Secure web server access with 2851 router.

briley
Level 1

I would like to know if something like this is possible. If not, can anyone offer any suggestions on how to do something similar? Here is the setup. I have two IP networks on different VLANs. The VLANs are connected to a 2851, which is doing the routing between the different networks and is also the default gateway. One of these subnets is the data network, 192.168.1.x, and the other is a "server" network, 172.16.1.x, that has an application the users will connect to. The application on the PCs uses a few different ports, about 10; I am just going to allow access to those ports on the servers and deny everything else with an access list. The users also do administration work using HTTPS to this same web server. What I want to be able to do is deny HTTPS traffic to the server unless the users are authenticated somehow. I would like the user to open HTTPS://172.16.0.100 and have the router intercept the URL string and prompt the user to authenticate. Then, if the authentication is successful, build an access list to allow the HTTPS traffic to the server. After an inactivity period the router would close the access to the server network. I would like the authentication to happen centrally using RADIUS and HTTPS. Does anyone have any suggestions?

4 Replies

Jon Marshall
Hall of Fame

Hi

Have a look at this link, which gives an example of how to get your router to do HTTPS authentication. You would need the IOS firewall feature set on your 2800 router.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a0080146562.html

HTH

Jon
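The feature Jon points at is the IOS Firewall authentication proxy (auth-proxy). The configuration below is an added example written for this thread, not the poster's config and not taken from the linked Cisco document. It assumes GigabitEthernet0/0 is the user VLAN (192.168.1.0/24), the application server is 172.16.1.100, the RADIUS server is 192.168.1.10, and the application uses TCP 5000-5010; all of these addresses and ports are placeholders. The design point: the interface ACL statically permits the application ports and denies HTTPS to the server, and the per-user HTTPS permit is delivered by RADIUS and inserted into that ACL only after the user authenticates.

```cisco
! Added example (editor's, not from the thread). Addresses, ports and
! the RADIUS secret are assumptions, not values from the original post.
!
! --- AAA: authenticate and authorize auth-proxy sessions against RADIUS ---
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
!
! --- The router's own web server presents the login page; AAA must back it ---
ip http server
ip http secure-server
ip http authentication aaa
!
! --- Auth-proxy rule: intercept HTTP, drop the entry after 10 idle minutes ---
! (older releases spell the idle timer "ip auth-proxy auth-cache-time 10")
ip auth-proxy inactivity-timer 10
ip auth-proxy name WEBAUTH http
!
! --- Inbound ACL on the user VLAN ---
! Application ports are permitted statically. HTTPS to the server is
! deliberately NOT permitted here: the proxy inserts it per user.
ip access-list extended USER-IN
 permit tcp 192.168.1.0 0.0.0.255 host 172.16.1.100 range 5000 5010
 deny   ip  192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 description User VLAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group USER-IN in
 ip auth-proxy WEBAUTH
!
! --- RADIUS side (vendor-specific attribute 26/9, Cisco-AVPair), per user or group ---
! auth-proxy:priv-lvl=15
! auth-proxy:proxyacl#1=permit tcp any host 172.16.1.100 eq 443
! The router replaces "any" with the authenticated client's address when it
! installs the entry at the top of USER-IN, so the permit is host-specific.
```

Two caveats a practitioner will want before trying this. First, auth-proxy triggers on an HTTP (port 80) request passing through the interface, not on a TLS session to the server: the router cannot intercept `https://172.16.0.100` itself without presenting a certificate for that name, so users authenticate by first browsing to an HTTP URL (the login form itself can be served over the router's HTTPS listener), after which their HTTPS traffic to the server is permitted. Second, verify the behaviour with `show ip auth-proxy cache` and `show ip access-lists USER-IN` after a login; the dynamic entries should appear above the static ones and disappear after the inactivity timer expires.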

I have the firewall feature set on the router. I will give this a try.

I actually think Lock-and-Key Security (Dynamic Access Lists) is what I need, but the only thing I don't like about it is that I need to put my username and password in via telnet. Is there any way to do this via SSH or some other HTTPS session on the router?

Does anyone know of a way to configure the authentication to not use a telnet session? I can't use this if I have to use telnet for authentication.
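For the lock-and-key alternative raised in the last two replies, the following is an added example from the editor, not from the thread. Lock-and-key works by running `access-enable` when a user logs in on a vty line; SSH sessions terminate on the same vty lines as telnet, so restricting the lines to `transport input ssh` removes telnet from the picture while keeping the mechanism. The addressing (user VLAN 192.168.1.0/24 behind Gi0/0, server 172.16.1.100, RADIUS at 192.168.1.10, application ports 5000-5010) and the local fallback user are assumptions for illustration.

```cisco
! Added example (editor's, not from the thread). Addresses, ports, usernames
! and the RADIUS secret are assumptions.
!
aaa new-model
aaa authentication login default group radius local
radius-server host 192.168.1.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
!
! --- SSH server on the router (host key is generated once, in config mode) ---
hostname rtr-2851
ip domain-name example.test
crypto key generate rsa modulus 2048
ip ssh version 2
!
! --- Interface ACL with a dynamic entry that is inactive until access-enable fires ---
! 1) users may reach the router's SSH port to authenticate
! 2) application ports are permitted statically
! 3) the dynamic entry, once created, permits HTTPS to the server for the
!    authenticated host only; absolute lifetime 120 minutes
! 4) everything else toward the server network is denied
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 172.16.1.100 range 5000 5010
access-list 101 dynamic WEBADMIN timeout 120 permit tcp any host 172.16.1.100 eq 443
access-list 101 deny   ip  192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
interface GigabitEthernet0/0
 description User VLAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
!
! --- vty lines: SSH only, AAA login ---
line vty 0 4
 transport input ssh
 login authentication default
!
! --- Local fallback user: on login, create the dynamic entry for the
!     connecting host and tear it down after 10 idle minutes ---
username alice secret REPLACE-WITH-PASSWORD
username alice autocommand access-enable host timeout 10
!
! For RADIUS-authenticated users the same command is delivered centrally
! as a Cisco-AVPair on the user or group:  shell:autocmd=access-enable host timeout 10
```

With this in place the user opens an SSH session to 192.168.1.1, authenticates, the session closes immediately after `access-enable` runs, and `show access-lists 101` then shows a temporary entry for that host above the `dynamic` line; the `host` keyword substitutes the client's source address for `any`, so one user's login does not open HTTPS for the whole subnet. Note that an autocommand attached to the user (or pushed from RADIUS) is preferable to one attached to the vty line, because a line-level autocommand would also fire for administrators who need an interactive shell on the router.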