Hmmm Piotr,

The relevant ACS log when http authentication fails (when I use auth-proxy with protocol IP, which works for telnet but not http) is as follows:

Message-Type     Author-Failure-Code    Author-Data
Author failed    Service denied         service=auth-proxy cmd*

And Tyson,

Does it mean it's a known issue without a workaround? And nothing can be done?

Regards

On Mon, Mar 15, 2010 at 5:01 PM, Tyson Scott <[email protected]> wrote:

> Badar,
>
> I have seen this issue as well. Most likely they are not going to ask you
> something that doesn't work. As you have already tested RADIUS is an
> option.
>
> Luckily you are already aware of the issue so it is always a good way to
> show the proctor you know what you are talking about.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Piotr Kaluzny
> *Sent:* Monday, March 15, 2010 9:28 AM
> *To:* Kingsley Charles
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] Auth Proxy Telnet Vs http confusion
>
> Badar,
>
> What are the ACS logs saying about this?
>
> Regards,
> --
> Piotr Kaluzny
> CCIE #25665 (Security), CCSP, CCNP
> Sr. Support Engineer - IPexpert, Inc.
> URL: http://www.IPexpert.com
>
> On Mon, Mar 15, 2010 at 2:19 PM, Kingsley Charles <[email protected]> wrote:
>
> Did you try configuring one service with just auth-proxy and another one
> with both auth-proxy and ip protocol.
>
> With regards
>
> Kin
>
> On Mon, Mar 15, 2010 at 6:43 PM, Badar Farooq <[email protected]> wrote:
>
> Well
> HTTP proxy sends the following
>
> *Mar 1 00:13:45.399: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV service=auth-proxy
> *Mar 1 00:13:45.403: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV cmd*
> *Mar 1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV service=auth-proxy
> *Mar 1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV cmd*
>
> and Telnet
>
> *Mar 1 00:17:04.931: TPLUS: Sending AV service=auth-proxy
> *Mar 1 00:17:04.931: TPLUS: Sending AV protocol=ip
>
> So when I have IP protocol with auth proxy, my http authentication fails,
> but telnet works.
>
> All right, that's understandable but still, if we are asked to have an HTTP
> as well as telnet proxy, what would we do?
>
> And why is there this difference between telnet and http proxies and is
> there a workaround?
>
> Regards
>
> On Mon, Mar 15, 2010 at 3:41 PM, Kingsley Charles <[email protected]> wrote:
>
> Hi Badar
>
> Turn on "debug tacacs" and you can see the AV attribute that the IOS router
> is sending the ACS. Based on this only, you configure the "New services".
>
> What are the request attributes sent for telnet proxy and http proxy with
> debug tacacs?
>
> With regards
>
> Kings
>
> On Mon, Mar 15, 2010 at 2:41 PM, Badar Farooq <[email protected]> wrote:
>
> I did some more research. Using radius, the issue doesn't happen.
> I tested cisco av pairs
>
> auth-proxy:priv-lvl=15
> auth-proxy:proxyacl#1=permit ip any any
>
> as well as
>
> shell:priv-lvl=15
> shell:proxyacl#1=permit ip any any
>
> and http and telnet both work fine.
> With Tacacs though, I am still having the issue.
>
> To recount, the issue is, if in services, while adding auth-proxy, if
> protocol ip is added, http proxy doesn't work and telnet proxy works, and if
> protocol field is left blank, http proxy works and telnet doesn't.
>
> Waiting for a feedback from you guys :)
>
> Regards
>
> On Mon, Mar 15, 2010 at 11:22 AM, Badar Farooq <[email protected]> wrote:
>
> I am having a strange issue.
> Using Auth proxy with tacacs+, if I use service auth-proxy without
> mentioning the protocol, http proxy works fine. But telnet proxy doesn't
> work.
> Similarly, I enable auth-proxy with ip protocol, telnet proxy works fine
> but http proxy doesn't work.
>
> Ironically, if I add two proxy services, auth-proxy with protocol ip and
> then without it, even then one of the two works at any given time.
>
> I don't understand it. Looking forward to some feedback...
>
> Regards
> Badar
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
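Added example, not part of the original thread or written by any of its participants: a small Python parser that pulls the TACACS+ AV pairs out of the debug lines quoted above and shows how the HTTP and telnet auth-proxy authorization requests differ (HTTP carries an optional, empty `cmd*` and no `protocol`; telnet carries `protocol=ip`). The function names `parse_av`, `request_avs` and `diff_requests` are hypothetical, chosen for this illustration.

```python
import re

# Debug lines as quoted in the thread, grouped by the proxy type that produced them.
HTTP_DEBUG = """\
*Mar 1 00:13:45.399: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV service=auth-proxy
*Mar 1 00:13:45.403: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV cmd*
*Mar 1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV service=auth-proxy
*Mar 1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV cmd*
"""
TELNET_DEBUG = """\
*Mar 1 00:17:04.931: TPLUS: Sending AV service=auth-proxy
*Mar 1 00:17:04.931: TPLUS: Sending AV protocol=ip
"""

AV_LINE = re.compile(r"(?:send|Sending) AV (\S+)\s*$")
AV_PAIR = re.compile(r"^([^=*]+)([=*])(.*)$")


def parse_av(av):
    """Split a TACACS+ AV pair; '=' marks a mandatory attribute, '*' an optional one."""
    m = AV_PAIR.match(av)
    if m is None:
        raise ValueError(f"not a TACACS+ AV pair: {av!r}")
    name, sep, value = m.groups()
    return name, value, sep == "="


def request_avs(debug_text):
    """Collect (name, value, mandatory) tuples from debug output.

    A set removes the duplicates logged by the AAA and TAC+ layers."""
    avs = set()
    for line in debug_text.splitlines():
        m = AV_LINE.search(line)
        if m:
            avs.add(parse_av(m.group(1)))
    return avs


def diff_requests(first, second):
    """Compare two authorization requests by attribute name."""
    a = {name for name, _, _ in first}
    b = {name for name, _, _ in second}
    return {"only_first": sorted(a - b), "only_second": sorted(b - a), "both": sorted(a & b)}


if __name__ == "__main__":
    http, telnet = request_avs(HTTP_DEBUG), request_avs(TELNET_DEBUG)
    print("HTTP  :", sorted(http))
    print("Telnet:", sorted(telnet))
    print(diff_requests(http, telnet))
```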
