Folks,
I have got
internet-----R2-fast0/0--------PC
standard auth-proxy stuff, but can't get authorization working. Anyone seen
this issue?
It authenticates OK with freeRADIUS though :) a free Linux-based ACS
server.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization auth-proxy default group tacacs+
aaa session-id common
ip http authentication aaa
int fas0/1
authproxy blah..
test aaa works perfectly:
R2#
R2#test aaa gr tac
R2#test aaa gr tacacs+ frog frog l
Attempting authentication test to server-group tacacs+ using tacacs+
*User was successfully authenticated.
*
R2#
---------------- this is the error I get when the auth-proxy client tries to
authorize -----
*Mar 8 11:40:19.904: AAA/AUTHOR/HTTP: FastEthernet0/1(2596895044) user='frog'
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): send AV service=auth-proxy
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): send AV cmd*
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): found list "default"
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): Method=tacacs+ (tacacs+)
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): user=frog
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV service=auth-proxy
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV cmd*
*Mar 8 11:40:20.108: AAA/AUTHOR (2596895044): Post authorization status = FAIL
*Mar 8 11:40:20.108: AAA/MEMORY: free_user (0x46D52DD0) user='frog' ruser='NULL' port='FastEthernet0/1' rem_addr='3.3.25.55' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
According to the Cisco troubleshooting doc, this is exactly what is happening.
Am I missing a tick somewhere in my ACS?
The Cisco doc says "profile is not setup for authorization", but it's done exactly
as:
1. added new service 'auth-proxy' in the user or group
2. priv-lvl=15, proxyacl#1=permit ip any any
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800941b8.shtml
TACACS User Enters Correct Username and Password but Fails Authorization
*Debug shows:*
02:17:01: TAC+: ver=192 id=945629484 received AUTHEN status = PASS
02:17:02: TAC+: (1368282367): received author response status = FAIL
02:17:02: TAC+: Closing TCP/IP 0x61CAFFC8 connection to 171.68.118.115/49
02:17:02: AAA/AUTHOR (1368282367): Post authorization status = FAIL
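Added here as an example, not code from the post or from Cisco: a small Python parser that groups the IOS AAA/AUTHOR debug lines above by session id, records the AV pairs the router sent (service=auth-proxy, cmd*), the method and the post-authorization status, and lists the sessions whose auth-proxy authorization came back FAIL. The sample input is reconstructed from the post with the mail-wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Constructed sample: the "debug aaa authorization" lines from the post, unwrapped.
SAMPLE_DEBUG = """\
*Mar 8 11:40:19.904: AAA/AUTHOR/HTTP: FastEthernet0/1(2596895044) user='frog'
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): send AV service=auth-proxy
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): send AV cmd*
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): found list "default"
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): Method=tacacs+ (tacacs+)
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): user=frog
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV service=auth-proxy
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV cmd*
*Mar 8 11:40:20.108: AAA/AUTHOR (2596895044): Post authorization status = FAIL
"""

SESSION_RE = re.compile(r"\((\d+)\)")                      # e.g. (2596895044)
USER_RE = re.compile(r"user='?([^'\s]+)'?")                # user='frog' or user=frog
AV_RE = re.compile(r"send AV (\S+)")                       # AV pair sent to the server
METHOD_RE = re.compile(r"Method=(\S+)")                    # e.g. Method=tacacs+
STATUS_RE = re.compile(r"Post authorization status = (\w+)")

def parse_author_debug(text):
    """Group AAA/AUTHOR debug lines by session id and summarise each session."""
    sessions = defaultdict(lambda: {"user": None, "avpairs": [], "method": None, "status": None})
    for line in text.splitlines():
        if "AAA/AUTHOR" not in line:      # skip AAA/MEMORY and unrelated lines
            continue
        m = SESSION_RE.search(line)
        if not m:
            continue
        s = sessions[m.group(1)]
        if (u := USER_RE.search(line)) and s["user"] is None:
            s["user"] = u.group(1)
        # The HTTP and TAC+ layers each log the same AV pairs; keep one copy in order.
        if (av := AV_RE.search(line)) and av.group(1) not in s["avpairs"]:
            s["avpairs"].append(av.group(1))
        if mt := METHOD_RE.search(line):
            s["method"] = mt.group(1)
        if st := STATUS_RE.search(line):
            s["status"] = st.group(1)
    return dict(sessions)

def failed_auth_proxy_sessions(text):
    """Return (session_id, user) for sessions whose auth-proxy authorization failed."""
    return [(sid, s["user"]) for sid, s in parse_author_debug(text).items()
            if "service=auth-proxy" in s["avpairs"] and s["status"] == "FAIL"]

if __name__ == "__main__":
    for sid, user in failed_auth_proxy_sessions(SAMPLE_DEBUG):
        print(f"session {sid}: auth-proxy authorization FAILED for user {user}")
```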
Received on Tue Mar 08 2011 - 22:18:38 ART