ip auth-proxy with radius

From: Peter Svidler (doubleccie@yahoo.com)
Date: Fri Jun 08 2007 - 08:40:11 ART


Guys,

I am having a really hard time getting auth-proxy with RADIUS done.

  ACS------pc------R1---lo--

Here is what I'm trying to do, a very simple scenario: I want the PC to be able to ping the loopback interface on R1 after getting authenticated by the ACS. I enabled the HTTP server on R1, using RADIUS for authentication, and enabled ip auth-proxy on the interface, as in the configuration below.

First of all, I am not able to log in unless I put priv-lvl=15 (without the auth-proxy: prefix). When I put only priv-lvl=15 I'm able to log in, but the ACL is not downloaded.
R1:

aaa authentication login default group radius
aaa authorization exec default group radius
aaa authorization auth-proxy default group radius
!
ip auth-proxy name AP http
!
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group DENY_ICMP in
 ip auth-proxy AP
!
ip access-list extended DENY_ICMP
 deny icmp any any
 permit ip any any
!
radius-server host 10.1.1.125 auth-port 1645 acct-port 1646 key ciscovpn
!
ip http server
ip http authentication aaa
!
   
On the ACS, I configured R1 for RADIUS (Cisco IOS) and enabled cisco-av-pair as

proxy-auth:priv-lvl=15
proxy-auth:proxyacl#1=permit icmp any any

Also tried:

priv-lvl=15
proxy-auth:priv-lvl=15
proxy-auth:proxyacl#1=permit icmp any any

Also tried:

priv-lvl=15
proxy-auth:proxyacl#1=permit icmp any any

Here is some debug output:

*Mar 1 02:24:20.140: RADIUS: Received from id 1645/11 10.1.1.125:1645, Access-Accept, len 119
*Mar 1 02:24:20.140: RADIUS: authenticator 25 07 8E 52 82 BD F3 EB - 41 3E 8C 14 C8 62 EF 14
*Mar 1 02:24:20.144: RADIUS: Vendor, Cisco [26] 19
*Mar 1 02:24:20.144: RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
*Mar 1 02:24:20.144: RADIUS: Vendor, Cisco [26] 49
*Mar 1 02:24:20.144: RADIUS: Cisco AVpair [1] 43 "auth-proxy:proxyacl#1=permit icmp any any"
*Mar 1 02:24:20.144: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 02:24:20.144: RADIUS: Class [25] 25
*Mar 1 02:24:20.148: RADIUS: 43 41 43 53 3A 30 2F 31 62 39 34 2F 63 64 30 35 [CACS:0/1b94/cd05]
*Mar 1 02:24:20.148: RADIUS: 30 31 30 31 2F 61 70 [0101/ap]
*Mar 1 02:24:20.148: RADIUS(00000000): Received from id 1645/11
*Mar 1 02:24:20.152: RADIUS(00000000): Unique id not in use
*Mar 1 02:24:20.152: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored

   
   
   
What am I missing here? Any help will be appreciated.

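The following is an added example, not code from the post, from GroupStudy or from Cisco. It encodes and decodes the RADIUS Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor sub-type 1 = cisco-av-pair) that the debug output above shows, and then splits the received AV pairs by namespace to check for the two entries Cisco's authentication-proxy documentation lists as required: auth-proxy:priv-lvl=15 and at least one auth-proxy:proxyacl#N=... entry. The attribute bytes are constructed here to reproduce the posted on-wire lengths (19 and 49, plus a 6-byte Framed-IP-Address); they are not a capture, the function names are mine, and the check only reports that the posted reply carries priv-lvl=15 outside the auth-proxy namespace; it does not verify how IOS treats that case.

```python
"""Encode/decode Cisco cisco-av-pair VSAs from a RADIUS Access-Accept.

RFC 2865 attribute layout is Type, Length, Value. For Vendor-Specific (26)
the Value is a 4-byte Vendor-Id followed by vendor sub-attributes, each
again Type, Length, Value. Cisco uses Vendor-Id 9 and sub-type 1 for the
free-form "namespace:name=value" strings that IOS auth-proxy consumes.
"""
import struct

VENDOR_SPECIFIC = 26
FRAMED_IP_ADDRESS = 8
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1  # vendor sub-type for cisco-av-pair


def encode_cisco_avpair(avpair: str) -> bytes:
    """One Vendor-Specific attribute carrying a single cisco-av-pair string."""
    value = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:  # RADIUS attribute Length is a single byte
        raise ValueError("av-pair too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Walk a TLV list; reject lengths that would run past the buffer."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def cisco_avpairs(attrs: list[tuple[int, bytes]]) -> list[str]:
    """Extract cisco-av-pair strings from every Cisco VSA, in wire order."""
    pairs = []
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for subtype, subval in decode_attributes(value[4:]):
            if subtype == CISCO_AVPAIR:
                pairs.append(subval.decode("ascii"))
    return pairs


def auth_proxy_check(pairs: list[str]) -> dict:
    """Group pairs by namespace ('auth-proxy:', 'ip:', ...) and report whether
    auth-proxy:priv-lvl=15 and at least one auth-proxy:proxyacl#N are present."""
    by_ns: dict[str, list[str]] = {}
    for p in pairs:
        ns, sep, rest = p.partition(":")
        by_ns.setdefault(ns if sep else "", []).append(rest if sep else p)
    ap = by_ns.get("auth-proxy", [])
    acl = [e.split("=", 1)[1] for e in ap if e.startswith("proxyacl#") and "=" in e]
    return {
        "auth_proxy_priv15": "priv-lvl=15" in ap,
        "proxyacl": acl,
        "unscoped": by_ns.get("", []),  # pairs with no namespace prefix
        "ok": "priv-lvl=15" in ap and bool(acl),
    }


# Constructed to mirror the posted debug: plain priv-lvl=15 (no namespace),
# a namespaced proxyacl entry, then Framed-IP-Address 255.255.255.255.
AS_POSTED = (
    encode_cisco_avpair("priv-lvl=15")
    + encode_cisco_avpair("auth-proxy:proxyacl#1=permit icmp any any")
    + struct.pack("!BB4B", FRAMED_IP_ADDRESS, 6, 255, 255, 255, 255)
)

# The same reply with the privilege level inside the auth-proxy namespace.
AS_DOCUMENTED = (
    encode_cisco_avpair("auth-proxy:priv-lvl=15")
    + encode_cisco_avpair("auth-proxy:proxyacl#1=permit icmp any any")
)


if __name__ == "__main__":
    for label, blob in (("as posted", AS_POSTED), ("as documented", AS_DOCUMENTED)):
        attrs = decode_attributes(blob)
        print(label, [(t, len(v) + 2) for t, v in attrs])  # type and on-wire length
        print("   ", auth_proxy_check(cisco_avpairs(attrs)))
```

Running it prints the attribute types and lengths for both replies; the first decodes to (26, 19), (26, 49), (8, 6), matching the debug, and the check reports priv-lvl=15 as unscoped, while the second passes.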



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:47 ART