I got this from the following mentioned link. I don't think in this example they
applied an ACL on the physical interface. I tested it by putting an ACL on the
physical interface and it worked. Do you think of this example as a mistake?
HTTP Server Configuration Example
! Enable the HTTP server on the router.
ip http server
! Set the HTTP server authentication method to AAA.
ip http authentication aaa
! Define standard access list 61 to deny any host.
access-list 61 deny any
! Use ACL 61 to deny connections from any host to the HTTP server.
ip http access-class 61
Authentication Proxy Configuration Example
! Set the global authentication proxy timeout value.
ip auth-proxy auth-cache-time 60
! Apply a name to the authentication proxy configuration rule.
ip auth-proxy name HQ_users http
Interface Configuration Example
! Apply the authentication proxy rule at an interface.
interface e0
ip address 10.1.1.210 255.255.255.0
ip auth-proxy HQ_users
Source :
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_auth/configuration/12-4t/sec-cfg-authen-prxy.html#GUID-F3BE28D3-822F-4F0F-A46F-59C7B01F74AF
From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] ACL and auth-proxy
Date: Thu, 9 Feb 2012 12:52:03 +0000
To see the authenticated user you can use: show ip auth-proxy cache
And please note that if there is no ACL applied on the interface, no ACL will be
installed, and that is logical, because if there is no access list there, then
the downloaded ACL will limit the open protocols and ports on time, and that is not
the work of auth-proxy.
Regards
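To make the point in the reply above concrete, here is an added configuration example (it is not part of the thread and not the configuration from the Cisco document that was linked). It reuses the interface, address and rule name from the quoted Cisco example and adds the piece the reply says is missing: an inbound ACL on the interface, which is where auth-proxy inserts the downloaded proxyacl entries once the user authenticates. ACL number 105 and the explicit permit for HTTP to the router itself are assumptions.

```cisco
! Added example, not from the thread or the Cisco document.
! ACL 105 is the inbound interface ACL that auth-proxy will modify.
! Everything from the inside segment is denied until the user authenticates.
! Assumption: the permit for HTTP to the router's own address keeps the
! login page reachable; check whether your IOS release needs it.
access-list 105 permit tcp any host 10.1.1.210 eq www
access-list 105 deny ip any any
!
! Same auth-proxy rule as in the Cisco example, now with the ACL applied inbound.
interface e0
 ip address 10.1.1.210 255.255.255.0
 ip access-group 105 in
 ip auth-proxy HQ_users
!
! Verification after a client has authenticated:
!   show ip auth-proxy cache      -> lists the client IP and username
!   show ip access-lists 105      -> shows the downloaded proxyacl entries
!                                    (source "any" replaced by the client address)
! Without "ip access-group 105 in" the cache entry still appears, but there is
! no interface ACL for the proxyacl entries to be inserted into, which matches
! what the original poster saw.
```

Only the permit and deny lines in ACL 105 decide what an unauthenticated host can reach; the proxyacl attributes returned by the AAA server (such as the two in the debug output below) are what gets opened for the authenticated host, and they are removed again when the auth-proxy cache entry times out.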
From: [email protected]
To: [email protected]
Date: Thu, 9 Feb 2012 16:59:39 +0500
Subject: [OSL | CCIE_Security] ACL and auth-proxy
While doing debugs I get following messages
*Mar 1 00:40:26.271: TAC+: Received Attribute "priv-lvl=15"
*Mar 1 00:40:26.271: TAC+: Received Attribute "proxyacl#1=permit tcp any any eq 80"
*Mar 1 00:40:26.275: TAC+: Received Attribute "proxyacl#2=permit icmp any any"
*Mar 1 00:40:26.275: AAA/AUTHOR (1909359833): Post authorization status = PASS_ADD
and on the client end I see authentication successful. But on the router, when I do
show ip access-list or show access-list, I don't see any ACL. I remember in ASA
the command was show uauth to check that; is there any different command to
check these dynamic ACLs that I can't remember at the moment?
On IOS when I do show ip auth-proxy cache, I can see the client IP address and
username.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com