VPN Users and HTTP auth-proxy

Unanswered Question
May 28th, 2007

We have an internal HTTP website on the corporate LAN that is protected by an auth-proxy (HTTP). This all works and functions correctly when accessed internally from the corporate network.

We have an issue in that we have some home workers that connect to the corporate LAN via Cisco 827 ADSL routers. They can connect to the LAN correctly and use internal resources. However, when attempting to access this particular site that is protected by the auth-proxy after a brief pause a 400 error is returned to the browser.

Usually a 400 error refers to 'Bad Request'. Having performed some debugging on the router that is performing the auth-proxy, the actual username is being passed from the user browser to the proxy router, however nothing further happens apart from the error.

My question would be then, has anyone ever seen this issue, The captures don't seem to indicate much difference from internal and external users in terms of the data sent for authentication.

Is it possible that the ADSL router is somehow malforming the request which the proxy router then can not read ?

Any assistance would be appreciated here.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Christian Osburg Tue, 06/05/2007 - 14:28

Hello Ash,

can you post the relevant auth-proxy Access List's for:

corporate LAN -> Web-Server

VPN network segment -> Web-Server

on the C827:

Home LAN -> VPN network segment

because I think, that any ACL kills the authentication signal or so.

Have the C827 all the same IOS Version? Maybe it's a IOS bug?

Kind regards,


PS: Somethimes my english isn't very good ;)

1arichardson Mon, 06/11/2007 - 01:24

Thanks for the reply Christian.

The odd thing is the auth-proxy access list that is being used for the corporate LAN users to the web server is the same as the one that the VPN users would use. This is because the PIX that they authenticate to for the VPN session performs static NAT (1 to 1, not shared) so that the VPN users appear as a corporate user, with a corporate IP address. This is why the situation seemed quite odd as if it works locally you'd expect it to work with VPN users that appear on the same LAN.

The access list on the 827 just allows everything from the client PC through the VPN tunnel, so nothing is being blocked here.

I'd only expect the VPN client to have to send the authentication details over to the router and then the router checks these against the radius server. As far as I am aware, there is no radius traffic that goes between the client and router or radius server ?

As mentioned previously, when debugging the router that performs the auth-proxy, I can see the username being sent through from the client, but I would then expect the router to make the ongoing radius authentication to the radius server. This doesn't happen with VPN users but the internal users the router authenticates the user with radius and all is ok.

Does that help to clarify things ?




This Discussion