Using IOS 15.0 code, the user is able to successfully use auth-proxy with TACACS+ and ACS 4.x. However, as soon as the user upgrades the IOS to 15.1 or later, auth-proxy fails.
Conditions / Environment
NAS device running IOS 15.1+
auth-proxy using TACACS+
Cause / Problem Description
If you look at the 15.1 or 15.2 tacacs debugs you'll see the following:
265410: Jan 26 14:13:55 EST: TPLUS: processing authorization request id 59
265411: Jan 26 14:13:55 EST: TPLUS: Sending AV service=auth-proxy
265412: Jan 26 14:13:55 EST: TPLUS: Sending AV protocol=ip
However if you look at how the service is configured in the TACACS+ section of the interface configuration on the ACS you'll see that the protocol isn't specified:
It looks like the older 15.0 code didn't enforce the protocol for auth-proxy as strictly, whereas 15.1 and above does, and thus the users fail auth-proxy.
The fix for this is actually quite simple. You can just add ip under the protocol tab in the above section as shown below:
However, the twist is that ACS doesn't just update the existing service; instead it creates a brand new service called "auth-proxy ip" (the older one was called just "auth-proxy"). So to fix this you need to go into each group which used to have "auth-proxy" enabled, enable "auth-proxy ip" for all of them, and copy over all the custom attributes so that it works exactly the same as before:
It's important to keep in mind, however, that until all NAS devices have been upgraded to 15.1+ code, it would be unwise to remove the old service.
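As an added example (not part of the original article and not Cisco's code), the following Python checker parses the TPLUS "Sending AV" debug lines quoted above into per-request attribute sets, derives the ACS 4.x service name the request has to match (the service name alone when no protocol is sent, "service protocol" when one is, which is how the article describes ACS naming the new entry), and then lists the groups that still carry only the old "auth-proxy" service. The group dictionary, its attribute values, and the name-matching rule are constructed assumptions used to illustrate the migration the article describes; the old service is deliberately kept in place, matching the caveat about NAS devices still on 15.0.

```python
import re

# Constructed copy of the 15.1 TPLUS debug lines quoted in the article.
SAMPLE_DEBUG = """\
265410: Jan 26 14:13:55 EST: TPLUS: processing authorization request id 59
265411: Jan 26 14:13:55 EST: TPLUS: Sending AV service=auth-proxy
265412: Jan 26 14:13:55 EST: TPLUS: Sending AV protocol=ip
"""

# Constructed ACS 4.x group layout: group -> service name -> custom attributes.
# "Contractors" was never migrated, "Employees" already has the new service.
SAMPLE_GROUPS = {
    "Contractors": {
        "auth-proxy": {"priv-lvl": "15", "proxyacl#1": "permit tcp any any eq 80"},
    },
    "Employees": {
        "auth-proxy": {"priv-lvl": "15", "proxyacl#1": "permit ip any any"},
        "auth-proxy ip": {"priv-lvl": "15", "proxyacl#1": "permit ip any any"},
    },
    "Guests": {},
}

REQ_RE = re.compile(r"TPLUS: processing authorization request id (\d+)")
# TACACS+ AV pairs use '=' for mandatory and '*' for optional attributes.
AV_RE = re.compile(r"TPLUS: Sending AV ([A-Za-z0-9_#-]+)[=*](.+)$")


def parse_tplus_avs(debug_text):
    """Group 'Sending AV' lines under the authorization request id that
    precedes them. Returns {request_id: {attribute: value}}."""
    requests = {}
    current = None
    for line in debug_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            current = m.group(1)
            requests[current] = {}
            continue
        m = AV_RE.search(line)
        if m and current is not None:
            requests[current][m.group(1)] = m.group(2).strip()
    return requests


def acs_service_name(service, protocol=None):
    """Assumed ACS 4.x naming: 'auth-proxy' with an empty protocol field,
    'auth-proxy ip' once the protocol field is filled in."""
    return service if not protocol else f"{service} {protocol}"


def service_requested(avs):
    """Service name an ACS entry must carry to satisfy this request."""
    return acs_service_name(avs.get("service"), avs.get("protocol"))


def groups_missing_service(groups, needed, old="auth-proxy"):
    """Groups that still enable only the old service and would therefore
    fail authorization from a 15.1+ NAS."""
    return sorted(
        name for name, services in groups.items()
        if old in services and needed not in services
    )


def migrate_group(services, old="auth-proxy", new="auth-proxy ip"):
    """Return a copy of a group's services with the new service added and
    the old service's custom attributes copied over. The old service is
    kept so NAS devices still running 15.0 keep working."""
    migrated = {name: dict(attrs) for name, attrs in services.items()}
    if old in migrated and new not in migrated:
        migrated[new] = dict(migrated[old])
    return migrated


if __name__ == "__main__":
    reqs = parse_tplus_avs(SAMPLE_DEBUG)
    for rid, avs in reqs.items():
        needed = service_requested(avs)
        print(f"request {rid} needs ACS service {needed!r}")
        print("groups still missing it:", groups_missing_service(SAMPLE_GROUPS, needed))
        for name in groups_missing_service(SAMPLE_GROUPS, needed):
            print(name, "->", sorted(migrate_group(SAMPLE_GROUPS[name])))
```

Run it against your own `debug tacacs` output by replacing `SAMPLE_DEBUG`; the group dictionary would be filled from the ACS group setup pages, and `migrate_group` shows which entries have to be created and which attributes copied before any NAS is moved to 15.1+.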