If I am not mistaken, I tried it out today on an IPexpert rack.

I tried to put a method list on the HTTP server and it didn't work, only with 
local user; when I enabled the login default tacacs, it authenticated against 
AAA, so by that test/error scenario, I would say it overrides it. 

I was a bit scared that this was very quiet during the weekend, I thought 
everyone just gave up ;)

Mike. 

From: [email protected]
To: [email protected]
Date: Sun, 29 Jul 2012 20:17:47 +0000
Subject: [OSL | CCIE_Security] HTTP authentication with auth-proxy

I have an interesting observation while testing auth-proxy on a router.
The authenticating router has HTTP server enabled but there’s nothing set for 
authentication yet.
 
I see that the HTTP server default authentication method is set to “enable”:
 
R4#sh ip http server all
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: enable
 
When I initiate an HTTP session to the host behind the router R4, I’m challenged 
with the authentication window, log in as “httpuser” that is stored in TACACS 
and it is successful.
 
R4#sh ip auth-proxy cache
Authentication Proxy Cache
Client Name httpuser, Client IP 200.13.24.200, Port 1456, timeout 60, Time 
Remaining 54, state ESTAB
 
Doing HTTP debugs on the router shows me that the router chooses aaa as 
auth-type.
 
*Jul 29 19:55:47.613: uname httpuser
*Jul 29 19:55:47.613: timetag 91998348
*Jul 29 19:55:47.613: HTTP: Authentication proxy_username = 'httpuser' 
priv-level = 0 auth-type = aaa
 
The question is: if we set “aaa authentication login default group tacacs” and 
“aaa authorization auth-proxy default group tacacs”, does it override the local 
HTTP authentication method?
 
Eugene
 
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com                                         
_______________________________________________