Cisco Support Community

auth-proxy with MS IAS anyone?

Hello,

I am trying to set up authentication proxy for our internal network and need to integrate it with the AD user database. I have IAS radius configured with the av-pairs listed in the auth-proxy documentation and authentication is successful according to the http window and the debugging output of the router. But authorization doesn't work:

May 29 11:35:22.313: RADIUS(00000000): Send Access-Request to 172.16.1.1:1645 id 1645/7, len 92

May 29 11:35:22.313: RADIUS: authenticator 4E 04 9A CF 63 30 C7 EB - CB A3 17 E7 FA 78 66 00

May 29 11:35:22.313: RADIUS: NAS-IP-Address [4] 6 172.16.1.234

May 29 11:35:22.313: RADIUS: NAS-Port [5] 6 0

May 29 11:35:22.313: RADIUS: NAS-Port-Type [61] 6 Virtual [5]

May 29 11:35:22.313: RADIUS: User-Name [1] 17 "dummy"

May 29 11:35:22.313: RADIUS: Calling-Station-Id [31] 13 "172.16.1.74"

May 29 11:35:22.313: RADIUS: User-Password [2] 18 *

May 29 11:35:22.313: RADIUS: Service-Type [6] 6 Outbound [5]

May 29 11:35:22.321: RADIUS: Received from id 1645/7 172.16.1.1:1645, Access-Accept, len 163

May 29 11:35:22.321: RADIUS: authenticator 1A 7C 90 61 FE 2D 50 BD - 1B 5B 41 C1 1E 29 E1 B6

May 29 11:35:22.321: RADIUS: Vendor, Cisco [26] 32

May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 26 ""auth-proxy:priv-lvl=15""

May 29 11:35:22.321: RADIUS: Vendor, Cisco [26] 49

May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 43 ""auth-proxy:proxyacl#1=permit ip any any""

May 29 11:35:22.321: RADIUS: Service-Type [6] 6 Outbound [5]

May 29 11:35:22.321: RADIUS: Class [25] 32

May 29 11:35:22.321: RADIUS: 3F 71 04 D8 00 00 01 37 00 01 AC 10 01 01 01 C8 [?q?????7????????]

May 29 11:35:22.321: RADIUS: C0 00 8E 6D 73 8E 00 00 00 00 00 00 00 5B [???ms????????[]

May 29 11:35:22.321: RADIUS: Vendor, Microsoft [26] 12

May 29 11:35:22.321: RADIUS: MS-MPPE-Enc-Policy [7] 6

May 29 11:35:22.321: RADIUS: 00 00 00 01 [????]

May 29 11:35:22.321: RADIUS: Vendor, Microsoft [26] 12

May 29 11:35:22.321: RADIUS: MS-MPPE-Enc-Type [8] 6

May 29 11:35:22.321: RADIUS: 00 00 00 00 [????]

May 29 11:35:22.321: RADIUS: saved authorization data for user 48B7E5D8 at 4826F7E8

May 29 11:35:22.321: AAA/AUTHEN(2252561115): Status=PASS

May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): Port='GigabitEthernet0/0' list='default' service=AUTH-PROXY

May 29 11:35:22.325: AAA/AUTHOR/HTTP: GigabitEthernet0/0(620533465) user='dummy'

May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): send AV service=auth-proxy

May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): send AV cmd*

May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): found list "default"

May 29 11:35:22.325: GigabitEthernet0/0 AAA/AUTHOR/HTTP(620533465): Method=radius (radius)

May 29 11:35:22.325: RADIUS: cisco AVPair ""auth-proxy:priv-lvl=15""

May 29 11:35:22.325: RADIUS: cisco AVPair ""auth-proxy:proxyacl#1=permit ip any any""

May 29 11:35:22.325: Radius: unrecognized Vendor code 311

May 29 11:35:22.325: Radius: unrecognized Vendor code 311

May 29 11:35:22.325: AAA/AUTHOR (620533465): Post authorization status = PASS_ADD

Any idea what needs doing?

Ta,

Doro


Re: auth-proxy with MS IAS anyone?

I don't have any good solutions for you. But you might want to cross post this to the AAA forum.


Re: auth-proxy with MS IAS anyone?

Ah, I got it to work in the meantime. For anyone interested:

I had IAS configured with Vendor specific attributes and selected vendor Cisco (and "" around the av-pairs). I changed it to Cisco-AV-pair attributes and no "" and now it works. Very nice!

Doro
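
The literal quotes described in the fix above can be confirmed from the router's RADIUS debug output. The following check is an added example, not code from the posters or from Cisco. It assumes the debug printer wraps each string value in one pair of quotes (as it does for User-Name in the log above); the function name and the last two sample lines are constructed.

```python
import re

# Constructed sample: the two Cisco AVpair lines from the debug output above,
# then the same attributes as they would print without the literal quotes.
SAMPLE = '''\
May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 26 ""auth-proxy:priv-lvl=15""
May 29 11:35:22.321: RADIUS: Cisco AVpair [1] 43 ""auth-proxy:proxyacl#1=permit ip any any""
May 29 11:40:00.000: RADIUS: Cisco AVpair [1] 24 "auth-proxy:priv-lvl=15"
May 29 11:40:00.000: RADIUS: Cisco AVpair [1] 41 "auth-proxy:proxyacl#1=permit ip any any"
'''

# Captures the declared sub-attribute length and the text inside the printer's quotes.
AVPAIR_LINE = re.compile(r'RADIUS:\s+Cisco AVpair\s+\[1\]\s+(\d+)\s+"(.*)"\s*$')
# The two shapes used in this thread: priv-lvl=<n> and proxyacl#<n>=<ACL entry>.
VALID_VALUE = re.compile(r'^auth-proxy:(priv-lvl=\d+|proxyacl#\d+=\S.*)$')

def check_avpairs(debug_text):
    """Return one finding dict per Cisco AVpair line in the debug text."""
    findings = []
    for line in debug_text.splitlines():
        m = AVPAIR_LINE.search(line)
        if not m:
            continue
        declared_len, value = int(m.group(1)), m.group(2)
        findings.append({
            "value": value,
            # The sub-attribute length covers 2 header bytes (type, length) plus
            # the value, so a match shows the inner quotes were sent on the wire.
            "length_matches": declared_len == len(value) + 2,
            "literal_quotes": len(value) >= 2 and value[0] == '"' and value[-1] == '"',
            "well_formed": bool(VALID_VALUE.match(value)),
        })
    return findings

if __name__ == "__main__":
    for item in check_avpairs(SAMPLE):
        status = "OK" if item["well_formed"] else "BAD"
        print(f'{status:3} quotes={item["literal_quotes"]} '
              f'len_ok={item["length_matches"]} {item["value"]}')
```

On the log from the original post, both AVpair lines are reported with literal quotes, and the declared lengths (26 and 43) agree with the quoted strings.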
