Ha Ali, you're talking about a different method of configuring auth-proxy - it's called "IOS auth-proxy with Downloadable ACLs (RADIUS)", where you don't have to have an ACL configured on the interface, as it is downloaded from ACS. And at the beginning of this topic we were talking about "IOS auth-proxy with Downloadable ACEs (TACACS+)", where you should have the ACL already configured, because in this method single ACEs (ACL entries) are downloaded.
On IOS, the easiest way of configuring your method is to configure RADIUS with the "Downloadable ACLs" user/group attribute. First, you configure the ACL in Shared Profile Components > Downloadable IP ACLs, and then you mark that ACL in "Assign IP ACL" in the user/group configuration. In that case, the whole ACL is downloaded to the router and, typing "show access-l" on the router, you should see the name of that ACL. You can also see that ACL by typing "show epm session ip 10.1.100.100" (supposing your client IP is 10.1.100.100). Unfortunately, I haven't found any example on the Internet (with the IOS auth-proxy version) - I can only see ASA cut-through examples, like this: http://www.wr-mem.com/?p=109. The example with IOS is in the book "Cisco Firewalls" by Cisco Press.

And at the beginning of this topic we were talking about configuring auth-proxy in TACACS+, filling New Service "auth-proxy" Custom attributes, where you should already have an ACL on the router's interface. Even if the ACL on the router has only a "deny ip any any" statement, after successful user authentication, ACEs (Access Control Entries) are downloaded and added on top of the ACL. During this process, the word "any" in the ACE is replaced with the IP of the client. So, for example, when you have the interface configuration below:

    interface Vlan100
     ip address 10.1.100.15 255.255.255.0
     ip access-group AUTH-PROXY-ACL in
     ip auth-proxy AUTH-PROXY
    end

you should see something like this:

    Router#sh access-list
    Extended IP access list AUTH-PROXY-ACL
        permit icmp host 10.1.100.100 any
        permit tcp host 10.1.100.100 any eq 80 (17 matches)
        10 deny ip any any (1010 matches)

(those first two entries were downloaded during the authorization process). This method is described for example here: http://www.wr-mem.com/?p=111

Marta Sokolowska.
2012/2/9 HA Ali <[email protected]>
>
> While doing debugs I get the following messages
>
> *Mar 1 00:40:26.271: TAC+: Received Attribute "priv-lvl=15"
> *Mar 1 00:40:26.271: TAC+: Received Attribute "proxyacl#1=permit tcp any any eq 80"
> *Mar 1 00:40:26.275: TAC+: Received Attribute "proxyacl#2=permit icmp any any"
> *Mar 1 00:40:26.275: AAA/AUTHOR (1909359833): Post authorization status = PASS_ADD
>
> and on the client end I see authentication successful. But on the router when I do show ip access-list or show access-list I don't see any ACL. I remember in ASA the command was show uauth to check that; is there any different command to check these dynamic ACLs I can't remember at the moment.
>
> On IOS when I do show ip auth-proxy cache, I can see the client IP address and username.
>
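As an added illustration (not part of this thread or of any Cisco code), the Python below models the TACACS+ downloadable-ACE behaviour described in the reply: it parses the proxyacl#N attributes out of the quoted debug output, rebinds the source "any" to the authenticated client's host address, and installs the result on top of the interface ACL. Two assumptions of this model: each ACE is inserted at the top in turn (which reproduces the order in the show access-list output above), and an ACE whose source is not "any" is refused rather than installed.

```python
import re

# Constructed sample: the TAC+ debug lines quoted in the message above.
DEBUG_LINES = [
    '*Mar 1 00:40:26.271: TAC+: Received Attribute "priv-lvl=15"',
    '*Mar 1 00:40:26.271: TAC+: Received Attribute "proxyacl#1=permit tcp any any eq 80"',
    '*Mar 1 00:40:26.275: TAC+: Received Attribute "proxyacl#2=permit icmp any any"',
]

ATTR_RE = re.compile(r'Received Attribute "proxyacl#(\d+)=([^"]+)"')
ACE_RE = re.compile(r'^(permit|deny)\s+(\S+)\s+any\s+(.+)$')

def parse_proxyacl(lines):
    """Collect proxyacl#N attributes from debug output, ordered by N."""
    found = {}
    for line in lines:
        m = ATTR_RE.search(line)
        if m:
            found[int(m.group(1))] = m.group(2).strip()
    return [found[n] for n in sorted(found)]

def bind_to_client(ace, client_ip):
    """Replace the source 'any' with the authenticated client's host address.
    An ACE whose source is not 'any' is refused (assumption of this model),
    so a mis-typed attribute never becomes an entry that matches every host."""
    m = ACE_RE.match(ace)
    if not m:
        raise ValueError(f"unexpected ACE form: {ace!r}")
    action, proto, rest = m.groups()
    return f"{action} {proto} host {client_ip} {rest}"

def apply_auth_proxy(interface_acl, proxy_aces, client_ip):
    """Install each client-bound ACE at the top of the interface ACL in turn,
    so proxyacl#2 ends up above proxyacl#1, as in the show output quoted above."""
    acl = list(interface_acl)
    for ace in proxy_aces:
        acl.insert(0, bind_to_client(ace, client_ip))
    return acl

def show_access_list(name, acl):
    """Render the ACL roughly the way 'show access-list' prints it."""
    return "\n".join([f"Extended IP access list {name}"] + [f"    {e}" for e in acl])

if __name__ == "__main__":
    aces = parse_proxyacl(DEBUG_LINES)
    acl = apply_auth_proxy(["deny ip any any"], aces, "10.1.100.100")
    print(show_access_list("AUTH-PROXY-ACL", acl))
```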
