Re: ip auth-proxy with radius

From: Mark Snow (mark@ipexpert.com)
Date: Mon Jun 11 2007 - 21:29:48 ART


Did you try configuring the ACL to block access to the local router
resources via the HTTP server?

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfauthp.htm#wp1001606

Mark Snow - CCIE #14073 (Voice, Security)
Senior Technical Instructor - IPexpert, Inc.
A Cisco Learning Partner - We Accept Learning Credits!
Telephone: +1.810.326.1444
Fax: +1.309.413.4097
Mailto: msnow@ipexpert.com

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video
Class-On-Demand and Audio Certification Training Tools for the Cisco
CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab , CCIE
Voice Lab and CCIE Storage Lab Certifications.

On Jun 9, 2007, at 10:29 AM, Peter Svidler wrote:

> Folks,
> any luck with the post below? Has anyone reached a conclusion?
>
>
>
>
> Peter Svidler <doubleccie@yahoo.com> wrote:
> Folks,
> I tried your hints but something is still broken.
> Attached is my config and a long debug output;
> this is driving me crazy, guys.
>
>
>
>
> R2
>
> !
> aaa authentication login default group radius
> aaa authorization exec default group radius none
> aaa authorization auth-proxy default group radius
> !
> ip auth-proxy inactivity-timer 10
> ip auth-proxy name AP http
> !
> interface FastEthernet0/0
>  ip address 10.1.1.2 255.255.255.0
>  ip access-group DENY_ICMP in
>  ip auth-proxy AP
> !
> ip http server
> ip http authentication aaa
> !
> ip access-list extended DENY_ICMP
>  deny icmp any any
>  permit ip any any
> !
> radius-server host 10.1.1.125 auth-port 1645 acct-port 1646 key ciscovpn
> !
>
> The config on the ACS is
> auth-proxy:priv-lvl=15
> auth-proxy:proxyacl#1=permit icmp any any
>
> !
>
>
> and here is the debug output:
>
>
>
>
>
>
> R2#test aaa group radius ap cisco new
> Trying to authenticate with Servergroup radius
> User successfully authenticated
> R2#
> Jun 8 17:25:08.823: RADIUS/ENCODE(00000000):Orig. component type = INVALID
> Jun 8 17:25:08.823: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
> Jun 8 17:25:08.823: RADIUS(00000000): Config NAS IP: 0.0.0.0
> Jun 8 17:25:08.823: RADIUS(00000000): sending
> Jun 8 17:25:08.823: RADIUS/ENCODE: Best Local IP-Address 10.1.1.2 for Radius-Server 10.1.1.125
> Jun 8 17:25:08.823: RADIUS(00000000): Send Access-Request to 10.1.1.125:1645 id 1645/69, len 48
> Jun 8 17:25:08.823: RADIUS: authenticator 30 8B 84 B6 66 31 F6 C5 - 76 ED C6 47 60 17 A4 31
> Jun 8 17:25:08.823: RADIUS: User-Password [2] 18 *
> Jun 8 17:25:08.827: RADIUS: User-Name [1] 4 "ap"
> Jun 8 17:25:08.827: RADIUS: NAS-IP-Address [4] 6 10.1.1.2
>
> Jun 8 17:25:08.839: RADIUS: Received from id 1645/69 10.1.1.125:1645, Access-Accept, len 129
> Jun 8 17:25:08.839: RADIUS: authenticator BA 0C 56 AB B2 40 54 4B - C3 59 8B 4D 3C E7 43 B2
> R2#
> Jun 8 17:25:08.839: RADIUS: Vendor, Cisco [26] 30
> Jun 8 17:25:08.839: RADIUS: Cisco AVpair [1] 24 "auth-proxy:priv-lvl=15"
> Jun 8 17:25:08.839: RADIUS: Vendor, Cisco [26] 49
> Jun 8 17:25:08.843: RADIUS: Cisco AVpair [1] 43 "auth-proxy:proxyacl#1=permit icmp any any"
> Jun 8 17:25:08.843: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>
> Jun 8 17:25:08.843: RADIUS: Class [25] 24
> Jun 8 17:25:08.843: RADIUS: 43 41 43 53 3A 30 2F 34 31 31 39 2F 61 30 31 30 [CACS:0/4119/a010]
> Jun 8 17:25:08.843: RADIUS: 31 30 32 2F 61 70 [102/ap]
> Jun 8 17:25:08.843: RADIUS(00000000): Received from id 1645/69
> Jun 8 17:25:08.843: RADIUS(00000000): Unique id not in use
> Jun 8 17:25:08.843: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
> R2#
> R2#
> Jun 8 17:25:21.981: RADIUS/ENCODE(00000000):Orig. component type = INVALID
> Jun 8 17:25:21.981: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
> Jun 8 17:25:21.981: RADIUS(00000000): Config NAS IP: 0.0.0.0
> Jun 8 17:25:21.981: RADIUS(00000000): sending
> Jun 8 17:25:21.985: RADIUS/ENCODE: Best Local IP-Address 10.1.1.2 for Radius-Server 10.1.1.125
> Jun 8 17:25:21.985: RADIUS(00000000): Send Access-Request to 10.1.1.125:1645 id 1645/70, len 48
> Jun 8 17:25:21.985: RADIUS: authenticator B1 23 93 6C 19 D7 5A AF - 17 85 44 8C 9A C3 DD D7
> Jun 8 17:25:21.985: RADIUS: User-Name [1] 4 "ap"
> Jun 8 17:25:21.985: RADIUS: User-Password [2] 18 *
> Jun 8 17:25:21.985: RADIUS: NAS-IP-Address [4] 6 10.1.1.2
>
> Jun 8 17:25:21.993: RADIUS: Received from id 1645/70 10.1.1.125:1645, Access-Accept, len 129
> Jun 8 17:25:21.993: RADIUS: authenticator E2 9E D5 1E 84 F8 37 2E - 87 7C 56 B5 D2 A1 A7 1E
> R2#
> Jun 8 17:25:21.993: RADIUS: Vendor, Cisco [26] 30
> Jun 8 17:25:21.993: RADIUS: Cisco AVpair [1] 24 "auth-proxy:priv-lvl=15"
> Jun 8 17:25:21.993: RADIUS: Vendor, Cisco [26] 49
> Jun 8 17:25:21.993: RADIUS: Cisco AVpair [1] 43 "auth-proxy:proxyacl#1=permit icmp any any"
> Jun 8 17:25:21.997: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>
> Jun 8 17:25:21.997: RADIUS: Class [25] 24
> Jun 8 17:25:21.997: RADIUS: 43 41 43 53 3A 30 2F 34 31 31 61 2F 61 30 31 30 [CACS:0/411a/a010]
> Jun 8 17:25:21.997: RADIUS: 31 30 32 2F 61 70 [102/ap]
> Jun 8 17:25:21.997: RADIUS(00000000): Received from id 1645/70
> Jun 8 17:25:21.997: RADIUS(00000000): Unique id not in use
> Jun 8 17:25:21.997: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
> R2#
> R2#
> Jun 8 17:25:26.043: RADIUS/ENCODE(00000000):Orig. component type = INVALID
> Jun 8 17:25:26.043: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
> Jun 8 17:25:26.043: RADIUS(00000000): Config NAS IP: 0.0.0.0
> Jun 8 17:25:26.043: RADIUS(00000000): sending
> Jun 8 17:25:26.043: RADIUS/ENCODE: Best Local IP-Address 10.1.1.2 for Radius-Server 10.1.1.125
> Jun 8 17:25:26.043: RADIUS(00000000): Send Access-Request to 10.1.1.125:1645 id 1645/71, len 48
> Jun 8 17:25:26.043: RADIUS: authenticator 3F 35 CE 41 9A 66 FD 8E - A9 08 5D 9D 7F FE 6A 9A
> Jun 8 17:25:26.043: RADIUS: User-Name [1] 4 "ap"
> Jun 8 17:25:26.047: RADIUS: User-Password [2] 18 *
> Jun 8 17:25:26.047: RADIUS: NAS-IP-Address [4] 6 10.1.1.2
>
> Jun 8 17:25:26.051: RADIUS: Received from id 1645/71 10.1.1.125:1645, Access-Accept, len 129
> Jun 8 17:25:26.051: RADIUS: authenticator 92 7F E5 75 DB 37 F7 80 - 7F C6 FA E1 F0 E6 C0 0D
> R2#
> Jun 8 17:25:26.055: RADIUS: Vendor, Cisco [26] 30
> Jun 8 17:25:26.055: RADIUS: Cisco AVpair [1] 24 "auth-proxy:priv-lvl=15"
> Jun 8 17:25:26.055: RADIUS: Vendor, Cisco [26] 49
> Jun 8 17:25:26.055: RADIUS: Cisco AVpair [1] 43 "auth-proxy:proxyacl#1=permit icmp any any"
> Jun 8 17:25:26.055: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>
> Jun 8 17:25:26.055: RADIUS: Class [25] 24
> Jun 8 17:25:26.055: RADIUS: 43 41 43 53 3A 30 2F 34 31 31 63 2F 61 30 31 30 [CACS:0/411c/a010]
> Jun 8 17:25:26.055: RADIUS: 31 30 32 2F 61 70 [102/ap]
> Jun 8 17:25:26.055: RADIUS(00000000): Received from id 1645/71
> Jun 8 17:25:26.059: RADIUS(00000000): Unique id not in use
> Jun 8 17:25:26.059: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
> R2#
> R2#
> Jun 8 17:26:20.513: AUTH-PROXY:proto_flag=4, dstport_index=4
> Jun 8 17:26:20.513: FIN ACK 863177907 SEQ 1929498951 LEN 0
> Jun 8 17:26:20.517: dst_addr 10.1.1.2 src_addr 10.1.1.202 dst_port 80 src_port 1330
> Jun 8 17:26:20.517: AUTH-PROXY:proto_flag=4, dstport_index=4
> Jun 8 17:26:20.517: SYN SEQ 4124981083 LEN 0
> Jun 8 17:26:20.517: dst_addr 10.1.1.2 src_addr 10.1.1.202 dst_port 80 src_port 1331
> Jun 8 17:26:20.521: AUTH-PROXY:proto_flag=4, dstport_index=4
> Jun 8 17:26:20.521: ACK 675496001 SEQ 4124981084 LEN 0
> Jun 8 17:26:20.521: dst_addr 10.1.1.2 src_addr 10.1.1.202 dst_port 80 src_port 1331
> Jun 8 17:26:20.521: AUTH-PROXY:proto_flag=4, dstport_index=4
> Jun 8 17:26:20.521: PSH ACK 675496001 SEQ 4124981084 LEN 439
> Jun 8 17:26:20.521: dst_addr 10.1.1.2 src_addr 10.1.1.202 dst_port 80 src_port 1331
> Jun 8 17:26:20.529: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
> Jun 8 17:26:20.529: RADIUS/ENCODE(00000000):Orig. component type = INVALID
> R2#
> Jun 8 17:26:20.529: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
> Jun 8 17:26:20.529: RADIUS(00000000): Config NAS IP: 0.0.0.0
> Jun 8 17:26:20.529: RADIUS(00000000): sending
> Jun 8 17:26:20.529: RADIUS/ENCODE: Best Local IP-Address 10.1.1.2 for Radius-Server 10.1.1.125
> Jun 8 17:26:20.533: RADIUS(00000000): Send Access-Request to 10.1.1.125:1645 id 1645/72, len 48
> Jun 8 17:26:20.533: RADIUS: authenticator 14 8A C6 2A B3 3D 78 FF - 4A EB FE 97 F8 6B 8A ED
> Jun 8 17:26:20.533: RADIUS: User-Name [1] 4 "ap"
> Jun 8 17:26:20.533: RADIUS: User-Password [2] 18 *
> Jun 8 17:26:20.533: RADIUS: NAS-IP-Address [4] 6 10.1.1.2
>
> Jun 8 17:26:20.541: RADIUS: Received from id 1645/72 10.1.1.125:1645, Access-Accept, len 129
> Jun 8 17:26:20.541: RADIUS: authenticator 28 64 DB 09 43 1F B6 C0 - 17 E5 C7 F4 4A 74 41 82
> Jun 8 17:26:20.541: RADIUS: Vendor, Cisco [26] 30
> Jun 8 17:26:20.541: RADIUS: Cisco AVpair [1] 24 "auth-proxy:priv-lvl=15"
> Jun 8 17:26:20.541: RADIUS: Vendor, Cisco [26] 49
> Jun 8 17:26:20.541: RADIUS: Cisco AVpair [1] 43 "auth-proxy:proxyacl#1=permit icmp any any"
> Jun 8 17:26:20.541: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>
> Jun 8 17:26:20.541: RADIUS: Class [25] 24
> Jun 8 17:26:20.545: RADIUS: 43 41 43 53 3A 30 2F 34 31 31 64 2F 61 30 31 30 [CACS:0/411d/a010]
> Jun 8 17:26:20.545: RADIUS: 31 30 32 2F 61 70 [102/ap]
> Jun 8 17:26:20.545: RADIUS(00000000): Received from id 1645/72
> Jun 8 17:26:20.545: RADIUS(00000000): Unique id not in use
> Jun 8 17:26:20.545: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
> Jun 8 17:26:20.549: AUTH-PROXY:proto_flag=4, dstport_index=4
> Jun 8 17:26:20.549: ACK 675496194 SEQ 4124981523 LEN 0
> Jun 8 17:26:20.549: dst_addr 10.1.1.2 src_addr 10.1.1.202 dst_port 80 src_port 1331
> R2#
>
>
>
>
>
>
>
>
>
>
> Farrukh Haroon wrote:
> Do one thing...
>
> First, are you using
>
> auth-proxy:proxyacl#1=permit icmp any any (notice the hash #1)
>
>
> OR
>
> auth-proxy:proxyacl=permit icmp any any
>
> Secondly, try to change this line from:
>
> aaa authorization exec default group radius
>
> to:
>
> aaa authorization exec default group radius none
>
>
> Also check out:
>
> http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080093f52.shtml
>
> If it still doesn't work, give me a copy of your debug output
> and show version.
>
> Regards
>
> Farrukh
>
>
>
> On 6/8/07, Peter Svidler wrote:
>> I am sorry, that was just a typing mistake.
>>
>> Actually, the AV pair is configured as
>>
>> auth-proxy:priv-lvl=15
>> auth-proxy:proxyacl=permit icmp any any
>>
>>
>> The problem remains...
>>
>> Vivek Santuka wrote:
>> Peter,
>>
>> I think the VSA which you are sending is not correct. The VSA
>> required is:
>>
>> auth-proxy:priv-lvl=15
>> auth-proxy:proxyacl#1=permit icmp any any
>>
>> The one which you mentioned is:
>>
>> proxy-auth:priv-lvl=15
>> proxy-auth:proxyacl#1=permit icmp any any
>>
>> Without proxy-auth priv-lvl 15 auth proxy will not work.
>>
>> Regards,
>> Vivek Santuka
>> CCIE #17621 (Security)
>>
>> On 6/8/07, Peter Svidler wrote:
>>>
>>> Guys,
>>> I am having a really hard time getting auth-proxy with RADIUS done.
>>>
>>> ACS------pc------R1---lo--
>>>
>>> Here is what I'm trying to do, a very simple scenario: I want the PC
>>> to be able to ping the loopback interface on R1 after getting
>>> authenticated by the ACS. I enabled the HTTP server on R1, using
>>> RADIUS for authentication, and enabled ip proxy-auth on the
>>> interface as in the configuration below.
>>>
>>> First of all, I am not able to log in unless I put priv-lvl=15
>>> (without the auth-proxy:). When I put only priv-lvl=15 I'm able to
>>> log in, but the ACL is not downloaded.
>>>
>>> R1
>>> aaa authentication login default group radius
>>> aaa authorization exec default group radius
>>> aaa authorization auth-proxy default group radius
>>> !
>>> ip auth-proxy name AP http
>>> !
>>> interface Ethernet0/0
>>>  ip address 10.1.1.1 255.255.255.0
>>>  ip access-group DENY_ICMP in
>>>  ip auth-proxy AP
>>> !
>>> ip access-list extended DENY_ICMP
>>>  deny icmp any any
>>>  permit ip any any
>>> !
>>> !
>>> radius-server host 10.1.1.125 auth-port 1645 acct-port 1646 key ciscovpn
>>> !
>>> ip http server
>>> ip http authentication aaa
>>> !
>>>
>>> On the ACS, I configured R1 for RADIUS (Cisco IOS) and enabled
>>> cisco-av-pair as
>>>
>>> proxy-auth:priv-lvl=15
>>> proxy-auth:proxyacl#1=permit icmp any any
>>>
>>> also tried
>>> priv-lvl=15
>>> proxy-auth:priv-lvl=15
>>> proxy-auth:proxyacl#1=permit icmp any any
>>>
>>> also tried
>>>
>>>
>>> priv-lvl=15
>>> proxy-auth:proxyacl#1=permit icmp any any
>>>
>>>
>>>
>>> Here is some debug output:
>>>
>>> Mar 1 02:24:20.140: RADIUS: Received from id 1645/11 10.1.1.125:1645, Access-Accept, len 119
>>> *Mar 1 02:24:20.140: RADIUS: authenticator 25 07 8E 52 82 BD F3 EB - 41 3E 8C 14 C8 62 EF 14
>>> *Mar 1 02:24:20.144: RADIUS: Vendor, Cisco [26] 19
>>> *Mar 1 02:24:20.144: RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
>>> *Mar 1 02:24:20.144: RADIUS: Vendor, Cisco [26] 49
>>> *Mar 1 02:24:20.144: RADIUS: Cisco AVpair [1] 43 "auth-proxy:proxyacl#1=permit icmp any any"
>>> *Mar 1 02:24:20.144: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
>>> *Mar 1 02:24:20.144: RADIUS: Class [25] 25
>>> *Mar 1 02:24:20.148: RADIUS: 43 41 43 53 3A 30 2F 31 62 39 34 2F 63 64 30 35 [CACS:0/1b94/cd05]
>>> *Mar 1 02:24:20.148: RADIUS: 30 31 30 31 2F 61 70 [0101/ap]
>>> *Mar 1 02:24:20.148: RADIUS(00000000): Received from id 1645/11
>>> *Mar 1 02:24:20.152: RADIUS(00000000): Unique id not in use
>>> *Mar 1 02:24:20.152: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
>>>
>>>
>>>
>>>
>>> What am I missing here? Any help will be appreciated.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>
>>
>
>
>
>
>
>
>
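The replies in this thread turn on the exact spelling of the Cisco AV-pairs the ACS returns: the prefix has to be auth-proxy: (not proxy-auth:), the privilege level has to be 15, and each downloadable ACE has to be a numbered auth-proxy:proxyacl#n entry. The script below is an added example, not code from the thread or from Cisco. It decodes the Vendor-Specific attributes (type 26, vendor 9, sub-type 1) out of a RADIUS Access-Accept body and checks those rules, then compares the working profile against the three broken variants Peter tried. The attribute bodies are constructed so that their lengths match R2's debug output (Vendor [26] 30 / AVpair [1] 24, Vendor [26] 49 / AVpair [1] 43, total 109 bytes plus the 20-byte header = 129); the RADIUS header itself is omitted. Two checks go beyond what the thread states and are assumptions taken from the Cisco auth-proxy documentation rather than from this page: that proxyacl entries are numbered contiguously from #1, and that each entry's source address is "any" because the router substitutes the authenticated host's address.

```python
"""Decode Cisco AV-pairs from a RADIUS Access-Accept body and check that they
form a usable auth-proxy profile.  Added example, not code from the thread;
the packet bytes are constructed to mirror the attributes in R2's debug."""
import struct

ATTR_VSA = 26          # RADIUS Vendor-Specific attribute (RFC 2865)
ATTR_FRAMED_IP = 8
ATTR_CLASS = 25
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1       # cisco-avpair vendor sub-attribute


def parse_tlvs(data: bytes):
    """Walk RADIUS type/length/value triples; the length covers the 2-byte header."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def cisco_avpairs(attrs: bytes) -> list:
    """Return the cisco-avpair strings carried in Vendor-Specific attributes."""
    pairs = []
    for atype, value in parse_tlvs(attrs):
        if atype != ATTR_VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue                      # some other vendor's VSA, not ours
        for subtype, subval in parse_tlvs(value[4:]):
            if subtype == CISCO_AVPAIR:
                pairs.append(subval.decode("ascii", errors="replace"))
    return pairs


def check_auth_proxy(pairs: list) -> dict:
    """Apply the rules the replies describe: prefix exactly 'auth-proxy:',
    priv-lvl 15, ACEs as numbered proxyacl#n entries.  The 'any' source and
    the 1..n numbering checks are assumptions from Cisco's auth-proxy docs."""
    problems, aces, priv = [], {}, None
    for pair in pairs:
        key, sep, val = pair.partition("=")
        if not sep:
            problems.append(f"not key=value: {pair!r}")
            continue
        if key.startswith("proxy-auth:"):
            problems.append(f"prefix is 'proxy-auth:' but IOS expects 'auth-proxy:': {pair!r}")
            continue
        if not key.startswith("auth-proxy:"):
            continue                      # e.g. bare priv-lvl=15: exec authorization, not auth-proxy
        sub = key[len("auth-proxy:"):]
        if sub == "priv-lvl":
            priv = val
        elif sub == "proxyacl":
            problems.append(f"proxyacl needs an index (proxyacl#1, #2, ...): {pair!r}")
        elif sub.startswith("proxyacl#") and sub[len("proxyacl#"):].isdigit():
            n = int(sub[len("proxyacl#"):])
            words = val.split()
            if len(words) < 3 or words[0] not in ("permit", "deny") or words[2] != "any":
                problems.append(f"proxyacl#{n} must read 'permit|deny <proto> any ...': {val!r}")
            aces[n] = val
        else:
            problems.append(f"unknown auth-proxy attribute: {pair!r}")
    if priv != "15":
        problems.append("auth-proxy:priv-lvl=15 missing; auth-proxy will not admit the user")
    if not aces:
        problems.append("no auth-proxy:proxyacl#n entries; nothing to download")
    elif sorted(aces) != list(range(1, len(aces) + 1)):
        problems.append(f"proxyacl indexes must run 1..n, got {sorted(aces)}")
    return {"ok": not problems, "problems": problems,
            "acl": [aces[n] for n in sorted(aces)]}


def tlv(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def cisco_vsa(avpair: str) -> bytes:
    """Wrap one cisco-avpair string in a Vendor-Specific attribute."""
    return tlv(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + tlv(CISCO_AVPAIR, avpair.encode()))


# Constructed attribute bodies (no RADIUS header).  ACCEPT_WORKING reproduces
# the lengths in the debug: Vendor [26] 30 / AVpair [1] 24, Vendor [26] 49 /
# AVpair [1] 43, Framed-IP-Address [8] 6, Class [25] 24.
ACCEPT_WORKING = (cisco_vsa("auth-proxy:priv-lvl=15")
                  + cisco_vsa("auth-proxy:proxyacl#1=permit icmp any any")
                  + tlv(ATTR_FRAMED_IP, bytes([255, 255, 255, 255]))
                  + tlv(ATTR_CLASS, b"CACS:0/4119/a010102/ap"))
ACCEPT_TYPO = (cisco_vsa("proxy-auth:priv-lvl=15")          # Peter's first attempt
               + cisco_vsa("proxy-auth:proxyacl#1=permit icmp any any"))
ACCEPT_NO_INDEX = (cisco_vsa("auth-proxy:priv-lvl=15")      # proxyacl without #1
                   + cisco_vsa("auth-proxy:proxyacl=permit icmp any any"))
ACCEPT_BARE_PRIV = (cisco_vsa("priv-lvl=15")                # login works, ACL never applied
                    + cisco_vsa("auth-proxy:proxyacl#1=permit icmp any any"))

if __name__ == "__main__":
    for name, body in [("working", ACCEPT_WORKING), ("proxy-auth typo", ACCEPT_TYPO),
                       ("no #n index", ACCEPT_NO_INDEX), ("bare priv-lvl", ACCEPT_BARE_PRIV)]:
        result = check_auth_proxy(cisco_avpairs(body))
        print(f"{name}: ok={result['ok']} acl={result['acl']}")
        for p in result["problems"]:
            print("   -", p)
```

Running it prints one line per profile; only the "working" body passes, and the "bare priv-lvl" body shows why Peter could log in but got no ACL: the unprefixed priv-lvl=15 is consumed by exec authorization and is invisible to auth-proxy.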



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:48 ART