05-29-2008 05:33 AM - edited 03-09-2019 08:48 PM
Hello,
I am trying to set up authentication proxy for our internal network and need to integrate it with the AD user database. I have IAS RADIUS configured with the av-pairs listed in the auth-proxy documentation, and authentication is successful according to the HTTP window and the debugging output of the router. But authorization doesn't work:
May 29 11:35:22.313: RADIUS(00000000): Send Access-Request to 172.16.1.1:1645 id 1645/7, len 92
May 29 11:35:22.313: RADIUS: authenticator 4E 04 9A CF 63 30 C7 EB - CB A3 17 E7 FA 78 66 00
May 29 11:35:22.313: RADIUS: NAS-IP-Address [4] 6 172.16.1.234
May 29 11:35:22.313: RADIUS: NAS-Port [5] 6 0
May 29 11:35:22.313: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
May 29 11:35:22.313: RADIUS: User-Name [1] 17 "dummy"
May 29 11:35:22.313: RADIUS: Calling-Station-Id [31] 13 "172.16.1.74"
May 29 11:35:22.313: RADIUS: User-Password [2] 18 *
May 29 11:35:22.313: RADIUS: Service-Type [6] 6 Outbound [5]
May 29 11:35:22.321: RADIUS: Received from id 1645/7 172.16.1.1:1645, Access-Accept, len 163
May 29 11:35:22.321: RADIUS: authenticator 1A 7C 90 61 FE 2D 50 BD - 1B 5B 41 C1 1E 29 E1 B6
May 29 11:35:22.321: RADIUS: Vendor, Cisco [26] 32
May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 26 ""auth-proxy:priv-lvl=15""
May 29 11:35:22.321: RADIUS: Vendor, Cisco [26] 49
May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 43 ""auth-proxy:proxyacl#1=permit ip any any""
May 29 11:35:22.321: RADIUS: Service-Type [6] 6 Outbound [5]
May 29 11:35:22.321: RADIUS: Class [25] 32
May 29 11:35:22.321: RADIUS: 3F 71 04 D8 00 00 01 37 00 01 AC 10 01 01 01 C8 [?q?????7????????]
May 29 11:35:22.321: RADIUS: C0 00 8E 6D 73 8E 00 00 00 00 00 00 00 5B [???ms????????[]
May 29 11:35:22.321: RADIUS: Vendor, Microsoft [26] 12
May 29 11:35:22.321: RADIUS: MS-MPPE-Enc-Policy [7] 6
May 29 11:35:22.321: RADIUS: 00 00 00 01 [????]
May 29 11:35:22.321: RADIUS: Vendor, Microsoft [26] 12
May 29 11:35:22.321: RADIUS: MS-MPPE-Enc-Type [8] 6
May 29 11:35:22.321: RADIUS: 00 00 00 00 [????]
May 29 11:35:22.321: RADIUS: saved authorization data for user 48B7E5D8 at 4826F7E8
May 29 11:35:22.321: AAA/AUTHEN(2252561115): Status=PASS
May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): Port='GigabitEthernet0/0' list='default' service=AUTH-PROXY
May 29 11:35:22.325: AAA/AUTHOR/HTTP: GigabitEthernet0/0(620533465) user='dummy'
May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): send AV service=auth-proxy
May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): send AV cmd*
May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): found list "default"
May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): Method=radius (radius)
May 29 11:35:22.325: RADIUS: cisco AVPair ""auth-proxy:priv-lvl=15""
May 29 11:35:22.325: RADIUS: cisco AVPair ""auth-proxy:proxyacl#1=permit ip any any""
May 29 11:35:22.325: Radius: unrecognized Vendor code 311
May 29 11:35:22.325: Radius: unrecognized Vendor code 311
May 29 11:35:22.325: AAA/AUTHOR (620533465): Post authorization status = PASS_ADD
Any idea what needs doing?
Ta,
Doro
05-29-2008 06:46 AM
I don't have any good solutions for you. But you might want to cross post this to the AAA forum.
05-29-2008 06:51 AM
Ah, I got it to work in the meantime. For anyone interested:
I had IAS configured with Vendor specific attributes and selected vendor Cisco (and "" around the av-pairs). I changed it to Cisco-AV-pair attributes and no "" and now it works. Very nice!
Doro
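As an added illustration of the fix Doro describes (example code written for this page, not from the thread or from Cisco), the checker below parses the `RADIUS: Cisco AVpair` lines from the debug output above. IOS prints string attributes inside one pair of quotes, so `""auth-proxy:priv-lvl=15""` means the value IAS actually sent contains literal quote characters at both ends, which is why the router never matched it as an `auth-proxy:` attribute. The script flags such values, cross-checks the declared attribute length (type byte + length byte + payload) against the captured payload to confirm the quotes are real bytes on the wire, and notes that "unrecognized Vendor code 311" refers to Microsoft's IANA enterprise number (the MS-MPPE attributes also visible in the Access-Accept), which auth-proxy does not use. The sample lines are copied from the post; the function names are the example's own.

```python
import re

# Constructed sample: the AV-pair and vendor-code lines from the debug output
# posted above, as produced by the misconfigured IAS (values wrapped in quotes).
SAMPLE_DEBUG = """\
May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 26 ""auth-proxy:priv-lvl=15""
May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 43 ""auth-proxy:proxyacl#1=permit ip any any""
May 29 11:35:22.325: RADIUS: cisco AVPair ""auth-proxy:priv-lvl=15""
May 29 11:35:22.325: RADIUS: cisco AVPair ""auth-proxy:proxyacl#1=permit ip any any""
May 29 11:35:22.325: Radius: unrecognized Vendor code 311
"""

# Matches both debug formats seen in the thread: with "[1] <len>" (Access-Accept
# decode) and without it (authorization phase). The outer quotes are IOS display.
AVPAIR_RE = re.compile(
    r'RADIUS: Cisco AVpair (?:\[1\] (\d+) )?"(.*)"\s*$', re.IGNORECASE
)

MICROSOFT_ENTERPRISE_NUMBER = 311  # IANA private enterprise number for Microsoft


def parse_avpairs(debug_text):
    """Return one record per Cisco AVpair line found in the debug output."""
    records = []
    for line in debug_text.splitlines():
        m = AVPAIR_RE.search(line)
        if not m:
            continue
        declared_len, payload = m.group(1), m.group(2)
        # If the payload still starts and ends with '"', IAS sent the quotes
        # as part of the attribute value rather than as delimiters.
        quoted = len(payload) >= 2 and payload[0] == '"' and payload[-1] == '"'
        value = payload[1:-1] if quoted else payload
        rec = {"raw": payload, "quoted": quoted, "value": value}
        if declared_len is not None:
            # Declared length covers type (1) + length (1) + payload bytes, so
            # a match here proves the captured payload (quotes included) is
            # exactly what was on the wire, not a display artifact.
            rec["length_matches"] = int(declared_len) - 2 == len(payload)
        prefix, sep, _ = value.partition(":")
        rec["prefix"] = prefix if sep else None
        records.append(rec)
    return records


def corrected_value(rec):
    """The attribute value IAS should send for this record (quotes stripped)."""
    return rec["value"]


def diagnose(debug_text):
    """Human-readable findings for the auth-proxy authorization exchange."""
    findings = []
    for rec in parse_avpairs(debug_text):
        if rec["quoted"]:
            findings.append(
                f'literal quotes in AV-pair {rec["raw"]}: configure the '
                f'Cisco-AV-Pair attribute as {corrected_value(rec)} without quotes'
            )
        elif rec["prefix"] != "auth-proxy":
            findings.append(f'AV-pair {rec["raw"]} lacks the auth-proxy: prefix')
        else:
            findings.append(f'ok: {rec["value"]}')
    if f"unrecognized Vendor code {MICROSOFT_ENTERPRISE_NUMBER}" in debug_text:
        findings.append(
            "vendor code 311 is Microsoft (MS-MPPE attributes); ignored by "
            "auth-proxy, not the cause of the authorization failure"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG):
        print(finding)
```

Running it on the posted output reports every AV-pair as quoted, with the declared lengths (26 and 43) confirming the quote bytes were really sent; feeding it a line such as `RADIUS: Cisco AVpair [1] 24 "auth-proxy:priv-lvl=15"` (the shape you get after Doro's change to unquoted Cisco-AV-Pair attributes) reports it as ok.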