AUTH_PROXY only works with Cisco Secure ACS dude! :-) (just joking!)
Anyway, the full running configuration would be more helpful in this
situation... helps in understanding the scenario better.
Thanks,
Sadiq
On Tue, Mar 8, 2011 at 11:18 AM, Radioactive Frog <pbhatkoti_at_gmail.com> wrote:
> Folks,
>
> I have got
> internet-----R2-fast0/0--------PC
>
> standard auth-proxy stuff, but can't get authorization working. Anyone seen
> this issue?
>
> It authenticates OK with FreeRADIUS though :) a free Linux-based ACS
> server.
>
> aaa new-model
> aaa authentication login default group tacacs+
> aaa authorization exec default group tacacs+ if-authenticated
> aaa authorization auth-proxy default group tacacs+
> aaa session-id common
> ip http authentication aaa
> int fas0/1
> authproxy blah..
>
> test aaa works perfect:
>
> R2#
> R2#test aaa gr tac
> R2#test aaa gr tacacs+ frog frog l
> Attempting authentication test to server-group tacacs+ using tacacs+
> User was successfully authenticated.
> R2#
>
> ---------------- this is the error I get when the auth-proxy client tries to
> authorize -----
>
> *Mar 8 11:40:19.904: AAA/AUTHOR/HTTP: FastEthernet0/1(2596895044) user='frog'
> *Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): send AV service=auth-proxy
> *Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): send AV cmd*
> *Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): found list "default"
> *Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): Method=tacacs+ (tacacs+)
> *Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): user=frog
> *Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV service=auth-proxy
> *Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV cmd*
> *Mar 8 11:40:20.108: AAA/AUTHOR (2596895044): Post authorization status = FAIL
> *Mar 8 11:40:20.108: AAA/MEMORY: free_user (0x46D52DD0) user='frog' ruser='NULL' port='FastEthernet0/1' rem_addr='3.3.25.55' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
>
> According to the Cisco troubleshooting doco, this is exactly what is
> happening.
> Am I missing a tick somewhere in my ACS?
> The Cisco doco says "profile is not setup for authorization", but it's done
> exactly as:
> 1. added new service 'auth-proxy' in the user or group
> 2. priv-lvl=15, proxyacl#1=permit ip any any
>
> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800941b8.shtml
>
> TACACS User Enters Correct Username and Password but Fails Authorization
>
> Debug shows:
>
> 02:17:01: TAC+: ver=192 id=945629484 received AUTHEN status = PASS
> 02:17:02: TAC+: (1368282367): received author response status = FAIL
> 02:17:02: TAC+: Closing TCP/IP 0x61CAFFC8 connection to 171.68.118.115/49
>
> 02:17:02: AAA/AUTHOR (1368282367): Post authorization status = FAIL
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
-- CCIEx2 (R&S|Sec) #19963
Blogs and organic groups at http://www.ccie.net
Received on Tue Mar 08 2011 - 11:32:14 ART
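A small triage script, added here as an example and not part of the thread, that groups the `debug aaa authorization` lines quoted in the post by session id and reports the AV pairs the router sent next to the server's verdict. The sample lines are the post's own debug output, unwrapped; the suggested check in the finding text is an assumption taken from the Cisco note the post cites.

```python
import re

# Constructed sample: the AAA/AUTHOR debug lines from the post, unwrapped.
DEBUG = """\
*Mar 8 11:40:19.904: AAA/AUTHOR/HTTP: FastEthernet0/1(2596895044) user='frog'
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): send AV service=auth-proxy
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): send AV cmd*
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): found list "default"
*Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): Method=tacacs+ (tacacs+)
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): user=frog
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV service=auth-proxy
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV cmd*
*Mar 8 11:40:20.108: AAA/AUTHOR (2596895044): Post authorization status = FAIL
"""

# Extractors for the fields of interest; the user may or may not be quoted.
FIELDS = {
    "user": re.compile(r"user='?([^'\s]+)"),
    "list": re.compile(r'found list "([^"]+)"'),
    "method": re.compile(r"Method=(\S+)"),
    "status": re.compile(r"Post authorization status = (\w+)"),
}
SESSION = re.compile(r"\((\d+)\)")
AV = re.compile(r"send AV (\S+)")


def parse_author_debug(text):
    """Group AAA/AUTHOR lines by session id; collect user, method list,
    method, the AV pairs sent to the server and the final status."""
    sessions = {}
    for line in text.splitlines():
        sid = SESSION.search(line)
        if "AAA/AUTHOR" not in line or not sid:
            continue
        s = sessions.setdefault(sid.group(1), {"avs": []})
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                s[name] = m.group(1)
        m = AV.search(line)
        if m and m.group(1) not in s["avs"]:  # HTTP and TAC+ layers log the same AVs
            s["avs"].append(m.group(1))
    return sessions


def diagnose(sessions):
    """One finding per session whose auth-proxy authorization ended in FAIL."""
    return [f"session {sid}: {s.get('method')} server returned FAIL for user "
            f"{s.get('user')} with AVs {s['avs']}; check that the server profile "
            f"defines the auth-proxy service (assumed check, per the Cisco note)"
            for sid, s in sessions.items()
            if s.get("status") == "FAIL" and "service=auth-proxy" in s["avs"]]
```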