newbie with auth-proxy

Hi,

I need to allow and deny some users going to the Internet, but I want to allow/deny only for HTTP traffic.

For example, I don't want any user to have to authenticate if they want to use FTP.

Is it possible with the auth-proxy? If yes, any configuration example?

In the example I saw, the user had to authenticate to then allow his computer to send any packet to the Internet.

Thanks for your help.

Cheers, Gael

1 Reply

gfullage
Cisco Employee

Auth-proxy will authenticate the user only via HTTP, before they can send ANY traffic out. Going by your description this is not what you want.

Lock-and-Key might be more what you want. See here for details:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm

You could define an ACL to the inside interface allowing everything EXCEPT HTTP/HTTPS. Users doing FTP can just go straight out as normal then. Then define dynamic entries to this ACL that allow all traffic. For anyone to go out with HTTP/HTTPS they'd have to telnet to the router first, put in their login credentials, then they can browse out. Something like the following should work for you:

interface ethernet0
 description Inside interface
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in

access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 dynamic mytestlist timeout 120 permit ip any any

line vty 0 4
 login local
 autocommand access-enable host timeout 5

It takes a bit of user education in that they will have to be told how to use this (first telnet to the router at 10.1.1.1, login, then you can use HTTP traffic outbound), but should give you what you want.
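An added illustration, not part of the reply above and not Cisco code: a small Python model of first-match evaluation over access-list 101 as posted. It assumes (as the Lock-and-Key behaviour is usually described) that the temporary "permit ip host <src> any" entry created by access-enable host takes the position of the dynamic statement, so whether the authenticated host's HTTP is actually opened depends on where that dynamic line sits relative to the two deny lines; the inside host, the Internet address and the position values are constructed sample inputs, and the real placement should be checked on the router with show access-lists after a user has authenticated.

```python
import ipaddress

# Constructed model of access-list 101 from the reply (not IOS code).
# Entry layout: (action, protocol, source network, destination network, dest port or None)
ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("10.1.1.0/24")

STATIC_ACL = [
    ("deny",   "tcp", INSIDE, ANY, 80),    # access-list 101 deny tcp ... any eq 80
    ("deny",   "tcp", INSIDE, ANY, 443),   # access-list 101 deny tcp ... any eq 443
    ("permit", "ip",  INSIDE, ANY, None),  # access-list 101 permit ip ... any
]
# Index of the dynamic statement as posted: after the three static lines.
POSTED_DYNAMIC_POSITION = 3


def matches(entry, proto, src, dst, dport):
    """True if one ACL entry covers the packet (protocol 'ip' covers tcp/udp/etc.)."""
    _action, eproto, esrc, edst, eport = entry
    if eproto != "ip" and eproto != proto:
        return False
    if ipaddress.ip_address(src) not in esrc or ipaddress.ip_address(dst) not in edst:
        return False
    return eport is None or eport == dport


def evaluate(acl, proto, src, dst, dport=None):
    """IOS semantics: first matching entry wins; no match hits the implicit deny."""
    for entry in acl:
        if matches(entry, proto, src, dst, dport):
            return entry[0]
    return "deny"


def acl_after_access_enable(host, dynamic_position=POSTED_DYNAMIC_POSITION):
    """ACL once 'access-enable host' has created the temporary entry for one host.

    Assumption: the temporary 'permit ip host <host> any' is inserted where the
    dynamic statement sits in the list, so its position decides what it can override.
    """
    temp = ("permit", "ip", ipaddress.ip_network(host + "/32"), ANY, None)
    acl = list(STATIC_ACL)
    acl.insert(dynamic_position, temp)
    return acl


if __name__ == "__main__":
    inside_host, web_server = "10.1.1.50", "203.0.113.10"   # constructed sample values
    print("FTP before login :", evaluate(STATIC_ACL, "tcp", inside_host, web_server, 21))
    print("HTTP before login:", evaluate(STATIC_ACL, "tcp", inside_host, web_server, 80))
    for pos in (POSTED_DYNAMIC_POSITION, 0):
        acl = acl_after_access_enable(inside_host, pos)
        print(f"HTTP after login, dynamic entry at index {pos}:",
              evaluate(acl, "tcp", inside_host, web_server, 80))
```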