Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Testing and Verifying Your Configuration

189

Great—now you’ll apply the Authentication Proxy rule to an interface—Fast Ethernet 0/0 on Lab_B:

Lab_B#conf t
Lab_B(config)#int fast0/0
Lab_B(config-if)#ip auth-proxy ?
  WORD  Name of authenticaion proxy rule
Lab_B(config-if)#ip auth-proxy name toddlock
Lab_B(config-if)#^Z
Lab_B#

You could have used an ACL to control which devices are allowed to use the IOS Firewall Authentication Proxy by creating the Authentication Proxy rule with the command ip auth-proxy name toddlock http list 50. The additional list 50 parameter refers to standard IP access list 50, which determines which source addresses can be authenticated. You didn’t add that here, so in the preceding configuration, all hosts are prompted for authentication. If you want to limit which hosts have the ability to authenticate out, you can do that with this ACL parameter.

Now that you’re through, it’s time to see if everything’s working. After that, you’ll learn about some testing and verification commands.

Testing and Verifying Your Configuration

There are several commands for troubleshooting and validating the operation of the IOS Firewall Authentication Proxy. The syntax of these commands is pretty typical, so if you’ve made it this far in the book, you could probably guess most, if not all, of the commands! But just in case, I’ll briefly explain in this section the show commands, the debug commands, and the commands for clearing the cache.

show Commands

There are three primary show commands that you need to know for checking the contents of the IOS Firewall Authentication Proxy cache, the global configuration parameters, and the statistics. Here are some examples demonstrated on the Lab_B router:

Lab_B#show ip auth-proxy cache
Authentication Proxy Cache
 Client IP 172.16.1.100 Port 2326, timeout 30, state HTTP_INIT
Lab_B#show ip auth-proxy configuration
Authentication global cache time is 30 minutes
Authentication Proxy Rule Configuration
 Auth-proxy name toddlock
 http list not specified auth-cache-time 30 minutes
Lab_B#show ip auth-proxy statistics
Authentication Proxy Statistics
 proxied client number 1
Lab_B#

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

190 Chapter 6 Cisco IOS Firewall Authentication and Intrusion Detection

debug Commands

The number of debug commands available varies a bit from one IOS version to another. The following is a demonstration of the debug ip auth-proxy function-trace command, captured while the client from the previous example accessed Cisco’s website (represented here by 1.1.1.1):

Lab_B#debug ip auth-proxy ?
  function-trace   Auth-Proxy function trace
  object-creation  Authentication Proxy object creations
  object-deletion  Authentication Proxy object deletions
  timers           Authentication Proxy timer related events
Lab_B#debug ip auth-proxy function-trace
AUTH-PROXY Function Trace debugging is on
Lab_B#

00:55:43: AUTH-PROXY FUNC: auth_proxy_fast_path
00:55:43: AUTH-PROXY auth_proxy_find_conn_info :
  find srcaddr - 172.16.1.100, dstaddr - 1.1.1.1 ip-srcaddr 172.16.1.100
  pak-srcaddr 0.0.0.0
00:55:43: AUTH-PROXY FUNC: auth_proxy_process_path
00:55:43: SYN SEQ 537346255 LEN 0
00:55:43: dst_addr 3473868035 src_addr 2886730084 dst_port 80 src_port 2328
00:55:43: AUTH-PROXY auth_proxy_find_conn_info :
  find srcaddr - 172.16.1.100, dstaddr - 1.1.1.1 ip-srcaddr 172.16.1.100
  pak-srcaddr 0.0.0.0
00:55:43: clientport 2327 state 0
00:55:43: AUTH-PROXY FUNC: auth_proxy_fast_path
00:55:43: AUTH-PROXY auth_proxy_find_conn_info :
  find srcaddr - 172.16.1.100, dstaddr - 1.1.1.1
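The show and debug output above is what you would paste into a script when verifying the proxy from a management host. The following is an added example, not code from the book or from Cisco: it parses show ip auth-proxy cache entries, flags clients that sit outside the range an http list ACL is meant to admit or that never progress past HTTP_INIT, and decodes the 32-bit decimal addresses that function-trace prints so they can be matched against the cache. The sample cache lines beyond the first and the HTTP_ESTAB state are constructed for the demonstration; the trace line uses 1.1.1.1 for the web server, as the text does.

```python
import ipaddress
import re

# Constructed sample of "show ip auth-proxy cache" output, modelled on the Lab_B
# session above; the second and third entries are invented for the demonstration.
CACHE_OUTPUT = """\
Authentication Proxy Cache
 Client IP 172.16.1.100 Port 2326, timeout 30, state HTTP_INIT
 Client IP 172.16.1.101 Port 1045, timeout 30, state HTTP_ESTAB
 Client IP 10.9.9.9 Port 3301, timeout 30, state HTTP_INIT
"""
CACHE_RE = re.compile(r"Client IP (?P<ip>\d+(?:\.\d+){3}) Port (?P<port>\d+), "
                      r"timeout (?P<timeout>\d+), state (?P<state>\S+)")
# function-trace prints the IP header addresses as 32-bit decimal integers.
DEBUG_RE = re.compile(r"dst_addr (?P<dst>\d+) src_addr (?P<src>\d+) "
                      r"dst_port (?P<dport>\d+) src_port (?P<sport>\d+)")

def parse_cache(text):
    """One dict per cache entry: ip, port, timeout (minutes) and state."""
    return [m.groupdict() for m in CACHE_RE.finditer(text)]

def audit_cache(text, allowed="172.16.1.0/24"):
    """Flag entries worth a second look: a client outside the range the 'http list'
    ACL is meant to admit (the rule on this page has no list, so any host gets
    challenged), and sessions still in HTTP_INIT, i.e. prompted but never
    authenticated."""
    net = ipaddress.ip_network(allowed)
    findings = []
    for entry in parse_cache(text):
        if ipaddress.ip_address(entry["ip"]) not in net:
            findings.append(("outside-acl", entry["ip"]))
        if entry["state"] == "HTTP_INIT":
            findings.append(("pending-auth", entry["ip"]))
    return findings

def decode_trace_line(line):
    """Convert the decimal addresses in one function-trace line back to dotted
    quads so they can be matched against the cache; None for other lines."""
    m = DEBUG_RE.search(line)
    if m is None:
        return None
    return {"src": str(ipaddress.ip_address(int(m["src"]))),
            "dst": str(ipaddress.ip_address(int(m["dst"]))),
            "sport": int(m["sport"]), "dport": int(m["dport"])}

# Constructed trace line in the format shown above; 1.1.1.1 (16843009) stands in
# for the web server and 2886730084 is 172.16.1.100.
SAMPLE_TRACE = "00:55:43: dst_addr 16843009 src_addr 2886730084 dst_port 80 src_port 2328"
```

Running audit_cache(CACHE_OUTPUT) reports the 10.9.9.9 client both as outside the allowed range and as pending, and 172.16.1.100 as pending only.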
