According to the Cisco TAC link I posted previously, you want to reply
with (minimum):

Cisco-AVPair = "auth-proxy:priv-lvl=15"
Cisco-AVPair = "auth-proxy:proxyacl#1=first ACE"
Cisco-AVPair = "auth-proxy:proxyacl#2=second ACE"
Cisco-AVPair = "auth-proxy:proxyacl#3=and so on and so forth"

I would recommend that you debug RADIUS packets on your router - or
better yet, run FreeRADIUS in debug mode - to see what attributes the
router is sending.  You can derive a list of attributes to check in the
access-request packet from the debug output.  For example (completely
untested):

# Check items go on the first line; reply items follow, indented.
# "+=" appends each further Cisco-AVPair (a repeated "=" adds only the first).
username        Auth-Type := Local, Password == "password", Service-Type == Outbound-User
                Cisco-AVPair = "auth-proxy:priv-lvl=15",
                Cisco-AVPair += "auth-proxy:proxyacl#1=permit tcp any any",
                Cisco-AVPair += "auth-proxy:proxyacl#2=permit udp any any",
                Cisco-AVPair += "auth-proxy:proxyacl#3=permit icmp any any",
                Service-Type = Outbound-User

Check
http://www.cisco.com/warp/public/793/ios_fw/trouble_auth.shtml#radius -
which has an IOS debug showing the RADIUS attributes sent and received.

For additional IOS config help, check:
http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Software:Cisco_IOS_Firewall&viewall=true

DP
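
As an added example (not part of the original message, and not FreeRADIUS or Cisco code), the Python below builds auth-proxy reply items that permit only a user's assigned servers, lints a reply list such as the one above, and formats the users-file entry. The function names, the sample user, the 192.0.2.x addresses and the rule that proxyacl entries run 1..N with source "any" are assumptions made for illustration.

```python
import re

AVPAIR_RE = re.compile(r"^auth-proxy:(priv-lvl|proxyacl#(\d+))=(.+)$")

def build_avpairs(servers, port=80):
    """AVPair values that let a user reach only the listed server IPs."""
    pairs = ["auth-proxy:priv-lvl=15"]
    for n, ip in enumerate(servers, start=1):
        pairs.append(f"auth-proxy:proxyacl#{n}=permit tcp any host {ip} eq {port}")
    return pairs

def lint_avpairs(pairs):
    """Return a list of problems in a user's auth-proxy AVPair values."""
    problems, numbers, priv = [], [], None
    for value in pairs:
        m = AVPAIR_RE.match(value)
        if not m:
            problems.append(f"not an auth-proxy AVPair: {value}")
        elif m.group(1) == "priv-lvl":
            priv = m.group(3)
        else:
            numbers.append(int(m.group(2)))
            # ACE layout assumed: <action> <proto> <source> <destination> ...
            if m.group(3).split()[2:4] == ["any", "any"]:
                problems.append(f"proxyacl#{m.group(2)} permits any destination")
    if priv != "15":
        problems.append("priv-lvl=15 missing")
    # Assumption: entries are numbered 1..N in order, as in the listing above.
    if numbers != list(range(1, len(numbers) + 1)):
        problems.append("proxyacl numbering is not 1..N")
    return problems

def users_entry(name, password, pairs):
    """Format a users-file entry; '+=' appends repeated reply attributes."""
    lines = [f'{name}\tAuth-Type := Local, Password == "{password}", '
             "Service-Type == Outbound-User"]
    for i, value in enumerate(pairs):
        op = "=" if i == 0 else "+="
        lines.append(f'\tCisco-AVPair {op} "{value}",')
    lines.append("\tService-Type = Outbound-User")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample: one user limited to two web servers.
    pairs = build_avpairs(["192.0.2.10", "192.0.2.11"])
    print(users_entry("alice", "password", pairs))
    print(lint_avpairs(["auth-proxy:priv-lvl=15",
                        "auth-proxy:proxyacl#1=permit tcp any any"]))
```
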


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> leonidasterra
> Sent: Wednesday, July 09, 2003 7:34 PM
> To: freeradius-users
> Subject: RE: Cisco IOS/Firewall HTTP Authentication through Freeradius
>
>
> Thank you all for the answers. As the number of accesses to the
> web servers will be low, there will be no problem with router
> performance.
>
> I got some hint files on the Freeradius site for its
> configuration, but do you know where there would be further
> information for such RADIUS/Freeradius configuration?
>
> Thanks in advance, Leonidas.
>
> > Can't say whether it's a good idea or not to run this feature on the
> > Cisco router in Leonidas' particular environment, but there *is* a
> > feature of the Cisco IOS that supports HTTP Authentication, called
> > "Authentication Proxy":
> >
> > http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094eb0.shtml
> >
> > ... which uses server-based authentication (TACACS+ or RADIUS) to
> > authenticate users via an HTTP session and assign user-based ACLs.  I
> > can't see why it wouldn't work with FreeRADIUS.
> >
> > I would recommend checking the Software Advisor to see which
> > platforms/feature-sets support the proxy.
> >
> > DP
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > Gene Parks
> > Sent: Wednesday, July 09, 2003 6:45 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Cisco IOS/Firewall HTTP Authentication through Freeradius
> >
> >
> > The firewall function that comes in the IOS for Cisco does
> > not have the granularity that you are looking for.  Plus you
> > are asking a router to do the work of both the router and the
> > firewall at the same time.  Cisco is good but the router will
> > choke if you have a lot of connections.  I would think of a
> > redesign of the network and put the authentication function
> > on the web server.  I would also use the firewall software to
> > limit the access to ports on those servers and not do the
> > authentication function.  The router will thank you later.
> >
> > Just my two cents.
> >
> > Gene Parks
> > VIP Direct
> >
> > -----Original Message-----
> > From: leonidasterra [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 09, 2003 12:57 AM
> > To: freeradius-users
> > Subject: Cisco IOS/Firewall HTTP Authentication through Freeradius
> >
> >
> > Hi everyone! I'm new to RADIUS hands on and also to this group.
> >
> > I'm planning a LAN with 16 web servers inside. The users in
> > the Web will reach a Cisco router with IOS/Firewall, placed
> > at the edge of this LAN. So, this IOS/Firewall will prompt
> > (in the user's browser) an HTTP screen as access request
> > (login/password).
> >
> > The user then sends information to IOS/Firewall, which
> > authenticates and authorizes it in Freeradius. Now, a
> > specific user is authenticated and only accesses its assigned
> > servers, as configured in Freeradius.
> >
> > Has someone faced a similar environment with Freeradius and
> > Cisco Firewall?
> >
> > Were there any errors or incompatibilities?
> >
> > Lastly, is a database software (MySQL, DB2,
> > Oracle, Databliz, ...) necessary to work with Freeradius?
> >
> > Thanks in advance, Leonidas!
> >
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>