Badar,

What are the ACS logs saying about this?

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Mon, Mar 15, 2010 at 2:19 PM, Kingsley Charles <kingsley.char...@gmail.com> wrote:

> Did you try configuring one service with just auth-proxy and another one
> with both auth-proxy and ip protocol?
>
> With regards
> Kin
>
> On Mon, Mar 15, 2010 at 6:43 PM, Badar Farooq <badarfar...@gmail.com> wrote:
>
>> Well
>> HTTP proxy sends the following
>>
>> *Mar 1 00:13:45.399: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV service=auth-proxy
>> *Mar 1 00:13:45.403: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): *send AV cmd**
>> *Mar 1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV service=auth-proxy
>> *Mar 1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV cmd*
>>
>> and Telnet
>>
>> *Mar 1 00:17:04.931: TPLUS: Sending AV service=auth-proxy
>> *Mar 1 00:17:04.931: TPLUS: Sending AV protocol=ip
>>
>> So when I have IP protocol with auth proxy, my http authentication fails,
>> but telnet works.
>>
>> All right, that's understandable, but still, if we are asked to have an HTTP
>> as well as telnet proxy, what would we do?
>>
>> And why is there this difference between telnet and http proxies and is
>> there a workaround?
>>
>> Regards
>>
>> On Mon, Mar 15, 2010 at 3:41 PM, Kingsley Charles <kingsley.char...@gmail.com> wrote:
>>
>>> Hi Badar
>>>
>>> Turn on "debug tacacs" and you can see the AV attribute that the IOS router is
>>> sending the ACS. Based on this only, you configure the "New services".
>>>
>>> What are the request attributes sent for telnet proxy and http proxy with
>>> debug tacacs?
>>>
>>> With regards
>>> Kings
>>>
>>> On Mon, Mar 15, 2010 at 2:41 PM, Badar Farooq <badarfar...@gmail.com> wrote:
>>>
>>>> I did some more research. Using radius, the issue doesn't happen.
>>>> I tested cisco av pairs
>>>>
>>>> auth-proxy:priv-lvl=15
>>>> auth-proxy:proxyacl#1=permit ip any any
>>>>
>>>> as well as
>>>>
>>>> shell:priv-lvl=15
>>>> shell:proxyacl#1=permit ip any any
>>>>
>>>> and http and telnet both work fine.
>>>> With Tacacs though, I am still having the issue.
>>>>
>>>> To recount, the issue is, if in services, while adding auth-proxy, if
>>>> protocol ip is added, http proxy doesn't work and telnet proxy works, and if
>>>> protocol field is left blank, http proxy works and telnet doesn't.
>>>>
>>>> Waiting for feedback from you guys :)
>>>>
>>>> Regards
>>>>
>>>> On Mon, Mar 15, 2010 at 11:22 AM, Badar Farooq <badarfar...@gmail.com> wrote:
>>>>
>>>>> I am having a strange issue.
>>>>> Using Auth proxy with tacacs+, if I use service auth-proxy without
>>>>> mentioning the protocol, http proxy works fine. But telnet proxy doesn't
>>>>> work.
>>>>> Similarly, if I enable auth-proxy with ip protocol, telnet proxy works
>>>>> fine but http proxy doesn't work.
>>>>>
>>>>> Ironically, if I add two proxy services, auth-proxy with protocol ip
>>>>> and then without it, even then one of the two works at any given time.
>>>>>
>>>>> I don't understand it. Looking forward to some feedback...
>>>>>
>>>>> Regards
>>>>> Badar
>>>>
>>>> _______________________________________________
>>>> For more information regarding industry leading CCIE Lab training,
>>>> please visit www.ipexpert.com