From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Thu Nov 23 2006 - 05:09:17 ART
If we are talking about the "auth-proxy" service, then we need to configure
only the "aaa authorization auth-proxy" command, and the AAA server will return
the attribute "priv-lvl=15" (which must be configured for the "auth-proxy" service).

As for HTTP management with AAA authentication, you need to authorize the
remote user's shell for privilege level 15, either locally or remotely. So
you need to configure "aaa authorization exec def local" or
"aaa authorization exec def group xxx" and provide privilege level 15 either
locally or remotely (via tacacs+/radius).

Note the bug with console port AAA lists, which may override the default
behavior!

Also, I found that this bug is present NOT in every 12.2T release... so life
is getting just a bit more complicated :)
HTH
2006/11/23, Lab Rat #109385382 <techlist01@gmail.com>:
>
> Does the "ip http authentication local" command do automatic exec
> authorization on the local user?
>
> In my tests, privilege level needs to be at 15...correct?
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Petr Lapukhov
> Sent: Wednesday, November 22, 2006 10:42 PM
> To: Kal Han
> Cc: Groupstudy; Cisco certification
> Subject: Re: auth-proxy method lists for authentication.
>
> It's the notorious bug found in 12.2T/12.3:
>
> *Bug ID: CSCeb82510*
> Fixed Since: 12.3(7.3)T
>
> <quote>
> Since the 12.2(15)T IOS release onwards, when "ip http authentication aaa"
> is configured, HTTP server uses the login authentication and exec
> authorization method lists specified for the console instead of for the
> vty lines as in the earlier IOS versions.
>
> If you configure:
> ip http server
> ip http authentication aaa
> aaa authentication login default ...
> aaa authorization exec default ...
> aaa authentication login vty-auth ...
> aaa authorization exec vty-auth ...
>
> line con 0
> login authentication default
> authorization exec default
> line vty ...
> login authentication vty-auth
> authorization exec vty-auth
>
> And then attempt to the HTTP access, the router will ignore the "http-auth"
> method lists and instead use the default method lists specified for the
> console. If there are no default method lists defined, router will fail the
> HTTP authentication. *This new behaviour is due to the fact that since
> 12.2(15)T onwards vty lines are no more used for HTTP connections.*
>
> Workaround:
> Use a common method list for HTTP and console and make sure that the
> console is configured with this common method list. For example,
>
> aaa authentication login console-http-auth ...
> aaa authorization exec console-http-auth ...
>
> line con 0
> login authentication console-http-auth
> authorization exec console-http-auth
>
> If only "default" method list names are used, this problem does not exist.
> For example,
> aaa authentication login default ...
> aaa authorization exec default ...
> line con 0
> <No method lists explicitly applied. So, default is used>
> line vty ...
> <No method lists explicitly applied. So, default is used>
>
> </quote>
>
> In modern images, you may configure a separate AAA list for HTTP
> authentication/authorization (commands)
>
> ip http authentication aaa login-authentication ?
> WORD Use an authentication list with this name.
>
>
> 2006/11/23, Kal Han <calikali2006@gmail.com>:
> >
> > Hello Friends.
> > I have this question on method lists used by auth-proxy authentication.
> >
> > When I want to http connect to the router, it uses the method lists
> > defined on the console port.
> >
> > When I want to telnet/ssh etc connect to router, it uses the method
> > lists defined on the vty lines.
> >
> > What about auth-proxy? It's an HTTP authentication, but what method lists
> > will it use?
> > *Does it always use the default authentication list?*
> >
> > Here is my config, and it's working fine.
> >
> > R1#sh run | be line
> > line con 0
> > exec-timeout 0 0
> > privilege level 15
> > authorization exec NONE
> > logging synchronous
> > login authentication NONE
> > line aux 0
> > line vty 0 3
> > password cisco
> > authorization exec vtyssh
> > login authentication vtyssh
> > transport input telnet ssh
> > line vty 4
> > password cisco
> > authorization exec vtyssh
> > login authentication vtyssh
> > rotary 65
> > transport input telnet ssh
> >
> > Here is my aaa config
> >
> > aaa new-model
> > aaa authentication login default group tacacs+
> > aaa authentication login NONE none
> > aaa authentication login vtyssh local
> > aaa authorization exec default group tacacs+
> > aaa authorization exec NONE none
> > aaa authorization exec vtyssh local
> > aaa authorization auth-proxy default group tacacs+
> > aaa session-id common
> >
> >
> > Debugs show it picked up the default list pointing to tacacs for
> > authentication. Here is the output.
> >
> > *Mar 1 21:36:09.358: AAA/AUTHEN/START (1836189796): found list default
> > *Mar 1 21:36:09.358: AAA/AUTHEN/START (1836189796): Method=tacacs+ (tacacs+)
> > *Mar 1 21:36:09.358: TAC+: send AUTHEN/START packet ver=192 id=1836189796
> > *Mar 1 21:36:09.358: TAC+: Using default tacacs server-group "tacacs+" list.
> > *Mar 1 21:36:09.362: TAC+: Opening TCP/IP to 172.16.1.100/49 timeout=5
> > *Mar 1 21:36:09.366: TAC+: Opened
> > R1# TCP/IP handle 0x82EAD5B4 to 172.16.1.100/49 using source 11.11.11.11
> > *Mar 1 21:36:09.366: TAC+: 172.16.1.100 (1836189796) AUTHEN/START/LOGIN/ASCII queued
> > *Mar 1 21:36:09.566: TAC+: (1836189796) AUTHEN/START/LOGIN/ASCII processed
> > *Mar 1 21:36:09.566: TAC+: ver=192 id=1836189796 received AUTHEN status = GETUSER
> > *Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Status=GETUSER
> > *Mar 1 21:36:09.566: AAA/AUTHEN/CONT (1836189796): continue_login (user='(undef)')
> > *Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Status=GETUSER
> > *Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Method=tacacs+ (tacacs+)
> > *Mar 1 21:36:09.570: TAC+: send AUTHEN/CONT packet id=1836189796
> > *Mar 1 21:36:09.570: TAC+: 172.16.1.100 (1836189796) AUTHEN/CONT queued
> > *Mar 1 21:36:09.770: TAC+: (1836189796) AUTHEN/CONT processed
> > *Mar 1 21:36:09.770: TAC+: ver=192 id=1836189796 received AUTHEN status = GETPASS
> > *Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Status=GETPASS
> > *Mar 1 21:36:09.770: AAA/AUTHEN/CONT (1836189796): continue_login (user='admin')
> > *Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Status=GETPASS
> > *Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Method=tacacs+ (tacacs+)
> > *Mar 1 21:36:09.770: TAC+: send AUTHEN/CONT packet id=1836189796
> > *Mar 1 21:36:09.774: TAC+: 172.16.1.100 (1836189796) AUTHEN/CONT queued
> > *Mar 1 21:36:09.974: TAC+: (1836189796) AUTHEN/CONT processed
> > *Mar 1 21:36:09.974: TAC+: ver=192 id=1836189796 received AUTHEN status = PASS
> > *Mar 1 21:36:09.974: AAA/AUTHEN(1836189796): Status=PASS
> > *Mar 1 21:36:09.974: TAC+: Closing TCP/IP 0x82EAD5B4 connection to 172.16.1.100/49
> > *Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): Port='FastEthernet0/1' list='default' service=AUTH-PROXY
> > *Mar 1 21:36:09.978: AAA/AUTHOR/HTTP: FastEthernet0/1(1076682770) user='admin'
> > *Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): send AV service=auth-proxy
> > *Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): send AV cmd*
> > *Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): found list "default"
> > *Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): Method=tacacs+ (tacacs+)
> > *Mar 1 21:36:09.978: AAA/AUTHOR/TAC+: (1076682770): user=admin
> > *Mar 1 21:36:09.978: AAA/AUTHOR/TAC+: (1076682770): send AV service=auth-proxy
> > *Mar 1 21:36:09.982: AAA/AUTHOR/TAC+: (1076682770): send AV cmd*
> > *Mar 1 21:36:09.982: TAC+: using previously set server 172.16.1.100 from group tacacs+
> > *Mar 1 21:36:09.982: TAC+: Opening TCP/IP to 172.16.1.100/49 timeout=5
> > *Mar 1 21:36:09.986: TAC+: Opened TCP/IP handle 0x82EAE974 to 172.16.1.100/49 using source 11.11.11.11
> > *Mar 1 21:36:09.986: TAC+: Opened 172.16.1.100 index=1
> > *Mar 1 21:36:09.986: TAC+: 172.16.1.100 (1076682770) AUTHOR/START queued
> > *Mar 1 21:36:10.186: TAC+: (1076682770) AUTHOR/START processed
> > *Mar 1 21:36:10.186: TAC+: (1076682770): received author response status = PASS_ADD
> > *Mar 1 21:36:10.186: TAC+: Closing TCP/IP 0x82EAE974 connection to 172.16.1.100/49
> > *Mar 1 21:36:10.190: TAC+: Received Attribute "priv-lvl=15"
> > *Mar 1 21:36:10.190: TAC+: Received Attribute "proxyacl#1=permit ip any any"
> > *Mar 1 21:36:10.190: AAA/AUTHOR (1076682770): Post authorization status = PASS_ADD
> > Please let me know.
> > Thanks
> > Kal
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
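The two practical questions in this thread are (a) which method lists an "ip http authentication aaa" session actually resolves to on an image with the CSCeb82510 behaviour (console line's lists from 12.2(15)T onwards, vty lines' lists before, "default" when nothing is applied to the line, and failure when no default list exists), and (b) how to read the auth-proxy debug to confirm which list was used and that the TACACS+ server returned "priv-lvl=15". The Python below is an added example, not code from the thread or from Cisco: it models that resolution rule against a config and summarises debug lines. The function names are the example's own, and the config and debug text are constructed from what Kal and the bug note posted (the vty-only config is constructed to show the failing case).

```python
"""Added example: model the IOS HTTP method-list resolution described for
CSCeb82510 and summarise auth-proxy AAA debug output.  Sample inputs are
constructed from the thread; function names are this example's own."""
import re
from typing import Dict, Optional


def parse_aaa_lists(config: str) -> Dict[tuple, str]:
    """(kind, name) -> methods, kind being 'login' or 'exec'."""
    lists = {}
    for line in config.splitlines():
        m = re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)", line.strip())
        if m:
            kind = "login" if m.group(1).startswith("authentication") else "exec"
            lists[(kind, m.group(2))] = m.group(3)
    return lists


def parse_line_lists(config: str) -> Dict[str, Dict[str, str]]:
    """'con 0' / 'vty 0 4' -> {'login': list, 'exec': list} applied under that
    'line' stanza (assumes stanzas follow the aaa commands, as in 'show run')."""
    lines, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"line (con|aux|vty) (.+)", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            lines[current] = {}
            continue
        if current is None:
            continue
        for kind, pat in (("login", r"login authentication (\S+)"),
                          ("exec", r"authorization exec (\S+)")):
            m = re.match(pat, line)
            if m:
                lines[current][kind] = m.group(1)
    return lines


def http_method_lists(config: str, console_behaviour: bool = True) -> Dict[str, Optional[str]]:
    """Lists an 'ip http authentication aaa' session resolves to.
    console_behaviour=True models 12.2(15)T onwards, False the earlier vty rule.
    A line with nothing applied falls back to 'default'; None means the
    resolved list is not defined, i.e. HTTP authentication would fail."""
    defined, lines = parse_aaa_lists(config), parse_line_lists(config)
    if console_behaviour:
        applied = lines.get("con 0", {})
    else:
        vtys = [v for k, v in lines.items() if k.startswith("vty")]
        applied = vtys[0] if vtys else {}
    out = {}
    for kind in ("login", "exec"):
        name = applied.get(kind, "default")
        out[kind] = name if (kind, name) in defined else None
    return out


def auth_proxy_debug_summary(debug: str) -> Dict[str, object]:
    """List names each phase found, final statuses and server-sent attributes."""
    s = {"authen_list": None, "author_list": None, "authen_status": None,
         "author_status": None, "attributes": []}
    pats = {"authen_list": r"AAA/AUTHEN/START \(\d+\): found list (\S+)",
            "author_list": r'AAA/AUTHOR/HTTP\(\d+\): found list "(\S+)"',
            "authen_status": r"AAA/AUTHEN\(\d+\): Status=(\S+)",
            "author_status": r"Post authorization status\s*=\s*(\S+)"}
    for line in debug.splitlines():
        for key, pat in pats.items():
            m = re.search(pat, line)
            if m:
                s[key] = m.group(1)  # later lines overwrite, so the final status wins
        m = re.search(r'Received Attribute "([^"]+)"', line)
        if m:
            s["attributes"].append(m.group(1))
    return s


def auth_proxy_grants_priv15(summary: Dict[str, object]) -> bool:
    """Authorization passed and the server returned the priv-lvl=15 attribute."""
    return str(summary["author_status"]).startswith("PASS") and "priv-lvl=15" in summary["attributes"]


# Constructed from Kal's posted config: console lists NONE, vty lists vtyssh.
KAL_CONFIG = """aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NONE none
aaa authentication login vtyssh local
aaa authorization exec default group tacacs+
aaa authorization exec NONE none
aaa authorization exec vtyssh local
aaa authorization auth-proxy default group tacacs+
line con 0
 authorization exec NONE
 login authentication NONE
line vty 0 4
 authorization exec vtyssh
 login authentication vtyssh
"""
# Constructed: named lists only and nothing on the console, the failing case.
NO_DEFAULT_CONFIG = """aaa new-model
aaa authentication login vty-auth group tacacs+
aaa authorization exec vty-auth group tacacs+
line con 0
line vty 0 4
 login authentication vty-auth
 authorization exec vty-auth
"""
# Constructed lines modelled on the debug output in the thread.
DEBUG = """*Mar  1 21:36:09.358: AAA/AUTHEN/START (1836189796): found list default
*Mar  1 21:36:09.974: AAA/AUTHEN(1836189796): Status=PASS
*Mar  1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): found list "default"
*Mar  1 21:36:10.190: TAC+: Received Attribute "priv-lvl=15"
*Mar  1 21:36:10.190: TAC+: Received Attribute "proxyacl#1=permit ip any any"
*Mar  1 21:36:10.190: AAA/AUTHOR (1076682770): Post authorization status = PASS_ADD
"""

if __name__ == "__main__":
    for name, cfg in (("kal", KAL_CONFIG), ("no-default", NO_DEFAULT_CONFIG)):
        print(name, "12.2(15)T+:", http_method_lists(cfg),
              "earlier:", http_method_lists(cfg, console_behaviour=False))
    summary = auth_proxy_debug_summary(DEBUG)
    print(summary, "priv-lvl 15 granted:", auth_proxy_grants_priv15(summary))
```

Run against Kal's config, the 12.2(15)T+ rule resolves HTTP to the NONE lists applied on the console, the earlier rule to vtyssh; against the vty-only config the newer rule returns None for both lists, which is the "no default method lists defined" failure the bug note describes, while the debug summary confirms the auth-proxy phases used "default" and received priv-lvl=15.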
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART