From: Peter Svidler (doubleccie@yahoo.com)
Date: Fri Jun 08 2007 - 14:37:40 ART
Folks;
  I tried your hints but something is still broken.
  Attached is my config and long debug output;
  this is driving me crazy, guys.

  R2
   
  !
aaa authentication login default group radius
aaa authorization exec default group radius none 
aaa authorization auth-proxy default group radius 
!
ip auth-proxy inactivity-timer 10
ip auth-proxy name AP http
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 ip access-group DENY_ICMP in
 ip auth-proxy AP
!
ip http server
ip http authentication aaa
!
ip access-list extended DENY_ICMP
 deny   icmp any any
 permit ip any any
!
radius-server host 10.1.1.125 auth-port 1645 acct-port 1646 key ciscovpn
!
  The config on the ACS is:
  auth-proxy:priv-lvl=15
  auth-proxy:proxyacl#1=permit icmp any any

  and here is the debug output:

R2#test aaa group radius ap cisco new
Trying to authenticate with Servergroup radius
User successfully authenticated
  R2#
Jun  8 17:25:08.823: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Jun  8 17:25:08.823: RADIUS/ENCODE(00000000): dropping service type, "radius-ser
ver attribute 6 on-for-login-auth" is off
Jun  8 17:25:08.823: RADIUS(00000000): Config NAS IP: 0.0.0.0
Jun  8 17:25:08.823: RADIUS(00000000): sending
Jun  8 17:25:08.823: RADIUS/ENCODE: Best Local IP-Address 10.1.1.2 for Radius-Se
rver 10.1.1.125
Jun  8 17:25:08.823: RADIUS(00000000): Send Access-Request to 10.1.1.125:1645 id
 1645/69, len 48
Jun  8 17:25:08.823: RADIUS:  authenticator 30 8B 84 B6 66 31 F6 C5 - 76 ED C6 4
7 60 17 A4 31
Jun  8 17:25:08.823: RADIUS:  User-Password       [2]   18  *
Jun  8 17:25:08.827: RADIUS:  User-Name           [1]   4   "ap"
Jun  8 17:25:08.827: RADIUS:  NAS-IP-Address      [4]   6   10.1.1.2            
      
Jun  8 17:25:08.839: RADIUS: Received from id 1645/69 10.1.1.125:1645, Access-Ac
cept, len 129
Jun  8 17:25:08.839: RADIUS:  authenticator BA 0C 56 AB B2 40 54 4B - C3 59 8B 4
D 3C
R2# E7 43 B2
Jun  8 17:25:08.839: RADIUS:  Vendor, Cisco       [26]  30  
Jun  8 17:25:08.839: RADIUS:   Cisco AVpair       [1]   24  "auth-proxy:priv-lvl
=15"
Jun  8 17:25:08.839: RADIUS:  Vendor, Cisco       [26]  49  
Jun  8 17:25:08.843: RADIUS:   Cisco AVpair       [1]   43  "auth-proxy:proxyacl
#1=permit icmp any any"
Jun  8 17:25:08.843: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255     
      
Jun  8 17:25:08.843: RADIUS:  Class               [25]  24  
Jun  8 17:25:08.843: RADIUS:   43 41 43 53 3A 30 2F 34 31 31 39 2F 61 30 31 30  
[CACS:0/4119/a010]
Jun  8 17:25:08.843: RADIUS:   31 30 32 2F 61 70                                
[102/ap]
Jun  8 17:25:08.843: RADIUS(00000000): Received from id 1645/69
Jun  8 17:25:08.843: RADIUS(00000000): Unique id not in use
Jun  8 17:25:08.843: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius 
attributes may not be stored
R2#
R2#
Jun  8 17:25:21.981: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Jun  8 17:25:21.981: RADIUS/ENCODE(00000000): dropping service type, "radius-ser
ver attribute 6 on-for-login-auth" is off
Jun  8 17:25:21.981: RADIUS(00000000): Config NAS IP: 0.0.0.0
Jun  8 17:25:21.981: RADIUS(00000000): sending
Jun  8 17:25:21.985: RADIUS/ENCODE: Best Local IP-Address 10.1.1.2 for Radius-Se
rver 10.1.1.125
Jun  8 17:25:21.985: RADIUS(00000000): Send Access-Request to 10.1.1.125:1645 id
 1645/70, len 48
Jun  8 17:25:21.985: RADIUS:  authenticator B1 23 93 6C 19 D7 5A AF - 17 85 44 8
C 9A C3 DD D7
Jun  8 17:25:21.985: RADIUS:  User-Name           [1]   4   "ap"
Jun  8 17:25:21.985: RADIUS:  User-Password       [2]   18  *
Jun  8 17:25:21.985: RADIUS:  NAS-IP-Address      [4]   6   10.1.1.2            
      
Jun  8 17:25:21.993: RADIUS: Received from id 1645/70 10.1.1.125:1645, Access-Ac
cept, len 129
Jun  8 17:25:21.993: RADIUS:  authenticator E2 9E D5 1E 84 F8 37 2E - 87 7C 56 B
5 D2
R2# A1 A7 1E
Jun  8 17:25:21.993: RADIUS:  Vendor, Cisco       [26]  30  
Jun  8 17:25:21.993: RADIUS:   Cisco AVpair       [1]   24  "auth-proxy:priv-lvl
=15"
Jun  8 17:25:21.993: RADIUS:  Vendor, Cisco       [26]  49  
Jun  8 17:25:21.993: RADIUS:   Cisco AVpair       [1]   43  "auth-proxy:proxyacl
#1=permit icmp any any"
Jun  8 17:25:21.997: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255     
      
Jun  8 17:25:21.997: RADIUS:  Class               [25]  24  
Jun  8 17:25:21.997: RADIUS:   43 41 43 53 3A 30 2F 34 31 31 61 2F 61 30 31 30  
[CACS:0/411a/a010]
Jun  8 17:25:21.997: RADIUS:   31 30 32 2F 61 70                                
[102/ap]
Jun  8 17:25:21.997: RADIUS(00000000): Received from id 1645/70
Jun  8 17:25:21.997: RADIUS(00000000): Unique id not in use
Jun  8 17:25:21.997: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius 
attributes may not be stored
R2#
R2#
Jun  8 17:25:26.043: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Jun  8 17:25:26.043: RADIUS/ENCODE(00000000): dropping service type, "radius-ser
ver attribute 6 on-for-login-auth" is off
Jun  8 17:25:26.043: RADIUS(00000000): Config NAS IP: 0.0.0.0
Jun  8 17:25:26.043: RADIUS(00000000): sending
Jun  8 17:25:26.043: RADIUS/ENCODE: Best Local IP-Address 10.1.1.2 for Radius-Se
rver 10.1.1.125
Jun  8 17:25:26.043: RADIUS(00000000): Send Access-Request to 10.1.1.125:1645 id
 1645/71, len 48
Jun  8 17:25:26.043: RADIUS:  authenticator 3F 35 CE 41 9A 66 FD 8E - A9 08 5D 9
D 7F FE 6A 9A
Jun  8 17:25:26.043: RADIUS:  User-Name           [1]   4   "ap"
Jun  8 17:25:26.047: RADIUS:  User-Password       [2]   18  *
Jun  8 17:25:26.047: RADIUS:  NAS-IP-Address      [4]   6   10.1.1.2            
      
Jun  8 17:25:26.051: RADIUS: Received from id 1645/71 10.1.1.125:1645, Access-Ac
cept, len 129
Jun  8 17:25:26.051: RADIUS:  authenticator 92 7F E5 75 DB 37 F7 80 - 7F C6 FA E
1 F0
R2# E6 C0 0D
Jun  8 17:25:26.055: RADIUS:  Vendor, Cisco       [26]  30  
Jun  8 17:25:26.055: RADIUS:   Cisco AVpair       [1]   24  "auth-proxy:priv-lvl
=15"
Jun  8 17:25:26.055: RADIUS:  Vendor, Cisco       [26]  49  
Jun  8 17:25:26.055: RADIUS:   Cisco AVpair       [1]   43  "auth-proxy:proxyacl
#1=permit icmp any any"
Jun  8 17:25:26.055: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255     
      
Jun  8 17:25:26.055: RADIUS:  Class               [25]  24  
Jun  8 17:25:26.055: RADIUS:   43 41 43 53 3A 30 2F 34 31 31 63 2F 61 30 31 30  
[CACS:0/411c/a010]
Jun  8 17:25:26.055: RADIUS:   31 30 32 2F 61 70                                
[102/ap]
Jun  8 17:25:26.055: RADIUS(00000000): Received from id 1645/71
Jun  8 17:25:26.059: RADIUS(00000000): Unique id not in use
Jun  8 17:25:26.059: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius 
attributes may not be stored
R2#
R2#
Jun  8 17:26:20.513: AUTH-PROXY:proto_flag=4, dstport_index=4
Jun  8 17:26:20.513:  FIN ACK 863177907 SEQ 1929498951 LEN 0
Jun  8 17:26:20.517: dst_addr 10.1.1.2 src_addr 10.1.1.202 dst_port 80 src_port 
1330
Jun  8 17:26:20.517: AUTH-PROXY:proto_flag=4, dstport_index=4
Jun  8 17:26:20.517:  SYN SEQ 4124981083 LEN 0
Jun  8 17:26:20.517: dst_addr 10.1.1.2 src_addr 10.1.1.202 dst_port 80 src_port 
1331
Jun  8 17:26:20.521: AUTH-PROXY:proto_flag=4, dstport_index=4
Jun  8 17:26:20.521:  ACK 675496001 SEQ 4124981084 LEN 0
Jun  8 17:26:20.521: dst_addr 10.1.1.2 src_addr 10.1.1.202 dst_port 80 src_port 
1331
Jun  8 17:26:20.521: AUTH-PROXY:proto_flag=4, dstport_index=4
Jun  8 17:26:20.521:  PSH ACK 675496001 SEQ 4124981084 LEN 439
Jun  8 17:26:20.521: dst_addr 10.1.1.2 src_addr 10.1.1.202 dst_port 80 src_port 
1331
Jun  8 17:26:20.529: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default' 
Jun  8 17:26:20.529: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Jun  8 17:26:
R2#20.529: RADIUS/ENCODE(00000000): dropping service type, "radius-server attrib
ute 6 on-for-login-auth" is off
Jun  8 17:26:20.529: RADIUS(00000000): Config NAS IP: 0.0.0.0
Jun  8 17:26:20.529: RADIUS(00000000): sending
Jun  8 17:26:20.529: RADIUS/ENCODE: Best Local IP-Address 10.1.1.2 for Radius-Se
rver 10.1.1.125
Jun  8 17:26:20.533: RADIUS(00000000): Send Access-Request to 10.1.1.125:1645 id
 1645/72, len 48
Jun  8 17:26:20.533: RADIUS:  authenticator 14 8A C6 2A B3 3D 78 FF - 4A EB FE 9
7 F8 6B 8A ED
Jun  8 17:26:20.533: RADIUS:  User-Name           [1]   4   "ap"
Jun  8 17:26:20.533: RADIUS:  User-Password       [2]   18  *
Jun  8 17:26:20.533: RADIUS:  NAS-IP-Address      [4]   6   10.1.1.2            
      
Jun  8 17:26:20.541: RADIUS: Received from id 1645/72 10.1.1.125:1645, Access-Ac
cept, len 129
Jun  8 17:26:20.541: RADIUS:  authenticator 28 64 DB 09 43 1F B6 C0 - 17 E5 C7 F
4 4A 74 41 82
Jun  8 17:26:20.541: RADIUS:  Vendor, Cisco       [26]  30  
Jun  8 17:26:20.541: RADIUS:   Cisco AVpair       [1]   24  "auth-proxy:priv-lvl
=15"
Jun  8 17:26:20.541: RADIUS:  Vendor, Cisco       [26]  49  
Jun  8 17:26:20.541: RADIUS:   Cisco AVpair       [1]   43  "auth-proxy:proxyacl
#1=permit icmp any any"
Jun  8 17:26:20.541: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255     
      
Jun  8 17:26:20.541: RADIUS:  Class               [25]  24  
Jun  8 17:26:20.545: RADIUS:   43 41 43 53 3A 30 2F 34 31 31 64 2F 61 30 31 30  
[CACS:0/411d/a010]
Jun  8 17:26:20.545: RADIUS:   31 30 32 2F 61 70                                
[102/ap]
Jun  8 17:26:20.545: RADIUS(00000000): Received from id 1645/72
Jun  8 17:26:20.545: RADIUS(00000000): Unique id not in use
Jun  8 17:26:20.545: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius 
attributes may not be stored
Jun  8 17:26:20.549: AUTH-PROXY:proto_flag=4, dstport_index=4
Jun  8 17:26:20.549:  ACK 675496194 SEQ 4124981523 LEN 0
Jun  8 17:26:20.549: dst_addr 10.1.1.2 src_addr 10.1.1.202 dst_port 80 src_port 
1331
R2#

Farrukh Haroon <farrukhharoon@gmail.com> wrote:
  do one thing...
first are you using 
auth-proxy:proxyacl#1=permit icmp any any (notice the hash #1)
OR
auth-proxy:proxyacl=permit icmp any any
secondly try to change this line from:
aaa authorization exec default group radius
to:
aaa authorization exec default group radius none
Also check out:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080093f52.shtml
IF it still doesn't work, give me a copy of your debug output
and show version.
Regards
Farrukh
On 6/8/07, Peter Svidler <doubleccie@yahoo.com> wrote:
> I am sorry, that was just a typing mistake.
> 
>   actually the AV pair is configured
> 
>   auth-proxy:priv-lvl=15
>   auth-proxy:proxyacl=permit icmp any any
> 
> 
>   problem remains ...
> 
> Vivek Santuka <vivsan@gmail.com > wrote:
>   Peter,
> 
> I think the VSA which you are sending is not correct. The VSA required is:
> 
> auth-proxy:priv-lvl=15
> auth-proxy:proxyacl#1=permit icmp any any
> 
> The one which you mentioned is :
> 
> proxy-auth:priv-lvl=15
> proxy-auth:proxyacl#1=permit icmp any any
> 
> Without proxy-auth priv-lvl 15 auth proxy will not work.
> 
> Regards, 
> Vivek Santuka
> CCIE #17621 (Security)
> 
> On 6/8/07, Peter Svidler wrote:
> >
> > guys ;
> > I am having a really hard time getting auth proxy with radius done.
> > 
> > ACS------pc------R1---lo--
> >
> > here is what I'm trying to do, a very simple scenario: I want the PC to be
> > able to ping the loopback interface on R1 after getting authenticated by the ACS.
> > I enabled the http server on R1, using Radius for authentication, and
> > enabled ip proxy-auth on the interface as in the configuration below.
> >
> > First of all, I am not able to login unless I put (priv-lvl=15 without
> > the auth-proxy:). When I put only priv-lvl=15 I'm able to login, but the ACL
> > is not downloaded.
> >
> > R1
> > aaa authentication login default group radius
> > aaa authorization exec default group radius 
> > aaa authorization auth-proxy default group radius
> > !
> > ip auth-proxy name AP http
> > !
> > interface Ethernet0/0
> > ip address 10.1.1.1 255.255.255.0
> > ip access-group DENY_ICMP in
> > ip auth-proxy AP
> > !
> > ip access-list extended DENY_ICMP
> > deny icmp any any
> > permit ip any any
> > !
> > !
> > radius-server host 10.1.1.125 auth-port 1645 acct-port 1646 key ciscovpn
> > !
> > ip http server
> > ip http authentication aaa
> > !
> >
> > on the ACS , I configured the R1 for Radius (cisco IOS) and enabled
> > cisco-av-pair as
> >
> > proxy-auth:priv-lvl=15 
> > proxy-auth:proxyacl#1=permit icmp any any
> >
> > also tried
> > priv-lvl=15
> > proxy-auth:priv-lvl=15
> > proxy-auth:proxyacl#1=permit icmp any any
> > 
> > also tried
> >
> > priv-lvl=15
> > proxy-auth:proxyacl#1=permit icmp any any
> >
> > here is some debug output
> > 
> > Mar 1 02:24:20.140: RADIUS: Received from id 1645/11 10.1.1.125:1645,
> > Access-
> > Accept, len 119
> > *Mar 1 02:24:20.140: RADIUS: authenticator 25 07 8E 52 82 BD F3 EB - 41 
> > 3E 8C
> > 14 C8 62 EF 14
> > *Mar 1 02:24:20.144: RADIUS: Vendor, Cisco [26] 19
> > *Mar 1 02:24:20.144: RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
> > *Mar 1 02:24: 20.144: RADIUS: Vendor, Cisco [26] 49
> > *Mar 1 02:24:20.144: RADIUS: Cisco AVpair [1]
> > 43 "auth-proxy:proxyac
> > l#1=permit icmp any any"
> > *Mar 1 02:24:20.144: RADIUS: Framed-IP-Address [8] 6 
> > 255.255.255.255
> > *Mar 1 02:24:20.144: RADIUS: Class [25] 25
> > *Mar 1 02:24:20.148: RADIUS: 43 41 43 53 3A 30 2F 31 62 39 34 2F 63 64
> > 30 35 
> > [CACS:0/1b94/cd05]
> > *Mar 1 02:24:20.148: RADIUS: 30 31 30 31 2F 61 70
> > [0101/ap]
> > *Mar 1 02:24:20.148: RADIUS(00000000): Received from id 1645/11
> > *Mar 1 02:24: 20.152: RADIUS(00000000): Unique id not in use
> > *Mar 1 02:24:20.152: RADIUS/DECODE(00000000): There is no RADIUS DB Some
> > Radius
> > attributes may not be stored
> >
> > What am I missing here? Any help will be appreciated.
> >
> 
> _______________________________________________________________________
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html
> 
> 
> 
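The whole thread turns on the exact cisco-av-pair strings the ACS returns in the Access-Accept (the `auth-proxy:` prefix and the `proxyacl#N` numbering). As an added example that is not part of this thread, the Python below decodes Cisco Vendor-Specific attributes from a RADIUS attribute list the way the router debug prints them and flags the mistakes discussed above, run on constructed sample bytes; the assumption that each proxyacl entry is a single permit/deny ACE is mine.

```python
import re
import struct
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR = 26, 9, 1
PROXYACL_RE = re.compile(r"^auth-proxy:proxyacl#(\d+)=(permit|deny)\s.+$")  # assumption: one ACE per entry

def parse_tlvs(data: bytes):
    # RFC 2865 attribute list: 1-byte type, 1-byte length (header included), value
    out, pos = [], 0
    while pos < len(data):
        alen = data[pos + 1] if len(data) - pos >= 2 else 0
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad attribute length at offset {pos}")
        out.append((data[pos], data[pos + 2:pos + alen]))
        pos += alen
    return out

def cisco_avpairs(data: bytes):
    # cisco-avpair = attribute 26, vendor-id 9, vendor-type 1; the vendor payload is itself a TLV list
    pairs = []
    for atype, value in parse_tlvs(data):
        if atype != VENDOR_SPECIFIC or len(value) < 6 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pairs += [v.decode("ascii", "replace") for t, v in parse_tlvs(value[4:]) if t == CISCO_AVPAIR]
    return pairs

def check_auth_proxy(pairs):
    # problems with the AV-pairs an auth-proxy Access-Accept must carry; [] means they look right
    problems, nums = [], []
    if "auth-proxy:priv-lvl=15" not in pairs:
        problems.append("missing auth-proxy:priv-lvl=15")
    for p in pairs:
        m = PROXYACL_RE.match(p)
        if m:
            nums.append(int(m.group(1)))
        elif p.startswith(("proxy-auth:", "auth-proxy:proxyacl")):
            problems.append(f"wrong prefix or malformed proxyacl entry: {p!r}")
    if not nums:
        problems.append("no auth-proxy:proxyacl#N entry, nothing to download")
    elif sorted(nums) != list(range(1, len(nums) + 1)):
        problems.append(f"proxyacl numbering must run 1..N, got {sorted(nums)}")
    return problems

def cisco_vsa(avpair: str) -> bytes:
    # encode one cisco-avpair as attribute 26; only used to build the constructed samples below
    sub = bytes([CISCO_AVPAIR, 2 + len(avpair)]) + avpair.encode()
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", CISCO_VENDOR_ID) + sub

# constructed samples: GOOD mirrors the debug's Access-Accept (30- and 49-byte Cisco VSAs + Framed-IP-Address)
GOOD = cisco_vsa("auth-proxy:priv-lvl=15") + cisco_vsa("auth-proxy:proxyacl#1=permit icmp any any") + bytes([8, 6, 255, 255, 255, 255])
BAD = cisco_vsa("proxy-auth:priv-lvl=15") + cisco_vsa("proxy-auth:proxyacl#1=permit icmp any any")  # prefix from the first post
```

Running `check_auth_proxy(cisco_avpairs(blob))` on an attribute blob captured from the server gives an empty list only when both the priv-lvl pair and a 1..N numbered proxyacl list are present with the `auth-proxy:` prefix.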
 
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:47 ART