Local AAA Server and Auth Proxy

Hi *,


I have a little theoretical question. I own some internal servers which are currently opened to the internet with an ACL and over NAT ports. Normally this is not a problem, as the servers are secured by strong authentication mechanisms.


But what I would like to achieve is the following scenario:

Mobile Phone (has a Certificate) -(*:443)-> Cisco 892SFP Router -(*:8080)-> Webserver (Only Plain Authentication) 

In other words: only allow access to this internal website when the client has authenticated successfully at the router with a valid certificate. And then the webserver only prompts for username and password (2 factors).


My first idea:

Cisco Auth Proxy to allow incoming traffic on port 443 only after certificate-based authentication.


The problem:

I do not have a RADIUS or TACACS+ server running anywhere and I am not able to set one up for the future. So I searched whether a local RADIUS server would be possible. And I found this one: Click me


My question:

Is that a good idea or a bad idea, and why? Are there other possibilities? When trying my idea, how should I configure the local AAA server to allow access on port 443 when authenticated (a short snippet would be great)?


Thanks for any help.

Francesco Molino
VIP Mentor



It's been a while since I played with auth-proxy.

I used that for internal users to authenticate themselves before accessing the internet, or to authenticate users coming from VPN to access some servers.

Here is a doc from Cisco:


The link you pasted is how to assign AAA attributes on a local user, and it works great. I use this essentially for VPN access on routers to assign a few attributes.


Now, combining both for outside authentication using a certificate, it should work, but I would need to test it first.


You said you're not able to deploy any RADIUS or TACACS; is it due to a budget issue? Because you can have open-source TACACS or RADIUS servers that are easy to deploy.


If you want to give access to these servers only to authenticated users, why not do a VPN connection or WebVPN? With WebVPN, you can achieve the same thing and add the server URL on the web portal for authenticated users.

Here is a link on how to do it on routers:


Right now, I can't do any lab, but as soon as I've finished my customer POC, I would be able to spend some time testing your idea, unless someone else on the forum has already implemented such a solution.

But again, based on your use case, I'd move to a WebVPN or IPsec VPN solution. In the end, for users it's one authentication step, no matter how they do it. With WebVPN, there is no tool to deploy.


PS: Please don't forget to rate and select as validated answer if this answered your question.

In other words, this function is not intended for my use case, correct? My intent is to protect an Exchange Server ActiveSync and OWA with an additional system which requests certificate-based authentication (CBA). Most ActiveSync clients are capable of using client certificates, and this is the reason why I would like to have this functionality.


As I understand WebVPN, I need to go to a portal first, download a Java applet, and then I can browse internal servers. I think my requirement is that the Cisco acts like an HTTPS proxy and only allows CBA-authenticated users. This feature I am missing somehow :D


Does that make sense? Is there an alternative for doing this use case?


Thanks very much...

With WebVPN, you can add your Exchange OWA link into the bookmark section; no need to force a user to download AnyConnect.
We use auth-proxy to do HTTP/HTTPS proxy by intercepting HTTP requests from the LAN side. I never did it on the WAN side (no use case for that), but you can try. There's a Cisco doc you can use to do that:

I would probably do a lab later.

PS: Please don't forget to rate and select as validated answer if this answered your question.