Simple Cisco IOS HTTP authentication proxy HOW TO

Hi,

I'm looking to implement a simple HTTP proxy during certain hours on a Cisco 800 series SOHO router. Basically the idea is during the hours of 11PM until 6AM the proxy will be in effect. If any of the users on the network try to browse during that time they will be prompted with a username and password screen. There only needs to be one username/password which would be stored locally on the router (no RADIUS or TACACS wanted). If the username/password combo is entered during that time frame, the user can browse, otherwise they are denied. During all other hours, everyone can browse. The documentation I've found doesn't seem to give a straightforward way to implement this. Additionally, I'm not sure how to implement the time-frame--probably directly on the access-list but I'm needing some help getting there.

Thanks!

lighthousekeeper Asked:
 
Istvan Kalmar (Head of IT Security Division) Commented:
Hi,

Its name is authentication proxy:

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/iosfw2_1.html

You are able to use the local database...
I advise using a script to enable the hours of 11PM until 6AM.

Best regards,
Istvan
 
Vito_Corleone Commented:
You want the router to BE the proxy or just forward to it? Here's a sample of how to forward traffic to the proxy with policy routing:

!
track 123 rtr 10 reachability
!
!
interface Vlan15
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
 ip policy route-map PROXY_REDIRECT
!
!
ip access-list extended PROXY_REDIRECT
 deny   tcp any any neq www
 deny   tcp host 192.168.10.51 any
 permit tcp host 192.168.15.26 any time-range WORK_DAY
 deny   ip any any
!
!
ip sla 10
 icmp-echo 192.168.10.51
ip sla schedule 10 life forever start-time now
!
!
!
route-map PROXY_REDIRECT permit 10
 match ip address PROXY_REDIRECT
 set ip next-hop verify-availability 192.168.10.51 10 track 123
!
!
time-range WORK_DAY
 periodic weekdays 8:00 to 17:30
!
!

This tracks the reachability of the proxy (I was using a Squid server in this case); if the proxy is up it will forward HTTP traffic to it. If the proxy is down it will forward the traffic normally. This uses a time range for 8-5:30.
 
lighthousekeeper (Author) Commented:
I want the router to also BE the proxy--the code snippet that you posted is helpful. However I'm looking to simply have the IOS present a username/password web page during off hours. If the user is able to enter the correct user/pass combo then they are granted access to browse the web, otherwise they are stuck with the proxy page and can't browse. Maybe proxy isn't the right method or terminology that I am using but that is the only functionality which seemed like it may do the trick with IOS.

Is that clear and is this possible with IOS only?

Thanks.
 
Vito_Corleone Commented:
IOS doesn't act as a proxy. The closest thing I can think of to what you want is a Lock and Key ACL, the users would telnet to the router with a user/pass allowing them access to something (the internet, in your case) for a specified period of time. You could probably script something like this, but setting up a Squid proxy or maybe some type of captive portal (3rd party software).
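Lock-and-key as described in the comment above, combined with a time-range so that a login is only needed from 11PM to 6AM. This is an added example, not configuration posted by anyone in the thread: the username, ACL number 101, the names DAYTIME and NIGHT_PASS, the timeouts, the DHCP permit and the vty split are assumptions, while Vlan15 and 192.168.15.1 are reused from the policy-routing sample.

```text
! Added example (not from the thread). Names, ACL number and timeouts are assumptions.
username nightuser secret <CHOOSE-A-PASSWORD>
!
! Open hours: 6:00 through 22:59 every day. Outside this range the
! time-based permit below is inactive, so only authenticated hosts pass.
time-range DAYTIME
 periodic daily 6:00 to 22:59
!
! Always allowed: telnet to the router (needed to authenticate), the
! admin rotary port, and DHCP requests (assumes the router serves DHCP).
access-list 101 permit tcp any host 192.168.15.1 eq telnet
access-list 101 permit tcp any host 192.168.15.1 eq 3001
access-list 101 permit udp any eq bootpc any eq bootps
! Daytime: everyone can browse without logging in.
access-list 101 permit ip any any time-range DAYTIME
! Off hours: a per-host entry is opened here by access-enable and is
! removed after 60 minutes (absolute timeout).
access-list 101 dynamic NIGHT_PASS timeout 60 permit ip any any
access-list 101 deny ip any any
!
interface Vlan15
 ip access-group 101 in
!
! vty 0-2: a successful local login runs access-enable for the source
! host (10-minute idle timeout) and then disconnects the session.
line vty 0 2
 login local
 autocommand access-enable host timeout 10
! vty 3-4: kept for administration, reached by telnet to TCP port 3001.
line vty 3 4
 login local
 rotary 1
```

Telnet carries the password in clear text across the LAN. After a user authenticates, `show access-lists 101` lists the temporary per-host entry under NIGHT_PASS.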
 
lighthousekeeper (Author) Commented:
That is what I am looking at doing.  Does anyone have some sample code for this example?

Thanks.
 
Istvan Kalmar (Head of IT Security Division) Commented:
 
bsohn417 Commented:
Are you using any proxy server?
Does your web cache understand WCCP?
You can implement WCCP on the router.