Stand alone CE http request authentication

doan · ‎03-08-2005

Hi all,

We have CE 7305 with ACNS 5.2.3, running as a standalone web proxy. We would like to configure HTTP request authentication such that only requests from a known source IP address to a known destination IP address need to be authenticated, all other kinds of request will be no-auth. For example:

- source IP 10.10/16, dest www.example.com: authentication needed.

- source any, dest any: no authentication

Has anybody done a similar configuration? I appreciate any helps.

Regards,

A.T Doan

jfoerster · ‎03-08-2005

HI,

as far as I know http authentication is only possible with a radius,tacacs+, ldap or ntlm server.

For the authentication pattern you are trying to achieve do the following next to configuring one of the above mentioned servers:

rule enable

rule action no-auth pattern-list 1

rule pattern-list 1 group-type and

rule pattern-list 1 src-ip 10.10.0.0 255.255.0.0

rule pattern-list 1 domain !www.example.com

Kind Regards,

Joerg

jfoerster · ‎03-08-2005

Hi,

sorry a little logical mistake is my posting and it won't probably exactly coveryour requests but I guess the example gives you an idea what has to be done.

Bad luck that there is not NOT operator for src-ip-addresses so you have to setup a proper logic.

As soon as the result of parsing all pattern-list-lines ends with a false you have to authenticate.

Kind Regards,

Joerg

doan · ‎03-09-2005

Joerg,

Thank you very much for your help. I understand the idea of your example. The key information is the !domain in the URL regex. With the combination of normal router ACL (for the NOT src-ip) and the !domain in Rule Template I could setup the configuration I wanted.

Many thanks again.

A.T Doan