an outstanding documentation source, but does not include code for that redirect I am looking for. I am wondering if Cisco decided that a redirect is no longer necessary.

Thanks

Re: ip admission auth-proxy

Kureli Sankar — Thu, 02 Jun 2011 11:28:16 GMT

Dan,

I do see the command in 15.x code command reference. The syntax seems slightly changed.

http://www.cisco.com/en/US/partner/docs/ios/security/command/reference/sec_i1.html#wp1043347

The following example shows how to configure custom authentication proxy web pages:

Router(config)# ip admission proxy http login page file disk1:login.htm

Router(config)# ip admission proxy http success page file disk1:success.htm

Router(config)# ip admission proxy http fail page file disk1:fail.htm

Router(config)# ip admission proxy http login expired page file disk1:expired.htm 

-KS

Re: ip admission auth-proxy

Dan Ricks — Thu, 02 Jun 2011 20:50:22 GMT

This is what I see when I type ip admission ?

Seems like its missing the 'ip admission proxy' command.

CISCO-881W-TOP(config)#ip admission ?
absolute-timer                  Absolute Timeout in minutes
auth-proxy-audit               Authentication Proxy Auditing
auth-proxy-banner            Authentication Proxy Banner
consent-banner                Consent Banner
event                                Event to be associated with the policy
http                                   Configure maximum HTTP process
inactivity-timer                  Inactivity Timeout in minutes
init-state-timer                  Init State Timeout in minutes
max-login-attempts          Max Login attempts per user
max-nodata-conns           Max TCP NODATA Connections
name                                Specify an Authentication/Admission Rule
ratelimit                            Session Ratelimit
service-policy                   Service Policy
source-interface               IP Admission Source Interface
watch-list                          Watch-list

CISCO-881W-TOP(config)#ip admission

Re: ip admission auth-proxy

Kureli Sankar — Mon, 06 Jun 2011 13:13:24 GMT

As I understand this is not supported in the "T" train but, only on the CAT switches.

I tried 12.4(24)T3 and it wasn't available there either so, I reached out to our IOS team and found the above.

-KS

ip admission auth-proxy

Dan Ricks — Mon, 06 Jun 2011 14:35:55 GMT

I see. That would explain things. Thank you for your time and efforts in helping me uncover the information I needed to find. Thank you.

ip admission auth-proxy

Gerard Roy — Wed, 04 Apr 2012 23:31:39 GMT

Hello,

Can anyone here help me call a URL that has an image into my consent page?

I have an html page in the flash of the router called consent_page.html Here are two diffent methods I am using to attempt to get the logo to show up in the consent page. Any ideas how to make this part work? Everything else works.

http://www.officemax.com"> SRC="/logo.gif" ALT="Company" WIDTH=246 HEIGHT=48>
http://www.officemax.com"> SRC="http://www.officemax.com/images//header/logo.png" ALT="OfficeMax" WIDTH=246 HEIGHT=48>

Warning!

The web site you have tried to access may not conform to the company's Acceptable Usage Policy

If you want to continue to this website click the "Accept" button below to proceed which will give you temporary access to this website. Please note that all web access is monitored.

Free Internet Hotspot

Terms of Service Agreement

Company provides free Internet access under the condition that you agree to abide by the restrictions below.

Responsibility of Use

You are responsible for all content distributed, accessed, or viewed while connected to this service. Company is not liable for your actions while using this service.

Limitation of Liability

Company is not liable for any damages which result from your use of this service.