Cisco IOS Software Release 12.4(15)T
Consent Feature for Cisco IOS Routers
Prerequisites for Consent Feature for Cisco IOS Routers
To enable a consent webpage, you must be running an Advanced Enterprise image.
Information About Consent Feature for Cisco IOS Routers
Before enabling the consent feature for Cisco IOS routers, you should understand the following
concepts:
Authentication Proxy Overview
Authentication proxy is an ingress authentication feature that grants access to an end user (out an
interface) only if the user submits valid username and password credentials for ingress traffic that is
destined for HTTP, Telnet, or FTP protocols. After the submitted authentication credentials have been
checked against the credentials that are configured on an Authentication, Authorization, and Accounting
(AAA) server, access is granted to the requester (source IP address).
When an end user posts an HTTP(S), FTP, or Telnet request on a router’s authentication-proxy-enabled
ingress interface, the Network Authenticating Device (NAD) verifies whether or not the same host has
already been authenticated. If a session is already present, the ingress request is not authenticated again,
and it is subjected to the dynamic (Auth-Proxy) ACEs and the ingress interface ACEs. If an entry is not
present, the authentication proxy responds to the ingress connection request by prompting the user for a
valid username and password. When authenticated, the Network Access Profiles (NAPs) that are to be
applied are either downloaded from the AAA server or taken from the locally configured profiles.
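The flow described above, modeled as a short Python sketch. This is an added example, not Cisco code: the class name, the action labels, the sample users and the profile strings are all constructed for illustration.

```python
# Toy model of the authentication proxy decision flow (hypothetical names throughout).
import hmac
from dataclasses import dataclass, field

INTERCEPTED = {"http", "https", "ftp", "telnet"}  # requests that trigger the proxy

# Constructed sample data standing in for the AAA server and a locally configured profile.
AAA_USERS = {
    "alice": {"password": "s3cret", "profile": ["permit tcp any host 10.0.0.5 eq 80"]},
    "bob": {"password": "hunter2", "profile": None},  # AAA returns no profile for bob
}
LOCAL_PROFILE = ["permit tcp any any eq 443"]

@dataclass
class Nad:
    """Network Authenticating Device: tracks authenticated hosts by source IP."""
    sessions: dict = field(default_factory=dict)  # source IP -> dynamic (Auth-Proxy) ACEs

    def handle(self, src_ip, proto, creds=None):
        """Return (action, list of ACE sets that govern this request)."""
        if src_ip in self.sessions:
            # Host already authenticated: not prompted again; the request is
            # subject to the dynamic ACEs and the ingress interface ACEs.
            return "session-hit", ["dynamic", "ingress"]
        if proto not in INTERCEPTED:
            # The proxy is not involved; only the interface ACL applies.
            return "not-intercepted", ["ingress"]
        if creds is None:
            return "prompt", ["ingress"]  # ask for username and password
        user = AAA_USERS.get(creds[0])
        ok = user is not None and hmac.compare_digest(
            user["password"].encode(), creds[1].encode())
        if not ok:
            return "auth-failed", ["ingress"]  # no session entry is created
        # Profile comes from AAA when present, otherwise from the local configuration.
        self.sessions[src_ip] = user["profile"] or LOCAL_PROFILE
        return "authenticated", ["dynamic", "ingress"]

if __name__ == "__main__":
    nad = Nad()
    for step in [("192.0.2.10", "http"), ("192.0.2.10", "http", ("alice", "s3cret")),
                 ("192.0.2.10", "telnet"), ("192.0.2.12", "icmp")]:
        print(step, "->", nad.handle(*step))
```

The session table is keyed on the source IP address, so every later request from that address is treated as already authenticated until the entry is removed.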
An Integrated Consent–Authentication Proxy Webpage
The HTTP authentication proxy webpage has been extended to support radio buttons—“Accept” and
“Don’t Accept”—for the consent webpage feature. The consent webpage radio buttons are followed by
the authentication proxy input fields for a username and a password. (See
.)
The following consent scenarios are possible:
• If consent is declined (that is, the “Don’t Accept” radio button is selected), the authentication proxy
  radio buttons are disabled. The ingress client session’s access will be governed by the default ingress
  interface ACL.
• If consent is accepted (that is, the “Accept” radio button is selected), the authentication proxy radio
  buttons are enabled. If the wrong username and password credentials are entered, HTTP-Auth-Proxy
  authentication will fail. The ingress client session’s access will again be governed only by the
  default ingress interface ACL.
• If consent is accepted (that is, the “Accept” radio button is selected) and valid username and
  password credentials are entered, HTTP-Auth-Proxy authentication is successful. Thus, one of the
  following possibilities can occur:
  – If the ingress client session’s access request is HTTP_GET, the destination webpage will open
    and the ingress client session’s access will be governed by the default ingress interface ACL and
    the dynamic (Auth-Proxy) ACEs.