We have an internal HTTP website on the corporate LAN that is protected by an auth-proxy (HTTP). This all works and functions correctly when accessed internally from the corporate network.
We have an issue in that we have some home workers that connect to the corporate LAN via Cisco 827 ADSL routers. They can connect to the LAN correctly and use internal resources. However, when attempting to access this particular site that is protected by the auth-proxy, after a brief pause a 400 error is returned to the browser.
Usually a 400 error refers to 'Bad Request'. Having performed some debugging on the router that is performing the auth-proxy, the actual username is being passed from the user's browser to the proxy router; however, nothing further happens apart from the error.
My question would be then, has anyone ever seen this issue? The captures don't seem to indicate much difference between internal and external users in terms of the data sent for authentication.
Is it possible that the ADSL router is somehow malforming the request, which the proxy router then cannot read?
The odd thing is the auth-proxy access list that is being used for the corporate LAN users to the web server is the same as the one that the VPN users would use. This is because the PIX that they authenticate to for the VPN session performs static NAT (1 to 1, not shared) so that the VPN users appear as a corporate user, with a corporate IP address. This is why the situation seemed quite odd, as if it works locally you'd expect it to work with VPN users that appear on the same LAN.
The access list on the 827 just allows everything from the client PC through the VPN tunnel, so nothing is being blocked here.
I'd only expect the VPN client to have to send the authentication details over to the router and then the router checks these against the RADIUS server. As far as I am aware, there is no RADIUS traffic that goes between the client and router or RADIUS server?
As mentioned previously, when debugging the router that performs the auth-proxy, I can see the username being sent through from the client, but I would then expect the router to make the ongoing RADIUS authentication to the RADIUS server. This doesn't happen with VPN users, but for the internal users the router authenticates the user with RADIUS and all is OK.