
auth-proxy with MS IAS anyone?

lascumbres
Level 1

Hello,

I am trying to set up authentication proxy for our internal network and need to integrate it with the AD user database. I have IAS RADIUS configured with the av-pairs listed in the auth-proxy documentation, and authentication is successful according to the HTTP window and the debugging output of the router. But authorization doesn't work:

May 29 11:35:22.313: RADIUS(00000000): Send Access-Request to 172.16.1.1:1645 id 1645/7, len 92

May 29 11:35:22.313: RADIUS: authenticator 4E 04 9A CF 63 30 C7 EB - CB A3 17 E7 FA 78 66 00

May 29 11:35:22.313: RADIUS: NAS-IP-Address [4] 6 172.16.1.234

May 29 11:35:22.313: RADIUS: NAS-Port [5] 6 0

May 29 11:35:22.313: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

May 29 11:35:22.313: RADIUS: User-Name [1] 17 "dummy"

May 29 11:35:22.313: RADIUS: Calling-Station-Id [31] 13 "172.16.1.74"

May 29 11:35:22.313: RADIUS: User-Password [2] 18 *

May 29 11:35:22.313: RADIUS: Service-Type [6] 6 Outbound [5]

May 29 11:35:22.321: RADIUS: Received from id 1645/7 172.16.1.1:1645, Access-Accept, len 163

May 29 11:35:22.321: RADIUS: authenticator 1A 7C 90 61 FE 2D 50 BD - 1B 5B 41 C1 1E 29 E1 B6

May 29 11:35:22.321: RADIUS: Vendor, Cisco [26] 32

May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 26 ""auth-proxy:priv-lvl=15""

May 29 11:35:22.321: RADIUS: Vendor, Cisco [26] 49

May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 43 ""auth-proxy:proxyacl#1=permit ip any any""

May 29 11:35:22.321: RADIUS: Service-Type [6] 6 Outbound [5]

May 29 11:35:22.321: RADIUS: Class [25] 32

May 29 11:35:22.321: RADIUS: 3F 71 04 D8 00 00 01 37 00 01 AC 10 01 01 01 C8 [?q?????7????????]

May 29 11:35:22.321: RADIUS: C0 00 8E 6D 73 8E 00 00 00 00 00 00 00 5B [???ms????????[]

May 29 11:35:22.321: RADIUS: Vendor, Microsoft [26] 12

May 29 11:35:22.321: RADIUS: MS-MPPE-Enc-Policy [7] 6

May 29 11:35:22.321: RADIUS: 00 00 00 01 [????]

May 29 11:35:22.321: RADIUS: Vendor, Microsoft [26] 12

May 29 11:35:22.321: RADIUS: MS-MPPE-Enc-Type [8] 6

May 29 11:35:22.321: RADIUS: 00 00 00 00 [????]

May 29 11:35:22.321: RADIUS: saved authorization data for user 48B7E5D8 at 4826F7E8

May 29 11:35:22.321: AAA/AUTHEN(2252561115): Status=PASS

May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): Port='GigabitEthernet0/0' list='default' service=AUTH-PROXY

May 29 11:35:22.325: AAA/AUTHOR/HTTP: GigabitEthernet0/0(620533465) user='dummy'

May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): send AV service=auth-proxy

May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): send AV cmd*

May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): found list "default"

May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): Method=radius (radius)

May 29 11:35:22.325: RADIUS: cisco AVPair ""auth-proxy:priv-lvl=15""

May 29 11:35:22.325: RADIUS: cisco AVPair ""auth-proxy:proxyacl#1=permit ip any any""

May 29 11:35:22.325: Radius: unrecognized Vendor code 311

May 29 11:35:22.325: Radius: unrecognized Vendor code 311

May 29 11:35:22.325: AAA/AUTHOR (620533465): Post authorization status = PASS_ADD

Any idea what needs doing?

Ta,

Doro

2 Replies

srue
Level 7

I don't have any good solutions for you. But you might want to cross post this to the AAA forum.

Ah, I got it to work in the meantime. For anyone interested:

I had IAS configured with Vendor specific attributes and selected vendor Cisco (and "" around the av-pairs). I changed it to Cisco-AV-pair attributes and no "" and now it works. Very nice!

Doro
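
An added example, not part of the original posts: a small check that walks the attributes of an Access-Accept, pulls out the Cisco av-pair strings, and flags values wrapped in literal quotes, which is the form the debug output above shows (sub-attribute lengths 26 and 43 include the two quote characters) and the poster reports as failing. The function names and the constructed replies are assumptions for illustration; only the two av-pair strings and the Microsoft attribute come from the thread.

```python
import struct

VENDOR_SPECIFIC = 26        # RADIUS attribute type for vendor-specific data
CISCO, MICROSOFT = 9, 311   # enterprise numbers; 311 is the "unrecognized" one in the log
CISCO_AVPAIR = 1            # Cisco sub-attribute that carries av-pair strings

def vsa(vendor, subtype, value):
    """Encode one Vendor-Specific attribute with a single sub-attribute."""
    body = struct.pack("!I", vendor) + bytes([subtype, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def cisco_avpairs(attrs):
    """Return the Cisco av-pair strings found in a run of RADIUS attributes."""
    found, pos = [], 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError(f"malformed attribute at offset {pos}")
        value, pos = attrs[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO:
            continue                      # other vendors' attributes are skipped
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == CISCO_AVPAIR:
                found.append(sub[2:sub[1]].decode("ascii", "replace"))
            sub = sub[sub[1]:]
    return found

def check(avpair):
    """Classify an av-pair string as 'quoted', 'malformed' or 'ok'."""
    if len(avpair) >= 2 and avpair[0] == avpair[-1] == '"':
        return "quoted"                   # literal quotes sent as part of the value
    proto, sep, rest = avpair.partition(":")
    if not sep or not proto or not ("=" in rest or "*" in rest):
        return "malformed"
    return "ok"

# Constructed replies: the two av-pair strings are the ones in the debug output.
PAIRS = ["auth-proxy:priv-lvl=15", "auth-proxy:proxyacl#1=permit ip any any"]
MS_POLICY = vsa(MICROSOFT, 7, b"\x00\x00\x00\x01")   # MS-MPPE-Enc-Policy
BEFORE = b"".join(vsa(CISCO, CISCO_AVPAIR, f'"{p}"'.encode()) for p in PAIRS) + MS_POLICY
AFTER = b"".join(vsa(CISCO, CISCO_AVPAIR, p.encode()) for p in PAIRS) + MS_POLICY

if __name__ == "__main__":
    for name, reply in (("before", BEFORE), ("after", AFTER)):
        for pair in cisco_avpairs(reply):
            print(name, check(pair), pair)
```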
