Thanks dude... it was the freakin' ACS... yes, open source works better than
anything :) that is my plug for open source.
Reinstalled ACS and bingo... no issue with anything now.
The takeaway of this post is:
if you see 'test aaa' authentication working in IOS but the user not
authenticating, you need to re-install the ACS.
I tried reinstalling it from the backup of the initial factory config, but that
didn't make any difference.
Sadiq - thanks for the heads up!
R2#
*Mar 8 12:31:58.955: AAA/MEMORY: free_user (0x46D58D0C) user='frog'
ruser='NULL' port='FastEthernet0/1' rem_addr='3.3.5.55' authen_type=ASCII
service=LOGIN priv=0 vrf= (id=0)
*Mar 8 12:32:12.771: AAA: parse name=FastEthernet0/1 idb type=-1 tty=-1
*Mar 8 12:32:12.771: AAA: name=FastEthernet0/1 flags=0x15 type=14 shelf=0
slot=0 adapter=0 port=1 channel=0
*Mar 8 12:32:12.771: AAA: parse name=<no string> idb type=-1 tty=-1
*Mar 8 12:32:12.771: AAA/MEMORY: create_user (0x46D557E8) user='NULL'
ruser='NULL' ds0=0 port='FastEthernet0/1' rem_addr='3.3.5.55'
authen_type=ASCII service=LOGIN priv=0 initial_task_id='0', vrf= (id=0)
*Mar 8 12:32:12.771: AAA/AUTHEN/START (2515472561): port='FastEthernet0/1'
list='default' action=LOGIN service=LOGIN
*Mar 8 12:32:12.771: AAA/AUTHEN/START (2515472561): found list default
*Mar 8 12:32:12.771: AAA/AUTHEN/START (2515472561): Method=tacacs+
(tacacs+)
*Mar 8 12:32:12.771: TAC+: send AUTHEN/START packet ver=192 id=-1779494735
*Mar 8 12:32:12.975: TAC+: ver=192 id=-1779494735 received AUTHEN status =
GETUSER
*Mar 8 12:32:12.975: AAA/AUTHEN(2515472561): Status=GETUSER
*Mar 8 12:32:12.975: AAA/AUTHEN/CONT (2515472561): continue_login
(user='(undef)')
*Mar 8 12:32:12.975: AAA/AUTHEN(2515472561): Status=GETUSER
*Mar 8 12:32:12.975: AAA/AUTHEN(2515472561): Method=tacacs+ (tacacs+)
*Mar 8 12:32:12.975: TAC+: send AUTHEN/CONT packet id=-1779494735
*Mar 8 12:32:13.175: TAC+: ver=192 id=-1779494735 received AUTHEN status =
GETPASS
*Mar 8 12:32:13.175: AAA/AUTHEN(2515472561): Status=GETPASS
*Mar 8 12:32:13.175: AAA/AUTHEN/CONT (2515472561): continue_login
(user='frog')
*Mar 8 12:32:13.175: AAA/AUTHEN(2515472561): Status=GETPASS
*Mar 8 12:32:13.175: AAA/AUTHEN(2515472561): Method=tacacs+ (tacacs+)
*Mar 8 12:32:13.175: TAC+: send AUTHEN/CONT packet id=-1779494735
*Mar 8 12:32:13.375: TAC+: ver=192 id=-1779494735 received AUTHEN status =
PASS
*Mar 8 12:32:13.375: AAA/AUTHEN(2515472561): Status=PASS
*Mar 8 12:32:13.579: TAC+: (-1688657998): received author response status =
PASS_ADD
R2#
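As an added example (not code from anyone in this thread), a small Python triage helper that groups `debug aaa authorization` output by AAA session id and flags the pattern Frog hit: the router sends `service=auth-proxy` to the TACACS+ server and gets `Post authorization status = FAIL` back, which points at the server-side profile rather than the IOS config. The sample lines are constructed from the thread's debug output (unwrapped); session id 1111111111 and its PASS_ADD result are made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the debug lines quoted in the thread (the mail
# client wrapped them; here each debug message is on one line). Session
# 2596895044 is the real failing one; 1111111111 is a made-up success case.
SAMPLE_DEBUG = """\
*Mar 8 11:40:19.904: AAA/AUTHOR/HTTP: FastEthernet0/1(2596895044) user='frog'
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): user=frog
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV service=auth-proxy
*Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV cmd*
*Mar 8 11:40:20.108: AAA/AUTHOR (2596895044): Post authorization status = FAIL
*Mar 8 12:40:19.904: AAA/AUTHOR/TAC+: (1111111111): user=frog
*Mar 8 12:40:19.904: AAA/AUTHOR/TAC+: (1111111111): send AV service=auth-proxy
*Mar 8 12:40:19.904: AAA/AUTHOR/TAC+: (1111111111): send AV cmd*
*Mar 8 12:40:20.108: AAA/AUTHOR (1111111111): Post authorization status = PASS_ADD
"""

USER_RE = re.compile(r"AAA/AUTHOR/TAC\+: \((\d+)\): user=(\S+)")
AV_RE = re.compile(r"AAA/AUTHOR/TAC\+: \((\d+)\): send AV (.+)$")
RESULT_RE = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")


def parse_author_sessions(debug_text):
    """Group authorization debug lines by AAA session id.

    Returns {session_id: {"user": str, "avs": [AV pairs sent], "status": str}}.
    """
    sessions = defaultdict(lambda: {"user": None, "avs": [], "status": None})
    for line in debug_text.splitlines():
        if m := USER_RE.search(line):
            sessions[m.group(1)]["user"] = m.group(2)
        elif m := AV_RE.search(line):
            sessions[m.group(1)]["avs"].append(m.group(2).strip())
        elif m := RESULT_RE.search(line):
            sessions[m.group(1)]["status"] = m.group(2)
    return dict(sessions)


def failed_auth_proxy_sessions(sessions):
    """Ids of sessions where the router asked for service=auth-proxy and the
    TACACS+ server answered FAIL. IOS built and sent the request, so the next
    thing to check is the server's auth-proxy service profile for that user."""
    return sorted(
        sid for sid, s in sessions.items()
        if s["status"] == "FAIL" and "service=auth-proxy" in s["avs"]
    )
```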
On Tue, Mar 8, 2011 at 10:32 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> AUTH_PROXY only works with Cisco Secure ACS dude! :-) (just joking!)
>
> Anyway, the full running configuration would be more helpful in this
> situation... helps in understanding the scenario better.
>
> Thanks,
> Sadiq
>
> On Tue, Mar 8, 2011 at 11:18 AM, Radioactive Frog <pbhatkoti_at_gmail.com> wrote:
>
>> Folks,
>>
>> I have got
>> internet-----R2-fast0/0--------PC
>>
>> standard auth-proxy stuff. But I can't get authorization working. Anyone
>> seen this issue?
>>
>> It authenticates OK with FreeRADIUS though :) a free Linux-based ACS
>> server.
>>
>> aaa new-model
>> aaa authentication login default group tacacs+
>> aaa authorization exec default group tacacs+ if-authenticated
>> aaa authorization auth-proxy default group tacacs+
>> aaa session-id common
>> ip http authentication aaa
>> int fas0/1
>> authproxy blah..
>>
>> test aaa works perfect:
>>
>> R2#
>> R2#test aaa gr tac
>> R2#test aaa gr tacacs+ frog frog l
>> Attempting authentication test to server-group tacacs+ using tacacs+
>> *User was successfully authenticated.
>> *
>> R2#
>>
>> ----------------this is the error I get when the authproxy client tries to
>> authorize-----
>>
>> *Mar 8 11:40:19.904: AAA/AUTHOR/HTTP: FastEthernet0/1(2596895044)
>> user='frog'
>> *Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): send AV
>> service=auth-proxy
>> *Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): send AV
>> cmd*
>> *Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044): found
>> list "default"
>> *Mar 8 11:40:19.904: FastEthernet0/1 AAA/AUTHOR/HTTP(2596895044):
>> Method=tacacs+ (tacacs+)
>> *Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): user=frog
>> *Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV
>> service=auth-proxy
>> *Mar 8 11:40:19.904: AAA/AUTHOR/TAC+: (2596895044): send AV cmd*
>> *Mar 8 11:40:20.108: AAA/AUTHOR (2596895044): Post authorization status =
>> FAIL
>> *Mar 8 11:40:20.108: AAA/MEMORY: free_user (0x46D52DD0) user='frog'
>> ruser='NULL' port='FastEthernet0/1' rem_addr='3.3.25.55' authen_type=ASCII
>> service=LOGIN priv=0 vrf= (id=0)
>>
>> According to the Cisco troubleshooting doc, this is exactly what is
>> happening.
>> Am I missing a tick somewhere in my ACS?
>> The Cisco doc says "profile is not set up for authorization", but it's done
>> exactly as:
>> 1. added the new service 'auth-proxy' in the user or group
>> 2. priv-lvl=15, proxyacl#1=permit ip any any
>>
>> http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800941b8.shtml
>>
>> TACACS User Enters Correct Username and Password but Fails Authorization
>>
>> *Debug shows:*
>>
>> 02:17:01: TAC+: ver=192 id=945629484 received AUTHEN status = PASS
>> 02:17:02: TAC+: (1368282367): received author response status = FAIL
>> 02:17:02: TAC+: Closing TCP/IP 0x61CAFFC8 connection to 171.68.118.115/49
>>
>> 02:17:02: AAA/AUTHOR (1368282367): Post authorization status = FAIL
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
> --
> CCIEx2 (R&S|Sec) #19963
Received on Tue Mar 08 2011 - 23:24:28 ART
This archive was generated by hypermail 2.2.0 : Fri Apr 01 2011 - 06:35:41 ART