05-29-2008 05:33 AM - edited 03-09-2019 08:48 PM
Hello,
I am trying to set up authentication proxy for our internal network and need to integrate it with the AD user database. I have IAS RADIUS configured with the av-pairs listed in the auth-proxy documentation, and authentication is successful according to the HTTP window and the debugging output of the router. But authorization doesn't work:
May 29 11:35:22.313: RADIUS(00000000): Send Access-Request to 172.16.1.1:1645 id 1645/7, len 92
May 29 11:35:22.313: RADIUS: authenticator 4E 04 9A CF 63 30 C7 EB - CB A3 17 E7 FA 78 66 00
May 29 11:35:22.313: RADIUS: NAS-IP-Address [4] 6 172.16.1.234
May 29 11:35:22.313: RADIUS: NAS-Port [5] 6 0
May 29 11:35:22.313: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
May 29 11:35:22.313: RADIUS: User-Name [1] 17 "dummy"
May 29 11:35:22.313: RADIUS: Calling-Station-Id [31] 13 "172.16.1.74"
May 29 11:35:22.313: RADIUS: User-Password [2] 18 *
May 29 11:35:22.313: RADIUS: Service-Type [6] 6 Outbound [5]
May 29 11:35:22.321: RADIUS: Received from id 1645/7 172.16.1.1:1645, Access-Accept, len 163
May 29 11:35:22.321: RADIUS: authenticator 1A 7C 90 61 FE 2D 50 BD - 1B 5B 41 C1 1E 29 E1 B6
May 29 11:35:22.321: RADIUS: Vendor, Cisco [26] 32
May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 26 ""auth-proxy:priv-lvl=15""
May 29 11:35:22.321: RADIUS: Vendor, Cisco [26] 49
May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 43 ""auth-proxy:proxyacl#1=permit ip any any""
May 29 11:35:22.321: RADIUS: Service-Type [6] 6 Outbound [5]
May 29 11:35:22.321: RADIUS: Class [25] 32
May 29 11:35:22.321: RADIUS: 3F 71 04 D8 00 00 01 37 00 01 AC 10 01 01 01 C8 [?q?????7????????]
May 29 11:35:22.321: RADIUS: C0 00 8E 6D 73 8E 00 00 00 00 00 00 00 5B [???ms????????[]
May 29 11:35:22.321: RADIUS: Vendor, Microsoft [26] 12
May 29 11:35:22.321: RADIUS: MS-MPPE-Enc-Policy [7] 6
May 29 11:35:22.321: RADIUS: 00 00 00 01 [????]
May 29 11:35:22.321: RADIUS: Vendor, Microsoft [26] 12
May 29 11:35:22.321: RADIUS: MS-MPPE-Enc-Type [8] 6
May 29 11:35:22.321: RADIUS: 00 00 00 00 [????]
May 29 11:35:22.321: RADIUS: saved authorization data for user 48B7E5D8 at 4826F7E8
May 29 11:35:22.321: AAA/AUTHEN(2252561115): Status=PASS
May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): Port='GigabitEthernet0/0' list='default' service=AUTH-PROXY
May 29 11:35:22.325: AAA/AUTHOR/HTTP: GigabitEthernet0/0(620533465) user='dummy'
May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): send AV service=auth-proxy
May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): send AV cmd*
May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): found list "default"
May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): Method=radius (radius)
May 29 11:35:22.325: RADIUS: cisco AVPair ""auth-proxy:priv-lvl=15""
May 29 11:35:22.325: RADIUS: cisco AVPair ""auth-proxy:proxyacl#1=permit ip any any""
May 29 11:35:22.325: Radius: unrecognized Vendor code 311
May 29 11:35:22.325: Radius: unrecognized Vendor code 311
May 29 11:35:22.325: AAA/AUTHOR (620533465): Post authorization status = PASS_ADD
Any idea what needs doing?
Ta,
Doro
05-29-2008 06:46 AM
I don't have any good solutions for you. But you might want to cross post this to the AAA forum.
05-29-2008 06:51 AM
Ah, I got it to work in the meantime. For anyone interested:
I had IAS configured with Vendor specific attributes and selected vendor Cisco (and "" around the av-pairs). I changed it to Cisco-AV-pair attributes and no "" and now it works. Very nice!
Doro
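To show on the wire what the IAS change above fixed, here is an added Python example (not code from the thread, from Cisco or from IAS) that decodes the Cisco Vendor-Specific attributes of an Access-Accept and flags cisco-avpair values wrapped in literal quote characters, which is what the `""auth-proxy:priv-lvl=15""` lines in the debug output reveal. The attribute bytes are constructed here from the lengths shown in that output; the helper names are my own.

```python
import struct

# RADIUS attribute type 26 (Vendor-Specific); vendor ids per IANA enterprise numbers
VSA_TYPE = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1  # Cisco sub-attribute 1 = cisco-avpair

def build_vsa(vendor_id, sub_type, value):
    """Encode one Vendor-Specific attribute carrying a single sub-attribute."""
    body = struct.pack("!BB", sub_type, len(value) + 2) + value
    return struct.pack("!BBI", VSA_TYPE, len(body) + 6, vendor_id) + body

def parse_tlvs(data):
    """Yield (type, value) for each type/length/value triple in data."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        t, length = data[i], data[i + 1]
        yield t, data[i + 2:i + length]
        i += length

def cisco_avpairs(attrs):
    """Collect cisco-avpair strings; VSAs of other vendors are ignored
    (the router only logs those as 'unrecognized Vendor code')."""
    pairs = []
    for t, v in parse_tlvs(attrs):
        if t != VSA_TYPE or struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        for st, sv in parse_tlvs(v[4:]):
            if st == CISCO_AVPAIR:
                pairs.append(sv.decode("ascii", "replace"))
    return pairs

def auth_proxy_problems(pairs):
    """Flag values the router would not match: literal quotes or a wrong prefix."""
    problems = []
    for p in pairs:
        if p.startswith('"') or p.endswith('"'):
            problems.append("literal quotes in value: " + p)
        elif not p.startswith("auth-proxy:"):
            problems.append("not an auth-proxy pair: " + p)
    return problems

# Constructed Access-Accept attribute bytes mirroring the thread's debug output
BAD_ATTRS = (build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b'"auth-proxy:priv-lvl=15"')
             + build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b'"auth-proxy:proxyacl#1=permit ip any any"')
             + build_vsa(311, 7, b"\x00\x00\x00\x01"))  # Microsoft MS-MPPE-Enc-Policy
GOOD_ATTRS = (build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"auth-proxy:priv-lvl=15")
              + build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"auth-proxy:proxyacl#1=permit ip any any"))
```

The encoded lengths of `BAD_ATTRS` (32, 49 and 12 bytes) match the `[26] 32`, `[26] 49` and `[26] 12` figures in the debug output, so the extra quotes are part of the attribute value itself, not a display artifact.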