Help with Auth-Proxy

Hi,

I am trying to do Auth-Proxy with a Cisco router running 12.4(7) and Secure ACS Solution Engine 3.3.3.11.

The router is configured as

+++++++++++++++++++++
aaa group server tacacs+ aus-nac-group-tacacs
 server-private 10.190.99.26 key xx
 ip tacacs source-interface GigabitEthernet0/0.99
aaa authentication login default group aus-nac-group-tacacs
aaa authentication login telnet group tacacs+ local
aaa authentication eou default group aus-nac-group
aaa authorization exec default group aus-nac-group-tacacs
aaa authorization exec telnet group tacacs+ if-authenticated
aaa authorization commands 1 telnet group tacacs+ if-authenticated
aaa authorization commands 15 telnet group tacacs+ if-authenticated
aaa authorization auth-proxy default group aus-nac-group-tacacs
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
ip auth-proxy name test-auth telnet inactivity-time 5 list nac-test-trigger_acl
++++++++++++++++++++++++

On the Secure ACS a new service is defined as "auth-proxy".

In the user profile the auth-proxy box is checked and the custom attributes are defined as

+++++++++++++++++++++++++++
priv-lvl=15
proxyacl#1="permit tcp any host 198.133.219.27"
+++++++++++++++++++++++++++++

However, when the user initiates a connection, authentication succeeds but authorization fails and the following message is shown on ACS

++++++++++++++
Service denied
service=auth-proxy protocol=ip
++++++++++++++

Any idea what could be going wrong here?

Thanks,

Naman


Re: Help with Auth-Proxy

I had the same problem. You can try to change the custom attribute from

proxyacl#1="permit tcp any host 198.133.219.27"

to

proxyacl#1=permit ip any host 198.133.219.27

If that succeeds, you can begin fine-tuning the access list until it does what it is supposed to do.

Hope it helps.

Eduardo
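Added example (not part of the thread, and not Cisco or ACS code): a small Python script that does two things. It builds and decodes a TACACS+ authorization REPLY body in the RFC 8907 section 6.2 layout, which is the body the router receives from ACS inside the obfuscated packet after a PASS_ADD or FAIL decision, so you can see that whatever ACS puts in the value field, quotes included, reaches the router byte for byte. It then lints an auth-proxy attribute block against the rules this thread turns on: priv-lvl=15 present, proxyacl#N numbered from 1, values not wrapped in quotes, and each value parsing as a permit/deny ACE. The cut-down ACE grammar and the consecutive-numbering rule are assumptions taken from Cisco's auth-proxy configuration examples, not from the thread; the two attribute blocks are the quoted one from the original post and the unquoted one from the reply above.

```python
"""Offline check of an ACS auth-proxy attribute block, plus a codec for the
TACACS+ authorization REPLY body that carries it (RFC 8907, section 6.2).
Added example for this thread; not Cisco or ACS code."""
import re
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2).
PASS_ADD, PASS_REPL, FAIL, ERROR = 0x01, 0x02, 0x10, 0x11

# The two attribute blocks posted in the thread.
QUOTED_ATTRS = ['priv-lvl=15', 'proxyacl#1="permit tcp any host 198.133.219.27"']
UNQUOTED_ATTRS = ['priv-lvl=15', 'proxyacl#1=permit ip any host 198.133.219.27']

# Assumption: a cut-down IOS extended-ACE grammar covering the forms seen in
# auth-proxy examples (any / host A.B.C.D / A.B.C.D mask, optional tcp/udp ports).
IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'
ADDR = rf'(?:any|host {IPV4}|{IPV4} {IPV4})'
PORT = r'(?: (?:eq|gt|lt|neq) \S+| range \S+ \S+)?'
ACE = re.compile(rf'^(?:permit|deny) (?:(?:ip|icmp) {ADDR} {ADDR}'
                 rf'|(?:tcp|udp) {ADDR}{PORT} {ADDR}{PORT})$')


def lint_auth_proxy_attrs(attrs):
    """Return a list of problems; an empty list means the block passed.
    priv-lvl=15 and consecutive proxyacl#N numbering follow Cisco's auth-proxy
    examples (assumption); the no-quotes rule is the advice given in the reply."""
    problems, acl_numbers, saw_priv = [], [], False
    for line in attrs:
        if '=' not in line:
            problems.append(f'not name=value: {line!r}')
            continue
        name, value = line.split('=', 1)
        if value[:1] in ('"', "'") or value[-1:] in ('"', "'"):
            problems.append(f'{name}: value is wrapped in quotes; send it bare')
            value = value.strip('"\'')
        if name == 'priv-lvl':
            saw_priv = True
            if value != '15':
                problems.append(f'priv-lvl must be 15, got {value!r}')
        elif (m := re.fullmatch(r'proxyacl#(\d+)', name)):
            acl_numbers.append(int(m.group(1)))
            if not ACE.match(value):
                problems.append(f'{name}: not a recognised ACE: {value!r}')
        else:
            problems.append(f'unexpected attribute {name!r} for service auth-proxy')
    if not saw_priv:
        problems.append('priv-lvl=15 is missing')
    if sorted(acl_numbers) != list(range(1, len(acl_numbers) + 1)):
        problems.append(f'proxyacl numbering must run 1..N, got {sorted(acl_numbers)}')
    return problems


def encode_author_reply(status, args, server_msg=b'', data=b''):
    """Build an authorization REPLY body: status, arg_cnt, server_msg_len,
    data_len, one length byte per arg, then server_msg, data and the args.
    The 12-byte TACACS+ header and the shared-key obfuscation are left out."""
    arg_bytes = [a.encode() for a in args]
    if any(len(a) > 255 for a in arg_bytes):
        raise ValueError('each arg is length-prefixed by a single byte')
    body = struct.pack('!BBHH', status, len(arg_bytes), len(server_msg), len(data))
    body += bytes(len(a) for a in arg_bytes)
    return body + server_msg + data + b''.join(arg_bytes)


def decode_author_reply(body):
    """Inverse of encode_author_reply; returns (status, args, server_msg, data)."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from('!BBHH', body, 0)
    pos = 6
    arg_lens = list(body[pos:pos + arg_cnt])
    pos += arg_cnt
    server_msg = body[pos:pos + msg_len]
    pos += msg_len
    data = body[pos:pos + data_len]
    pos += data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    if pos != len(body):
        raise ValueError('trailing bytes in REPLY body')
    return status, args, server_msg, data


def check_reply(body):
    """Decode a REPLY and report what the router would have to act on."""
    status, args, server_msg, _ = decode_author_reply(body)
    if status in (PASS_ADD, PASS_REPL):
        return lint_auth_proxy_attrs(args)
    return [f'authorization status 0x{status:02x}: {server_msg.decode() or "no server_msg"}']


if __name__ == '__main__':
    for label, attrs in (('quoted', QUOTED_ATTRS), ('unquoted', UNQUOTED_ATTRS)):
        print(label, check_reply(encode_author_reply(PASS_ADD, attrs)) or 'OK')
    print('denied', check_reply(encode_author_reply(FAIL, [], b'Service denied')))
```

Run it as is and the quoted block is flagged on the quotes alone, the unquoted block passes, and a FAIL reply surfaces the server_msg ("Service denied" here, constructed to mirror the ACS log line). If your own attribute block passes the lint but ACS still logs "Service denied", the attributes are not the problem and the service definition or group mapping on ACS is the next place to look.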


Re: Help with Auth-Proxy

I will give it a shot. Though exactly the same ACL format works when I use the RADIUS protocol instead of TACACS+!

Regards,

Naman
