From: Lab Rat #109385382 (techlist01@gmail.com)
Date: Thu Nov 23 2006 - 02:04:01 ART
<< When I want to http connect to the router, it uses the method lists
defined on the console port.>>
I didn't know about this one... Where can I read about it on the Doc CD?
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kal
Han
Sent: Wednesday, November 22, 2006 2:39 PM
To: Groupstudy; Cisco certification
Subject: auth-proxy method lists for authentication.
Hello Friends.
I have this question on method lists used by auth-proxy authentication.
When I want to http connect to the router, it uses the method lists defined
on the console port.
When I want to telnet/ssh etc connect to router, it uses the method lists
defined on the vty lines.
What about auth-proxy? It's an HTTP authentication, but what method lists will
it use?
Does it always use the default authentication list?
Here is my config and its working fine.
R1#sh run | be line
line con 0
exec-timeout 0 0
privilege level 15
authorization exec NONE
logging synchronous
login authentication NONE
line aux 0
line vty 0 3
password cisco
authorization exec vtyssh
login authentication vtyssh
transport input telnet ssh
line vty 4
password cisco
authorization exec vtyssh
login authentication vtyssh
rotary 65
transport input telnet ssh
Here is my aaa config
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NONE none
aaa authentication login vtyssh local
aaa authorization exec default group tacacs+
aaa authorization exec NONE none
aaa authorization exec vtyssh local
aaa authorization auth-proxy default group tacacs+
aaa session-id common
Debugs show it picked up the default list, which points to TACACS+, for
authentication. Here is the output.
*Mar 1 21:36:09.358: AAA/AUTHEN/START (1836189796): found list default
*Mar 1 21:36:09.358: AAA/AUTHEN/START (1836189796): Method=tacacs+ (tacacs+)
*Mar 1 21:36:09.358: TAC+: send AUTHEN/START packet ver=192 id=1836189796
*Mar 1 21:36:09.358: TAC+: Using default tacacs server-group "tacacs+" list.
*Mar 1 21:36:09.362: TAC+: Opening TCP/IP to 172.16.1.100/49 timeout=5
*Mar 1 21:36:09.366: TAC+: Opened R1# TCP/IP handle 0x82EAD5B4 to 172.16.1.100/49 using source 11.11.11.11
*Mar 1 21:36:09.366: TAC+: 172.16.1.100 (1836189796) AUTHEN/START/LOGIN/ASCII queued
*Mar 1 21:36:09.566: TAC+: (1836189796) AUTHEN/START/LOGIN/ASCII processed
*Mar 1 21:36:09.566: TAC+: ver=192 id=1836189796 received AUTHEN status = GETUSER
*Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Status=GETUSER
*Mar 1 21:36:09.566: AAA/AUTHEN/CONT (1836189796): continue_login (user='(undef)')
*Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Status=GETUSER
*Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Method=tacacs+ (tacacs+)
*Mar 1 21:36:09.570: TAC+: send AUTHEN/CONT packet id=1836189796
*Mar 1 21:36:09.570: TAC+: 172.16.1.100 (1836189796) AUTHEN/CONT queued
*Mar 1 21:36:09.770: TAC+: (1836189796) AUTHEN/CONT processed
*Mar 1 21:36:09.770: TAC+: ver=192 id=1836189796 received AUTHEN status = GETPASS
*Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Status=GETPASS
*Mar 1 21:36:09.770: AAA/AUTHEN/CONT (1836189796): continue_login (user='admin')
*Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Status=GETPASS
*Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Method=tacacs+ (tacacs+)
*Mar 1 21:36:09.770: TAC+: send AUTHEN/CONT packet id=1836189796
*Mar 1 21:36:09.774: TAC+: 172.16.1.100 (1836189796) AUTHEN/CONT queued
*Mar 1 21:36:09.974: TAC+: (1836189796) AUTHEN/CONT processed
*Mar 1 21:36:09.974: TAC+: ver=192 id=1836189796 received AUTHEN status = PASS
*Mar 1 21:36:09.974: AAA/AUTHEN(1836189796): Status=PASS
*Mar 1 21:36:09.974: TAC+: Closing TCP/IP 0x82EAD5B4 connection to 172.16.1.100/49
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): Port='FastEthernet0/1' list='default' service=AUTH-PROXY
*Mar 1 21:36:09.978: AAA/AUTHOR/HTTP: FastEthernet0/1(1076682770) user='admin'
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): send AV service=auth-proxy
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): send AV cmd*
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): found list "default"
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): Method=tacacs+ (tacacs+)
*Mar 1 21:36:09.978: AAA/AUTHOR/TAC+: (1076682770): user=admin
*Mar 1 21:36:09.978: AAA/AUTHOR/TAC+: (1076682770): send AV service=auth-proxy
*Mar 1 21:36:09.982: AAA/AUTHOR/TAC+: (1076682770): send AV cmd*
*Mar 1 21:36:09.982: TAC+: using previously set server 172.16.1.100 from group tacacs+
*Mar 1 21:36:09.982: TAC+: Opening TCP/IP to 172.16.1.100/49 timeout=5
*Mar 1 21:36:09.986: TAC+: Opened TCP/IP handle 0x82EAE974 to 172.16.1.100/49 using source 11.11.11.11
*Mar 1 21:36:09.986: TAC+: Opened 172.16.1.100 index=1
*Mar 1 21:36:09.986: TAC+: 172.16.1.100 (1076682770) AUTHOR/START queued
*Mar 1 21:36:10.186: TAC+: (1076682770) AUTHOR/START processed
*Mar 1 21:36:10.186: TAC+: (1076682770): received author response status = PASS_ADD
*Mar 1 21:36:10.186: TAC+: Closing TCP/IP 0x82EAE974 connection to 172.16.1.100/49
*Mar 1 21:36:10.190: TAC+: Received Attribute "priv-lvl=15"
*Mar 1 21:36:10.190: TAC+: Received Attribute "proxyacl#1=permit ip any any"
*Mar 1 21:36:10.190: AAA/AUTHOR (1076682770): Post authorization status = PASS_ADD
Please let me know.
Thanks
Kal
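A small checker for this kind of debug output, added here as an example and not part of the thread or of any Cisco tooling: it pulls out which method list and method each AAA phase used and which AV pairs the TACACS+ server returned, then flags a mismatch against the intended list and an all-permitting proxyacl entry. The sample lines are constructed after the debug shown above.

```python
import re
# Constructed sample modelled on the debug aaa/tacacs lines quoted in the thread.
SAMPLE_DEBUG = """\
*Mar 1 21:36:09.358: AAA/AUTHEN/START (1836189796): found list default
*Mar 1 21:36:09.358: AAA/AUTHEN/START (1836189796): Method=tacacs+ (tacacs+)
*Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Status=GETUSER
*Mar 1 21:36:09.974: AAA/AUTHEN(1836189796): Status=PASS
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): Port='FastEthernet0/1' list='default' service=AUTH-PROXY
*Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): Method=tacacs+ (tacacs+)
*Mar 1 21:36:10.190: TAC+: Received Attribute "priv-lvl=15"
*Mar 1 21:36:10.190: TAC+: Received Attribute "proxyacl#1=permit ip any any"
"""
# (phase, fact) -> pattern whose first group carries the value.
PATTERNS = {
    ("authen", "list"): re.compile(r"AAA/AUTHEN/START \(\d+\): found list (\S+)"),
    ("authen", "method"): re.compile(r"AAA/AUTHEN/START \(\d+\): Method=(\S+)"),
    ("authen", "status"): re.compile(r"AAA/AUTHEN\(\d+\): Status=(\S+)"),
    ("author", "list"): re.compile(r"AAA/AUTHOR/HTTP\(\d+\): Port=.* list='([^']+)'"),
    ("author", "service"): re.compile(r"AAA/AUTHOR/HTTP\(\d+\): Port=.* service=(\S+)"),
    ("author", "method"): re.compile(r"AAA/AUTHOR/HTTP\(\d+\): Method=(\S+)"),
}
ATTRIBUTE = re.compile(r'TAC\+: Received Attribute "([^=]+)=([^"]*)"')

def parse_auth_proxy_debug(text):
    """Per AAA phase: list, method and final status; plus the server's AV pairs."""
    summary = {"authen": {}, "author": {}, "attributes": {}}
    for line in text.splitlines():
        for (phase, fact), pat in PATTERNS.items():
            if m := pat.search(line):
                summary[phase][fact] = m.group(1)  # later lines win, so status is the final one
        if m := ATTRIBUTE.search(line):
            summary["attributes"][m.group(1)] = m.group(2)
    return summary

def check_auth_proxy(summary, expected_list="default", expected_method="tacacs+"):
    """Deviations from the intended AAA setup; an empty list means it looks right."""
    findings = []
    for phase in ("authen", "author"):
        p = summary[phase]
        if p.get("list") != expected_list:
            findings.append(f"{phase}: list {p.get('list')!r}, expected {expected_list!r}")
        if p.get("method") != expected_method:
            findings.append(f"{phase}: method {p.get('method')!r}, expected {expected_method!r}")
    acls = {k: v for k, v in summary["attributes"].items() if k.startswith("proxyacl#")}
    if not acls:
        findings.append("author: no proxyacl# returned, so auth-proxy opens nothing")
    for name, ace in acls.items():
        if ace.split() == ["permit", "ip", "any", "any"]:
            findings.append(f"{name}: unrestricted entry {ace!r}")
    return findings
```

Run against the sample it confirms both phases used the default list with tacacs+ and reports only the wide-open proxyacl#1 that the server pushed.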
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART