Guys,

Any idea why this is not working?

aaa authentication login default group tacacs+
aaa authentication login CONSOLE none
aaa authorization exec default group tacacs+
aaa authorization auth-proxy default group tacacs+

ip auth-proxy auth-proxy-banner telnet ^C TELNET AUTH ^C
ip auth-proxy name AP telnet inactivity-time 60 list auth_proxy

interface FastEthernet0/0
ip address 192.168.1.89 255.255.255.0
ip access-group inbound in
ip auth-proxy AP

ip access-list extended auth_proxy
permit tcp any host 150.7.7.2 eq telnet
ip access-list extended inbound
deny   tcp any host 150.7.7.2 eq telnet
permit ip any any

tacacs-server host 192.168.1.2
tacacs-server directed-request
tacacs-server key CISCO

On ACS:

Router is added as a client with the correct pre-shared key and IP.
User created on ACS "authuser" with the password of cisco.
auth-proxy attributes under "authuser" profile:

priv-lvl=15
proxyacl#1=permit tcp any host 150.7.7.2 eq 23

Test from router:

RouterD#test aaa group tacacs authuser cisco leg
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Test from PC:

TELNET AUTH
Username:authuser
Password:
Firewall authentication Failed.Please Retry
Username:

ACS LOG:

Message-type:  AUTHOR FAILED
Author Failure-code: SERVICE DENIED
Author-Data: service=auth-proxy  protocol= IP

Thanks
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com

Reply via email to