From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Fri Jun 08 2007 - 10:08:13 ART
Peter, your configuration on your Radius server should be:
auth-proxy:priv-lvl=15
auth-proxy:proxyacl#1=permit icmp any any
and not "proxy-auth"
Have a look at:
http://www.cisco.com/warp/public/793/ios_fw/auth_intro.html
Regards
Farrukh
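As an added example (not part of the thread), a small Python checker that unwraps the debug radius lines Peter posted, pulls out the Cisco AVpair strings and reports which ones auth-proxy will actually act on. The sample text is a constructed copy of the Access-Accept from the thread; the attribute names it expects (auth-proxy:priv-lvl=15 and auth-proxy:proxyacl#N) are the ones from Farrukh's answer and the Cisco document he links.

```python
import re

# Constructed sample modelled on Peter's debug: the Access-Accept, with the
# terminal wrapping kept ("Access-" / "Accept", "proxyac" / "l#1").
DEBUG_FROM_THREAD = """\
*Mar  1 02:24:20.140: RADIUS: Received from id 1645/11 10.1.1.125:1645, Access-
Accept, len 119
*Mar  1 02:24:20.144: RADIUS:  Vendor, Cisco       [26]  19
*Mar  1 02:24:20.144: RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
*Mar  1 02:24:20.144: RADIUS:  Vendor, Cisco       [26]  49
*Mar  1 02:24:20.144: RADIUS:   Cisco AVpair       [1]   43  "auth-proxy:proxyac
l#1=permit icmp any any"
"""

TIMESTAMP = re.compile(r"^\*?[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d")
AVPAIR = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')
PROXYACL = re.compile(r"auth-proxy:proxyacl#(\d+)=(.+)")

def unwrap(debug_text):
    """Re-join wrapped lines: a line without a timestamp continues the previous one."""
    lines = []
    for line in debug_text.splitlines():
        if TIMESTAMP.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += line
    return lines

def avpairs(debug_text):
    """Cisco AVpair strings in the order the Access-Accept carried them."""
    return [m.group(1) for m in map(AVPAIR.search, unwrap(debug_text)) if m]

def check_auth_proxy(pairs):
    """List why auth-proxy authorization would fail, and the ACL it would download."""
    problems, acl = [], {}
    if "auth-proxy:priv-lvl=15" not in pairs:
        hint = " (priv-lvl=15 is sent bare)" if "priv-lvl=15" in pairs else ""
        problems.append("no auth-proxy:priv-lvl=15 attribute" + hint)
    for p in pairs:
        if p.startswith("proxy-auth:"):
            problems.append("wrong prefix, proxy-auth: instead of auth-proxy: in " + p)
        m = PROXYACL.match(p)
        if m:
            acl[int(m.group(1))] = m.group(2)
    if not acl:
        problems.append("no auth-proxy:proxyacl#N entries, so no ACL is downloaded")
    return {"problems": problems, "acl": [acl[n] for n in sorted(acl)]}
```

Run against the thread's own debug it reports exactly the gap Farrukh points at: the priv-lvl arrives without the auth-proxy: prefix, while the proxyacl entry is fine.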
On 6/8/07, Peter Svidler <doubleccie@yahoo.com> wrote:
> Guys,
>   I am having a really hard time getting auth proxy with RADIUS done.
>
>   ACS------pc------R1---lo--
>
>   Here is what I'm trying to do, a very simple scenario: I want the PC to be able to ping the loopback interface on R1 after getting authenticated by the ACS.
>   I enabled the HTTP server on R1, using RADIUS for authentication, and enabled ip proxy-auth on the interface as in the configuration below.
>
>   First of all, I am not able to log in unless I put (priv-lvl=15 without the auth-proxy:). When I put only priv-lvl=15 I'm able to log in, but the ACL is not downloaded.
>
>   R1
>   aaa authentication login default group radius
>   aaa authorization exec default group radius
>   aaa authorization auth-proxy default group radius
>   !
>   ip auth-proxy name AP http
>   !
>   interface Ethernet0/0
>    ip address 10.1.1.1 255.255.255.0
>    ip access-group DENY_ICMP in
>    ip auth-proxy AP
>   !
>   ip access-list extended DENY_ICMP
>    deny   icmp any any
>    permit ip any any
>   !
>   radius-server host 10.1.1.125 auth-port 1645 acct-port 1646 key ciscovpn
>   !
>   ip http server
>   ip http authentication aaa
>   !
>
>   On the ACS, I configured R1 for RADIUS (Cisco IOS) and enabled cisco-av-pair as
>
>   proxy-auth:priv-lvl=15
>   proxy-auth:proxyacl#1=permit icmp any any
>
>   also tried
>   priv-lvl=15
>   proxy-auth:priv-lvl=15
>   proxy-auth:proxyacl#1=permit icmp any any
>
>   also tried
>   priv-lvl=15
>   proxy-auth:proxyacl#1=permit icmp any any
>
>   Here is some debug output:
>
>   Mar  1 02:24:20.140: RADIUS: Received from id 1645/11 10.1.1.125:1645, Access-
> Accept, len 119
> *Mar  1 02:24:20.140: RADIUS:  authenticator 25 07 8E 52 82 BD F3 EB - 41 3E 8C
> 14 C8 62 EF 14
> *Mar  1 02:24:20.144: RADIUS:  Vendor, Cisco       [26]  19
> *Mar  1 02:24:20.144: RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
> *Mar  1 02:24:20.144: RADIUS:  Vendor, Cisco       [26]  49
> *Mar  1 02:24:20.144: RADIUS:   Cisco AVpair       [1]   43  "auth-proxy:proxyac
> l#1=permit icmp any any"
> *Mar  1 02:24:20.144: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
>   *Mar  1 02:24:20.144: RADIUS:  Class               [25]  25
> *Mar  1 02:24:20.148: RADIUS:   43 41 43 53 3A 30 2F 31 62 39 34 2F 63 64 30 35
>  [CACS:0/1b94/cd05]
> *Mar  1 02:24:20.148: RADIUS:   30 31 30 31 2F 61 70
>  [0101/ap]
> *Mar  1 02:24:20.148: RADIUS(00000000): Received from id 1645/11
> *Mar  1 02:24:20.152: RADIUS(00000000): Unique id not in use
> *Mar  1 02:24:20.152: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius
>  attributes may not be stored
>
>   What am I missing here? Any help will be appreciated.
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:47 ART