Hi all,

Can I confirm my understanding of CTP / Auth Proxy via your collective wisdom?

1. IOS Auth Proxy: the interface ACL can block all flows, even HTTP/Telnet that overlap the auth proxy list. I.e., deny ip any any works with Auth Proxy. The auth proxy list takes precedence: it redirects the incoming flow (even if denied by the interface ACL) to the AAA process. A downloaded ACL can add permits to the interface ACL.

2. ASA CTP is different: the interface ACL must allow the aaa authentication match ACL. After AAA, the downloaded ACL can add more permits to the interface ACL but must be a superset of the match ACL.

Any bugs in this understanding?

Regards
Richard
