From: Vivek Santuka (vivsan@gmail.com)
Date: Fri Jun 08 2007 - 09:51:32 ART
Peter,
I think the VSA which you are sending is not correct. The VSA required is:
auth-proxy:priv-lvl=15
auth-proxy:proxyacl#1=permit icmp any any
The one which you mentioned is:
proxy-auth:priv-lvl=15
proxy-auth:proxyacl#1=permit icmp any any
Without proxy-auth priv-lvl 15, auth proxy will not work.
Regards,
Vivek  Santuka
CCIE #17621 (Security)
On 6/8/07, Peter Svidler <doubleccie@yahoo.com> wrote:
>
> Guys,
>   I am having a really hard time getting auth proxy with RADIUS done.
>
>   ACS------pc------R1---lo--
>
>   Here is what I'm trying to do, a very simple scenario: I want the PC to be
> able to ping the loopback interface on R1 after getting authenticated by the
> ACS.
>   I enabled the HTTP server on R1, using RADIUS for authentication, and
> enabled ip proxy-auth on the interface as in the configuration below.
>
>   First of all, I am not able to log in unless I put priv-lvl=15 without the
> auth-proxy: prefix. When I put only priv-lvl=15 I'm able to log in, but the
> ACL is not downloaded.
>
>   R1
>   aaa authentication login default group radius
>   aaa authorization exec default group radius
>   aaa authorization auth-proxy default group radius
>   !
>   ip auth-proxy name AP http
>   !
>   interface Ethernet0/0
>    ip address 10.1.1.1 255.255.255.0
>    ip access-group DENY_ICMP in
>    ip auth-proxy AP
>   !
>   ip access-list extended DENY_ICMP
>    deny   icmp any any
>    permit ip any any
>   !
>   radius-server host 10.1.1.125 auth-port 1645 acct-port 1646 key ciscovpn
>   !
>   ip http server
>   ip http authentication aaa
>   !
>
>   On the ACS, I configured R1 for RADIUS (Cisco IOS) and enabled
> cisco-av-pair as
>
>   proxy-auth:priv-lvl=15
>   proxy-auth:proxyacl#1=permit icmp any any
>
>   Also tried
>   priv-lvl=15
>   proxy-auth:priv-lvl=15
>   proxy-auth:proxyacl#1=permit icmp any any
>
>   Also tried
>
>   priv-lvl=15
>   proxy-auth:proxyacl#1=permit icmp any any
>
>   Here is some debug output:
>
> *Mar  1 02:24:20.140: RADIUS: Received from id 1645/11 10.1.1.125:1645, Access-Accept, len 119
> *Mar  1 02:24:20.140: RADIUS:  authenticator 25 07 8E 52 82 BD F3 EB - 41 3E 8C 14 C8 62 EF 14
> *Mar  1 02:24:20.144: RADIUS:  Vendor, Cisco       [26]  19
> *Mar  1 02:24:20.144: RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
> *Mar  1 02:24:20.144: RADIUS:  Vendor, Cisco       [26]  49
> *Mar  1 02:24:20.144: RADIUS:   Cisco AVpair       [1]   43  "auth-proxy:proxyacl#1=permit icmp any any"
> *Mar  1 02:24:20.144: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
> *Mar  1 02:24:20.144: RADIUS:  Class               [25]  25
> *Mar  1 02:24:20.148: RADIUS:   43 41 43 53 3A 30 2F 31 62 39 34 2F 63 64 30 35  [CACS:0/1b94/cd05]
> *Mar  1 02:24:20.148: RADIUS:   30 31 30 31 2F 61 70                             [0101/ap]
> *Mar  1 02:24:20.148: RADIUS(00000000): Received from id 1645/11
> *Mar  1 02:24:20.152: RADIUS(00000000): Unique id not in use
> *Mar  1 02:24:20.152: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
>
>   What am I missing here? Any help will be appreciated.
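The attribute encoding that the `debug radius` lines above show, as an added example that is not part of the original thread: it builds RADIUS attribute 26 (Vendor-Specific, vendor id 9, vendor type 1 = cisco-av-pair) for the pairs Peter's ACS returned, decodes them back out of the byte string, and reports which auth-proxy pairs the router would actually act on. The lengths it produces are the ones in the debug (`[26] 19` / `[1] 13` for `priv-lvl=15`, `[26] 49` / `[1] 43` for the proxyacl pair). The sample attribute set is constructed from that debug; the function names and the check logic are mine, not Cisco's.

```python
"""Encode/decode Cisco AVpair VSAs and check an Access-Accept for the
auth-proxy pairs IOS expects (auth-proxy:priv-lvl=15 plus at least one
auth-proxy:proxyacl#N=...). Added example, not from the original thread.
"""
import struct

CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
VSA_TYPE = 26         # RADIUS Vendor-Specific attribute
CISCO_AVPAIR = 1      # vendor type for cisco-av-pair


def encode_cisco_avpair(value):
    """One attribute 26 carrying a single cisco-av-pair string.
    Wire layout: Type(26) Len VendorId(4 bytes) | VendorType(1) VendorLen Value.
    Len covers the whole attribute, VendorLen only the sub-attribute."""
    v = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(v)) + v
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_attributes(data):
    """Split a RADIUS attribute list (or a vendor sub-attribute list)
    into (type, value) tuples, refusing to walk off a bad length."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        out.append((t, data[i + 2:i + l]))
        i += l
    return out


def cisco_avpairs(data):
    """Return every cisco-av-pair string found in an attribute list."""
    pairs = []
    for t, val in decode_attributes(data):
        if t != VSA_TYPE or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
            continue  # some other vendor's VSA; ignore
        for vt, sv in decode_attributes(val[4:]):
            if vt == CISCO_AVPAIR:
                pairs.append(sv.decode("ascii", "replace"))
    return pairs


def check_auth_proxy(pairs):
    """Classify the pairs the way the thread describes: only the
    'auth-proxy:' prefixed ones count for auth-proxy; a 'proxy-auth:'
    prefix is a typo and a bare priv-lvl=15 is exec authorization, not
    auth-proxy (it lets the user log in but downloads no ACL)."""
    result = {"priv_lvl": False, "acl": [], "wrong_prefix": [], "bare": []}
    for p in pairs:
        if p.startswith("auth-proxy:"):
            key, _, val = p[len("auth-proxy:"):].partition("=")
            if key == "priv-lvl" and val == "15":
                result["priv_lvl"] = True
            elif key.startswith("proxyacl#"):
                result["acl"].append(val)
        elif p.startswith("proxy-auth:"):
            result["wrong_prefix"].append(p)
        else:
            result["bare"].append(p)
    result["ok"] = result["priv_lvl"] and bool(result["acl"])
    return result


# Constructed from Peter's debug: bare priv-lvl plus a correctly prefixed ACL.
PETER_ACCEPT = (encode_cisco_avpair("priv-lvl=15") +
                encode_cisco_avpair("auth-proxy:proxyacl#1=permit icmp any any"))

# Constructed from Vivek's reply: what the ACS should be sending.
VIVEK_ACCEPT = (encode_cisco_avpair("auth-proxy:priv-lvl=15") +
                encode_cisco_avpair("auth-proxy:proxyacl#1=permit icmp any any"))


if __name__ == "__main__":
    for name, blob in (("Peter", PETER_ACCEPT), ("Vivek", VIVEK_ACCEPT)):
        pairs = cisco_avpairs(blob)
        print(name, pairs, check_auth_proxy(pairs))
```

The two length bytes are the usual place an encoding goes wrong: attribute 26's length counts the four vendor-id bytes and the sub-attribute, while the inner length counts only the sub-attribute, which is why the debug shows 19 and 13 for an 11-byte value. Running the check over the constructed Peter set reports the bare `priv-lvl=15` and no `auth-proxy:priv-lvl`, which is the symptom in the question (login works, no ACL); the Vivek set passes.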
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:47 ART