Brad,

Yes, this is exactly what I ran into as well. Not sure if I could get
both working - HTTP and Telnet - but it seems that Tyson is right. You are now
aware of it, would not expect to see it in the lab.

-- 
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com


On Mon, Mar 15, 2010 at 3:17 PM, Badar Farooq <badarfar...@gmail.com> wrote:

> hmmm
> Piotr
> The relevant ACS log when http authentication fails (when I use auth-proxy
> with protocol IP, which works for telnet but not http) is as follows
>
>   Message-Type: Author failed
>   Author-Failure-Code: Service denied
>   Author-Data: service=auth-proxy cmd*
>
> And Tyson
> Does it mean it's a known issue without a workaround? And nothing can be
> done?
>
> Regards
>
>
> On Mon, Mar 15, 2010 at 5:01 PM, Tyson Scott <tsc...@ipexpert.com> wrote:
>
>>  Badar,
>>
>>
>>
>> I have seen this issue as well.  Most likely they are not going to ask you
>> something that doesn't work.  As you have already tested RADIUS is an
>> option.
>>
>>
>>
>> Luckily you are already aware of the issue so it is always a good way to
>> show the proctor you know what you are talking about.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>>
>> Technical Instructor - IPexpert, Inc.
>>
>> *From:* ccie_security-boun...@onlinestudylist.com [mailto:
>> ccie_security-boun...@onlinestudylist.com] *On Behalf Of *Piotr Kaluzny
>> *Sent:* Monday, March 15, 2010 9:28 AM
>> *To:* Kingsley Charles
>> *Cc:* ccie_security@onlinestudylist.com
>> *Subject:* Re: [OSL | CCIE_Security] Auth Proxy Telnet Vs http confusion
>>
>>
>>
>> Badar,
>>
>> What are the ACS logs saying about this?
>>
>> Regards,
>> --
>> Piotr Kaluzny
>> CCIE #25665 (Security), CCSP, CCNP
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>>  On Mon, Mar 15, 2010 at 2:19 PM, Kingsley Charles <
>> kingsley.char...@gmail.com> wrote:
>>
>> Did you try configuring one service with just auth-proxy and another one
>> with both auth-proxy and ip protocol?
>>
>>
>>
>> With regards
>>
>> Kin
>>
>>
>>
>>
>>
>>
>> On Mon, Mar 15, 2010 at 6:43 PM, Badar Farooq <badarfar...@gmail.com>
>> wrote:
>>
>> Well
>> HTTP proxy sends the following
>>
>> *Mar  1 00:13:45.399: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV service=auth-proxy
>> *Mar  1 00:13:45.403: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV cmd*
>> *Mar  1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV service=auth-proxy
>> *Mar  1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV cmd*
>>
>>
>> and Telnet
>>
>> *Mar  1 00:17:04.931: TPLUS: Sending AV service=auth-proxy
>> *Mar  1 00:17:04.931: TPLUS: Sending AV protocol=ip
>>
>> So when I have IP protocol with auth proxy, my http authentication fails,
>> but telnet works.
>>
>> All right, that's understandable, but still, if we are asked to have an HTTP
>> as well as telnet proxy, what would we do?
>>
>> And why is there this difference between telnet and http proxies and is
>> there a workaround?
>>
>>
>> Regards
>>
>>
>>
>> On Mon, Mar 15, 2010 at 3:41 PM, Kingsley Charles <
>> kingsley.char...@gmail.com> wrote:
>>
>> Hi Badar
>>
>>
>>
>> Turn on "debug tacacs" and you can see the AV attribute that the IOS
>> router is sending the ACS. Based on this only, you configure the "New
>> services".
>>
>>
>>
>>
>>
>> What are the request attributes sent for telnet proxy and http proxy with
>> debug tacacs?
>>
>>
>>
>>
>>
>> With regards
>>
>> Kings
>>
>> On Mon, Mar 15, 2010 at 2:41 PM, Badar Farooq <badarfar...@gmail.com>
>> wrote:
>>
>> I did some more research. Using radius, the issue doesn't happen.
>> I tested cisco av pairs
>>
>> auth-proxy:priv-lvl=15
>> auth-proxy:proxyacl#1=permit ip any any
>>
>> as well as
>>
>> shell:priv-lvl=15
>> shell:proxyacl#1=permit ip any any
>>
>> and http and telnet both work fine.
>> With Tacacs though, I am still having the issue.
>>
>> To recount, the issue is: if in services, while adding auth-proxy,
>> protocol ip is added, http proxy doesn't work and telnet proxy works, and if
>> the protocol field is left blank, http proxy works and telnet doesn't.
>>
>> Waiting for feedback from you guys :)
>>
>> Regards
>>
>>
>>
>>  On Mon, Mar 15, 2010 at 11:22 AM, Badar Farooq <badarfar...@gmail.com>
>> wrote:
>>
>> I am having a strange issue.
>> Using Auth proxy with tacacs+, if I use service auth-proxy without
>> mentioning the protocol, http proxy works fine. But telnet proxy doesn't
>> work.
>> Similarly, if I enable auth-proxy with ip protocol, telnet proxy works fine
>> but http proxy doesn't work.
>>
>> Ironically, if I add two proxy services, auth-proxy with protocol ip and
>> then without it, even then only one of the two works at any given time.
>>
>> I don't understand it. Looking forward to some feedback...
>>
>> Regards
>> Badar
>>
>>
>>
>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>
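
The difference between the two authorization requests in this thread can be extracted mechanically from the router debug output. The following is an added example, not part of the original messages: it parses the debug lines quoted above (e-mail line wraps undone) and reports which TACACS+ AV pairs each proxy type sends. The function names are hypothetical; the split on `=` versus `*` follows the TACACS+ convention that `=` marks a mandatory attribute and `*` an optional one.

```python
import re

# Debug lines as quoted in the thread, grouped the way the poster labelled them.
HTTP_DEBUG = """\
*Mar  1 00:13:45.399: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV service=auth-proxy
*Mar  1 00:13:45.403: FastEthernet0/1 AAA/AUTHOR/HTTP(3860994093): send AV cmd*
*Mar  1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV service=auth-proxy
*Mar  1 00:13:45.415: AAA/AUTHOR/TAC+: (3860994093): send AV cmd*
"""
TELNET_DEBUG = """\
*Mar  1 00:17:04.931: TPLUS: Sending AV service=auth-proxy
*Mar  1 00:17:04.931: TPLUS: Sending AV protocol=ip
"""

# Both debug formats seen in the thread: "send AV ..." and "Sending AV ...".
AV_LINE = re.compile(r"(?:send|Sending) AV (.+?)\s*$")
AV_PAIR = re.compile(r"([^=*]+)([=*])(.*)$")

def parse_av(av):
    """Split one AV pair into (name, 'mandatory'|'optional', value)."""
    m = AV_PAIR.match(av)
    if not m:
        raise ValueError(f"not an AV pair: {av!r}")
    name, sep, value = m.groups()
    return name, ("mandatory" if sep == "=" else "optional"), value

def request_avs(debug_text):
    """Collect the AV pairs of one authorization request; repeated lines collapse."""
    avs = {}
    for line in debug_text.splitlines():
        m = AV_LINE.search(line)
        if m:
            name, kind, value = parse_av(m.group(1))
            avs[name] = (kind, value)
    return avs

def diff_requests(first, second):
    """Return the AV pairs both requests share and those unique to each."""
    common = {k: v for k, v in first.items() if second.get(k) == v}
    only_first = {k: v for k, v in first.items() if k not in common}
    only_second = {k: v for k, v in second.items() if k not in common}
    return common, only_first, only_second

if __name__ == "__main__":
    common, http_only, telnet_only = diff_requests(
        request_avs(HTTP_DEBUG), request_avs(TELNET_DEBUG))
    print("common:     ", common)
    print("HTTP only:  ", http_only)
    print("Telnet only:", telnet_only)
```

Both requests carry `service=auth-proxy`; the HTTP request adds an optional, empty `cmd`, and only the Telnet request carries `protocol=ip`, which is the attribute the ACS service definition in the thread was keyed on.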