All,
When setting up this lab I can get all the way up to R7 sending the author
request, but with a blank username, and hence it fails.


!
aaa new-model
aaa authentication login default none
aaa authentication login VTY group tacacs+
aaa authorization exec VTY group tacacs+
aaa authorization auth-proxy default group tacacs+
!
ip http server
ip http secure-server
!
ip auth-proxy auth-proxy-banner http ^C
ip auth-proxy inactivity-timer 15
ip auth-proxy absolute-timer 90
ip auth-proxy name AUTHPROXY http inactivity-time 15 list AUTHPROXY
ip admission auth-proxy-banner http ^C

!I don't think we need to allow entries 1 and 2 as I get the same result
without them.
Extended IP access list V78_IN
    1 permit tcp any host 9.7.7.7 eq www
    2 permit tcp any host 9.7.7.7 eq 443
    10 permit icmp any any echo
    20 permit icmp any any unreachable
    30 permit icmp any any time-exceeded
    40 permit icmp any any echo-reply
    50 deny ip 9.2.1.0 0.0.0.255 9.7.7.0 0.0.0.255 log (3 matches)
    60 permit ip any any (2372 matches)

Extended IP access list AUTHPROXY
    10 permit tcp 9.2.1.0 0.0.0.255 9.7.7.0 0.0.0.255 eq www (39 matches)
    20 permit tcp 9.2.1.0 0.0.0.255 9.7.7.0 0.0.0.255 eq 443 (30 matches)

!
!
interface FastEthernet0/1.78
 encapsulation dot1Q 78
 ip address 9.9.156.7 255.255.255.0
 ip access-group V78_IN in
 ip nat enable
 ip auth-proxy AUTHPROXY



Get this in the debugs

Jul 14 12:32:36.131: AAA: parse name=FastEthernet0/1.78 idb type=-1 tty=-1
*Jul 14 12:32:36.135: AAA/MEMORY: create_user (0x662262DC) user='NULL'
ruser='NULL' ds0=0 port='FastEthernet0/1.78' rem_addr='9.2.1.100'
authen_type=ASCII service=LOGIN priv=0 initial_task_id='0', vrf= (id=0)*
Jul 14 12:32:36.139: AAA/AUTHEN/START (282743291):
port='FastEthernet0/1.78' list='default' action=LOGIN service=LOGIN
Jul 14 12:32:36.143: AAA/AUTHEN/START (282743291): found list default
Jul 14 12:32:36.143: AAA/AUTHEN/START (282743291): Method=NONE
*Jul 14 12:32:36.147: AAA/AUTHEN(282743291): Status=PASS*
*Jul 14 12:32:36.151: FastEthernet0/1.78 AAA/AUTHOR/HTTP(4276998975):
Port='FastEthernet0/1.78' list='default' ser*
*R7#vice=AUTH-PROXY*
Jul 14 12:32:36.151: AAA/AUTHOR/HTTP: FastEthernet0/1.78(4276998975) user=''
Jul 14 12:32:36.155: FastEthernet0/1.78 AAA/AUTHOR/HTTP(4276998975): send
AV service=auth-proxy
Jul 14 12:32:36.155: FastEthernet0/1.78 AAA/AUTHOR/HTTP(4276998975): send
AV cmd*
Jul 14 12:32:36.159: FastEthernet0/1.78 AAA/AUTHOR/HTTP(4276998975): found
list "default"
Jul 14 12:32:36.163: FastEthernet0/1.78 AAA/AUTHOR/HTTP(4276998975):
Method=tacacs+ (tacacs+)
*Jul 14 12:32:36.163: %AAA/AUTHOR/TAC+: (4276998975): no username in request
*
Jul 14 12:32:36.167: AAA/AUTHOR/TAC+: (4276998975): send AV
service=auth-proxy
Jul 14 12:32:36.167: AAA/AUTHOR/TAC+: (4276998975): send AV cmd*
Jul 14 12:32:36.247: AUTH-PROXY:proto_flag=4, dstport_index=0
Jul 14 12:32:36.251: AUTH-PROXY:Protocol not configured on if_input
Jul 14 12:32:36.463: AUTH-PROXY:proto_flag=4, dstport_index=0
Jul 14 12:32:36.463: AUTH-PROXY:Protocol not configured on if_input
Jul 14 12:32:36.479: TAC+: (-17968321): received au
*R7#thor response status = FAIL*
*Jul 14 12:32:36.487: AAA/AUTHOR (4276998975): Post authorization status =
FAIL*

ACS LOGS

   Filtering is not applied.

Date: 07/14/2012
Time: 12:32:37
Message-Type: Author failed
User-Name: ..
Group-Name: Default Group
Caller-ID: 9.2.1.100
Network Access Profile Name: (Default)
Authen-Failure-Code: ..
Author-Failure-Code: User unknown
Author-Data: ..
NAS-Port: FastEthernet0/1.78
NAS-IP-Address: 9.9.156.7
Filter Information: ..
PEAP/EAP-FAST-Clear-Name: ..
EAP Type: ..
EAP Type Name: ..
Reason: ..
Access Device: R7.ipexpert.com
Network Device Group: ..

What am I missing here?