Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
445
Views
0
Helpful
2
Replies

VPN Users and HTTP auth-proxy

1arichardson
Level 1
Level 1

‎05-28-2007 11:50 PM

We have an internal HTTP website on the corporate LAN that is protected by an auth-proxy (HTTP). This all works and functions correctly when accessed internally from the corporate network.

We have an issue in that we have some home workers that connect to the corporate LAN via Cisco 827 ADSL routers. They can connect to the LAN correctly and use internal resources. However, when attempting to access this particular site that is protected by the auth-proxy after a brief pause a 400 error is returned to the browser.

Usually a 400 error refers to 'Bad Request'. Having performed some debugging on the router that is performing the auth-proxy, the actual username is being passed from the user browser to the proxy router, however nothing further happens apart from the error.

My question would be then, has anyone ever seen this issue, The captures don't seem to indicate much difference from internal and external users in terms of the data sent for authentication.

Is it possible that the ADSL router is somehow malforming the request which the proxy router then can not read ?

Any assistance would be appreciated here.

Regards

Ash

Labels:
0 Helpful
2 Replies 2

Christian Osburg
Level 1
Level 1

‎06-05-2007 02:28 PM

Hello Ash,

can you post the relevant auth-proxy Access List's for:

corporate LAN -> Web-Server

VPN network segment -> Web-Server

on the C827:

Home LAN -> VPN network segment

because I think, that any ACL kills the authentication signal or so.

Have the C827 all the same IOS Version? Maybe it's a IOS bug?

Kind regards,

Christian

PS: Somethimes my english isn't very good ;)

0 Helpful

1arichardson
Level 1
Level 1
In response to Christian Osburg

‎06-11-2007 01:24 AM

Thanks for the reply Christian.

The odd thing is the auth-proxy access list that is being used for the corporate LAN users to the web server is the same as the one that the VPN users would use. This is because the PIX that they authenticate to for the VPN session performs static NAT (1 to 1, not shared) so that the VPN users appear as a corporate user, with a corporate IP address. This is why the situation seemed quite odd as if it works locally you'd expect it to work with VPN users that appear on the same LAN.

The access list on the 827 just allows everything from the client PC through the VPN tunnel, so nothing is being blocked here.

I'd only expect the VPN client to have to send the authentication details over to the router and then the router checks these against the radius server. As far as I am aware, there is no radius traffic that goes between the client and router or radius server ?

As mentioned previously, when debugging the router that performs the auth-proxy, I can see the username being sent through from the client, but I would then expect the router to make the ongoing radius authentication to the radius server. This doesn't happen with VPN users but the internal users the router authenticates the user with radius and all is ok.

Does that help to clarify things ?

Thanks

Ash

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents