From: Kal Han (calikali2006@gmail.com)
Date: Wed Nov 22 2006 - 19:38:30 ART
Hello Friends.
I have this question on method lists used by auth-proxy authentication.
When I want to http connect to the router, it uses the method lists
defined on the console port.
When I want to telnet/ssh etc connect to router, it uses the method lists
defined on the vty lines.
What about auth-proxy? It's an HTTP authentication, but what method lists will
it use?
*Does it always use the default authentication list?*
Here is my config, and it's working fine.
R1#sh run | be line
line con 0
exec-timeout 0 0
privilege level 15
authorization exec NONE
logging synchronous
login authentication NONE
line aux 0
line vty 0 3
password cisco
authorization exec vtyssh
login authentication vtyssh
transport input telnet ssh
line vty 4
password cisco
authorization exec vtyssh
login authentication vtyssh
rotary 65
transport input telnet ssh
Here is my aaa config
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NONE none
aaa authentication login vtyssh local
aaa authorization exec default group tacacs+
aaa authorization exec NONE none
aaa authorization exec vtyssh local
aaa authorization auth-proxy default group tacacs+
aaa session-id common
Debugs show it picked up the default list, pointing to TACACS+, for
authentication. Here is the output.
*Mar 1 21:36:09.358: AAA/AUTHEN/START (1836189796): found list default
*Mar 1 21:36:09.358: AAA/AUTHEN/START (1836189796): Method=tacacs+ (tacacs+)
*Mar 1 21:36:09.358: TAC+: send AUTHEN/START packet ver=192 id=1836189796
*Mar 1 21:36:09.358: TAC+: Using default tacacs server-group "tacacs+" list.
*Mar 1 21:36:09.362: TAC+: Opening TCP/IP to 172.16.1.100/49 timeout=5
*Mar 1 21:36:09.366: TAC+: Opened
R1# TCP/IP handle 0x82EAD5B4 to 172.16.1.100/49 using source 11.11.11.11
*Mar 1 21:36:09.366: TAC+: 172.16.1.100 (1836189796) AUTHEN/START/LOGIN/ASCII queued
*Mar 1 21:36:09.566: TAC+: (1836189796) AUTHEN/START/LOGIN/ASCII processed
*Mar 1 21:36:09.566: TAC+: ver=192 id=1836189796 received AUTHEN status = GETUSER
*Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Status=GETUSER
*Mar 1 21:36:09.566: AAA/AUTHEN/CONT (1836189796): continue_login (user='(undef)')
*Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Status=GETUSER
*Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Method=tacacs+ (tacacs+)
*Mar 1 21:36:09.570: TAC+: send AUTHEN/CONT packet id=1836189796
*Mar 1 21:36:09.570: TAC+: 172.16.1.100 (1836189796) AUTHEN/CONT queued
*Mar 1 21:36:09.770: TAC+: (1836189796) AUTHEN/CONT processed
*Mar 1 21:36:09.770: TAC+: ver=192 id=1836189796 received AUTHEN status = GETPASS
*Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Status=GETPASS
*Mar 1 21:36:09.770: AAA/AUTHEN/CONT (1836189796): continue_login (user='admin')
*Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Status=GETPASS
*Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Method=tacacs+ (tacacs+)
*Mar 1 21:36:09.770: TAC+: send AUTHEN/CONT packet id=1836189796
*Mar 1 21:36:09.774: TAC+: 172.16.1.100 (1836189796) AUTHEN/CONT queued
*Mar 1 21:36:09.974: TAC+: (1836189796) AUTHEN/CONT processed
*Mar 1 21:36:09.974: TAC+: ver=192 id=1836189796 received AUTHEN status = PASS
*Mar 1 21:36:09.974: AAA/AUTHEN(1836189796): Status=PASS
*Mar 1 21:36:09.974: TAC+: Closing TCP/IP 0x82EAD5B4 connection to 172.16.1.100/49
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): Port='FastEthernet0/1' list='default' service=AUTH-PROXY
*Mar 1 21:36:09.978: AAA/AUTHOR/HTTP: FastEthernet0/1(1076682770) user='admin'
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): send AV service=auth-proxy
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): send AV cmd*
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): found list "default"
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): Method=tacacs+ (tacacs+)
*Mar 1 21:36:09.978: AAA/AUTHOR/TAC+: (1076682770): user=admin
*Mar 1 21:36:09.978: AAA/AUTHOR/TAC+: (1076682770): send AV service=auth-proxy
*Mar 1 21:36:09.982: AAA/AUTHOR/TAC+: (1076682770): send AV cmd*
*Mar 1 21:36:09.982: TAC+: using previously set server 172.16.1.100 from group tacacs+
*Mar 1 21:36:09.982: TAC+: Opening TCP/IP to 172.16.1.100/49 timeout=5
*Mar 1 21:36:09.986: TAC+: Opened TCP/IP handle 0x82EAE974 to 172.16.1.100/49 using source 11.11.11.11
*Mar 1 21:36:09.986: TAC+: Opened 172.16.1.100 index=1
*Mar 1 21:36:09.986: TAC+: 172.16.1.100 (1076682770) AUTHOR/START queued
*Mar 1 21:36:10.186: TAC+: (1076682770) AUTHOR/START processed
*Mar 1 21:36:10.186: TAC+: (1076682770): received author response status = PASS_ADD
*Mar 1 21:36:10.186: TAC+: Closing TCP/IP 0x82EAE974 connection to 172.16.1.100/49
*Mar 1 21:36:10.190: TAC+: Received Attribute "priv-lvl=15"
*Mar 1 21:36:10.190: TAC+: Received Attribute "proxyacl#1=permit ip any any"
*Mar 1 21:36:10.190: AAA/AUTHOR (1076682770): Post authorization status = PASS_ADD
Please let me know.
Thanks
Kal
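As an added illustration (not part of the original message), the following script parses IOS AAA debug lines of the kind quoted above to record which method list each AUTHEN/AUTHOR session actually selected, resolves that list against the `aaa authentication login` / `aaa authorization auth-proxy` lines of the config, and flags any selected list that would fall through to the `none` method; the sample debug and config lines are constructed, abridged copies of those in the post, and the regexes assume the debug format shown there.

```python
import re
# Constructed samples: debug lines quoted in the post (abridged) and its aaa method lists.
DEBUG = """\
*Mar 1 21:36:09.358: AAA/AUTHEN/START (1836189796): found list default
*Mar 1 21:36:09.974: AAA/AUTHEN(1836189796): Status=PASS
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): Port='FastEthernet0/1' list='default' service=AUTH-PROXY
*Mar 1 21:36:10.190: TAC+: Received Attribute "proxyacl#1=permit ip any any"
*Mar 1 21:36:10.190: AAA/AUTHOR (1076682770): Post authorization status = PASS_ADD
"""
AAA_CONFIG = """\
aaa authentication login default group tacacs+
aaa authentication login NONE none
aaa authorization auth-proxy default group tacacs+
"""
LINE_RE = re.compile(r"AAA/(AUTHEN|AUTHOR)(?:/\w+)? ?\((\d+)\): (.*)")
ATTR_RE = re.compile(r'Received Attribute "([^"]+)"')

def parse_method_lists(config):
    """Map (aaa type, list name) -> methods, e.g. ('login', 'default') -> ['group tacacs+']."""
    lists = {}
    for line in config.splitlines():
        if m := re.match(r"aaa (?:authentication|authorization) (\S+) (\S+) (.*)", line):
            kind, name, rest = m.groups()
            lists[(kind, name)] = re.findall(r"group \S+|\S+", rest)
    return lists

def parse_debug(text):
    """Per AAA session id: phase, the list the router picked, service, final status, attributes."""
    sessions, current = {}, None
    for line in text.splitlines():
        if m := LINE_RE.search(line):
            phase, sid, rest = m.groups()
            current = s = sessions.setdefault(sid, {"phase": phase, "attrs": []})
            if lm := re.search(r"found list (\S+)|list='([^']+)'", rest):
                s["list"] = lm.group(1) or lm.group(2)
            if sm := re.search(r"service=(\S+)", rest):
                s["service"] = sm.group(1).lower()
            if st := re.search(r"[Ss]tatus ?= ?(\S+)", rest):
                s["status"] = st.group(1)
        elif current and (am := ATTR_RE.search(line)):
            current["attrs"].append(am.group(1))  # TAC+ attribute lines carry no session id
    return sessions

def audit(sessions, lists):
    """Flag sessions whose selected list contains the 'none' method (it would accept anyone)."""
    findings = []
    for sid, s in sessions.items():
        kind = "login" if s["phase"] == "AUTHEN" else s.get("service", "exec")
        if "list" in s and "none" in lists.get((kind, s["list"]), []):
            findings.append(f"session {sid}: {s['phase']} list '{s['list']}' falls through to none")
    return findings
```

With the post's config the audit returns nothing; the same debug lines checked against a config whose default login list ends in `none` produce one finding for the AUTHEN session.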
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART