The "deny all" denies HTTP management traffic to the router performing auth-proxy, and it should not affect the auth-proxy functionality.

I think auth-proxy doesn't work with custom ports consistently with all images. It has never worked for me :-(

With regards
Kings

On Mon, Jul 4, 2011 at 12:22 PM, Piotr Matusiak <[email protected]> wrote:

> you're denying all access to your http server with an access-list.
>
> 2011/7/4 Mark Senteza <[email protected]>
>
>> It still doesn't work for me.
>>
>> Here's my configuration
>>
>> ip http port 8888
>> ip port-map http port tcp 8888
>> ip http authentication aaa
>> ip http access-class 10
>>
>> access-list 10 deny any
>>
>> ip tacacs source-interface Loopback0
>> tacacs-server host 10.100.22.100
>> tacacs-server key CISCO
>>
>> aaa new-model
>> aaa authentication login CONSOLE none
>>
>> aaa authentication login default group tacacs+
>> aaa authorization auth-proxy default group tacacs+
>>
>> ip auth-proxy name AUTH http
>>
>> interface fa 0/0.40
>> ip auth-proxy AUTH
>>
>> line con 0
>> login authentication CONSOLE
>>
>> On Sun, Jul 3, 2011 at 12:30 AM, Piotr Matusiak <[email protected]> wrote:
>>
>>> It works for a non-standard port, but only one at a time. You must have a local
>>> HTTP server on that port and an appropriate PAM entry for that port, for
>>> example:
>>>
>>> ip http port 8888
>>> ip port-map http port tcp 8888
>>>
>>> Regards,
>>> Piotr
>>>
>>> 2011/7/3 Kingsley Charles <[email protected]>
>>>
>>>> It has not worked for me after adding a PAM entry.
>>>>
>>>> Snippet from
>>>> http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authen_prxy_ps6441_TSD_Products_Configuration_Guide_Chapter.html
>>>>
>>>> Restrictions for Configuring Authentication Proxy
>>>>
>>>> • The authentication proxy triggers only on HTTP connections.
>>>>
>>>> • HTTP services must be running on the standard (well-known) port, which
>>>> is port 80 for HTTP.
>>>>
>>>> • Client browsers must enable JavaScript for secure authentication.
>>>>
>>>> • The authentication proxy access lists apply to traffic passing through
>>>> the router. Traffic destined to the router is authenticated by the existing
>>>> authentication methods provided by Cisco IOS software.
>>>>
>>>> • The authentication proxy does not support concurrent usage; that is, if
>>>> two users try to log in from the same host at the same time, authentication
>>>> and authorization applies only to the user who first submits a valid
>>>> username and password.
>>>>
>>>> • Load balancing using multiple or different AAA servers is not
>>>> supported.
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Sun, Jul 3, 2011 at 6:34 AM, Mark Senteza <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I've been trying to get the IOS auth-proxy feature to work when sending
>>>>> http traffic to port 8080 but can seem to get it working. Is it possible
>>>>> for authentication proxy to match traffic on non-standard ports?
>>>>>
>>>>> I've tried using the PAM feature on the auth-proxy router to add port
>>>>> 8080 as a HTTP port but that hasn't made a difference.
>>>>>
>>>>> Thanks
>>>>>
>>>>> Mark
>>>>>
>>>>> _______________________________________________
>>>>> For more information regarding industry leading CCIE Lab training,
>>>>> please visit www.ipexpert.com
>>>>>
>>>>> Are you a CCNP or CCIE and looking for a job? Check out
>>>>> www.PlatinumPlacement.com
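Added example, not part of the thread and not Cisco's code: a small Python check that reads an IOS configuration and reports whether the conditions raised in the thread hold (HTTP server port and PAM entry on the same port, an auth-proxy authorization method list, the named rule applied, and an HTTP access-class that permits no hosts). The function names and the finding texts are assumptions made for this illustration, and the checks encode what the participants state, not verified IOS behaviour.

```python
import re

# Constructed input: the relevant lines of the configuration posted in the thread.
SAMPLE = """\
ip http port 8888
ip port-map http port tcp 8888
ip http access-class 10
access-list 10 deny any
aaa authorization auth-proxy default group tacacs+
ip auth-proxy name AUTH http
interface fa 0/0.40
ip auth-proxy AUTH
"""

def grab(pattern, lines):
    """Collect group 1 of every line that fully matches pattern."""
    return {m.group(1) for l in lines if (m := re.fullmatch(pattern, l))}

def check_auth_proxy(config):
    """Return findings for the auth-proxy prerequisites discussed in the thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # Piotr's condition: local HTTP server and PAM entry on the same port.
    http_ports = grab(r"ip http port (\d+)", lines) or {"80"}  # 80 is the default
    pam_ports = grab(r"ip port-map http port (?:tcp )?(\d+)", lines)
    for port in sorted(http_ports - pam_ports - {"80"}):
        findings.append(f"HTTP server on port {port} has no PAM entry")
    for port in sorted(pam_ports - http_ports):
        findings.append(f"PAM maps http to port {port} but the HTTP server is not on it")
    if not any(l.startswith("aaa authorization auth-proxy ") for l in lines):
        findings.append("no 'aaa authorization auth-proxy' method list")
    # Every named rule should be applied somewhere (interface context not tracked).
    for name in sorted(grab(r"ip auth-proxy name (\S+) http.*", lines)):
        if f"ip auth-proxy {name}" not in lines:
            findings.append(f"auth-proxy rule {name} is not applied to an interface")
    # Reported neutrally: the thread disagrees on whether this affects auth-proxy.
    for acl in sorted(grab(r"ip http access-class (\d+)", lines)):
        entries = [l for l in lines if l.startswith(f"access-list {acl} ")]
        if entries and not any(" permit " in e for e in entries):
            findings.append(f"ip http access-class {acl} permits no hosts")
    return findings

if __name__ == "__main__":
    for finding in check_auth_proxy(SAMPLE):
        print(finding)
```

On the configuration from the thread the only finding is the access-class one; a configuration that adds a PAM entry for 8080 without moving the HTTP server, as in the original question, is reported as a port mismatch.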
