Badar,

I have seen this issue as well. Most likely they are not going to ask you something that doesn't work. As you have already tested, RADIUS is an option. Luckily you are already aware of the issue, so it is always a good way to show the proctor you know what you are talking about.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] [mailto:[email protected]] On Behalf Of Piotr Kaluzny
Sent: Monday, March 15, 2010 9:28 AM
To: Kingsley Charles
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Auth Proxy Telnet Vs http confusion

Badar,

What are the ACS logs saying about this?

Regards,
--
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com

On Mon, Mar 15, 2010 at 2:19 PM, Kingsley Charles <[email protected]> wrote:

Did you try configuring one service with just auth-proxy and another one with both auth-proxy and ip protocol?

With regards
Kin

On Mon, Mar 15, 2010 at 6:43 PM, Badar Farooq <[email protected]> wrote:

Well, HTTP proxy sends the following:

*Mar 1 00:13:45.399: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV service=auth-proxy
*Mar 1 00:13:45.403: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV cmd*
*Mar 1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV service=auth-proxy
*Mar 1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV cmd*

and Telnet:

*Mar 1 00:17:04.931: TPLUS: Sending AV service=auth-proxy
*Mar 1 00:17:04.931: TPLUS: Sending AV protocol=ip

So when I have IP protocol with auth proxy, my HTTP authentication fails, but telnet works. All right, that's understandable, but still, if we are asked to have an HTTP as well as a telnet proxy, what would we do? And why is there this difference between telnet and HTTP proxies, and is there a workaround?

Regards

On Mon, Mar 15, 2010 at 3:41 PM, Kingsley Charles <[email protected]> wrote:

Hi Badar,

Turn on "debug tacacs" and you can see the AV attribute that the IOS router is sending to the ACS. Based on this only, you configure the "New services". What are the request attributes sent for telnet proxy and HTTP proxy with debug tacacs?

With regards
Kings

On Mon, Mar 15, 2010 at 2:41 PM, Badar Farooq <[email protected]> wrote:

I did some more research. Using RADIUS, the issue doesn't happen. I tested the Cisco AV pairs

auth-proxy:priv-lvl=15
auth-proxy:proxyacl#1=permit ip any any

as well as

shell:priv-lvl=15
shell:proxyacl#1=permit ip any any

and HTTP and telnet both work fine. With TACACS+, though, I am still having the issue. To recount, the issue is: in services, while adding auth-proxy, if protocol ip is added, HTTP proxy doesn't work and telnet proxy works, and if the protocol field is left blank, HTTP proxy works and telnet doesn't. Waiting for feedback from you guys :)

Regards

On Mon, Mar 15, 2010 at 11:22 AM, Badar Farooq <[email protected]> wrote:

I am having a strange issue. Using auth proxy with TACACS+, if I use service auth-proxy without mentioning the protocol, HTTP proxy works fine, but telnet proxy doesn't work. Similarly, if I enable auth-proxy with ip protocol, telnet proxy works fine but HTTP proxy doesn't work. Ironically, if I add two proxy services, auth-proxy with protocol ip and then without it, even then one of the two works at any given time. I don't understand it. Looking forward to some feedback...

Regards
Badar

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
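As an added illustration (not code from any poster in this thread), the following Python script parses the debug lines Badar quoted, groups the AV pairs per authorization session, and applies an assumed ACS matching rule modelled on the behaviour the thread reports, so you can see why no single TACACS+ service entry matches both the HTTP request (service=auth-proxy plus an optional cmd*) and the telnet request (service=auth-proxy plus protocol=ip). The service entry names and the matching rule are assumptions, not documented ACS logic.

```python
import re
from collections import defaultdict

# Constructed sample: the "debug aaa authorization"/"debug tacacs" lines quoted
# in the thread (HTTP auth-proxy session first, then the telnet one).
DEBUG_LINES = """\
*Mar 1 00:13:45.399: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV service=auth-proxy
*Mar 1 00:13:45.403: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV cmd*
*Mar 1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV service=auth-proxy
*Mar 1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV cmd*
*Mar 1 00:17:04.931: TPLUS: Sending AV service=auth-proxy
*Mar 1 00:17:04.931: TPLUS: Sending AV protocol=ip
"""

# TACACS+ writes mandatory attributes as attr=value and optional ones as attr*value.
AV_RE = re.compile(r"(?:send|Sending) AV (?P<attr>[\w-]+)[=*](?P<val>\S*)")
SESSION_RE = re.compile(r"\((\d+)\)")

def parse_av_pairs(text):
    """Group the AV pairs by authorization session: {session_key: {attr: value}}.
    TPLUS lines carry no session id, so they are keyed by their timestamp."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = AV_RE.search(line)
        if not m:
            continue
        sid = SESSION_RE.search(line)
        key = sid.group(1) if sid else line.split(": ", 1)[0]
        sessions[key][m.group("attr")] = m.group("val")
    return dict(sessions)

def matches_service(avs, service_def):
    """Assumed ACS matching rule, modelled on the behaviour the thread reports:
    the request's service and protocol attributes must both equal what the
    service entry specifies (a blank protocol only matches requests without one)."""
    return (avs.get("service") == service_def.get("service")
            and avs.get("protocol") == service_def.get("protocol"))

def classify(text, service_defs):
    """Return {session_key: [names of service entries the request would hit]}."""
    sessions = parse_av_pairs(text)
    return {key: [name for name, d in service_defs.items() if matches_service(avs, d)]
            for key, avs in sessions.items()}

# Hypothetical names for the two ACS service entries Badar tried.
SERVICE_DEFS = {
    "auth-proxy/blank": {"service": "auth-proxy"},
    "auth-proxy/ip": {"service": "auth-proxy", "protocol": "ip"},
}
```

Running `classify(DEBUG_LINES, SERVICE_DEFS)` shows the HTTP session hitting only the blank-protocol entry and the telnet session hitting only the protocol=ip entry, which is exactly the one-or-the-other behaviour reported above.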
