Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

auth-proxy using TACACS+ not working after upgrade from IOS 15.0 to 15.1 or above

Symptoms

Using IOS 15.0 code, user is able to successfully use auth-proxy with TACACS+ and ACS 4.x. However as soon as the user upgrade his IOS to 15.1 and beyond, auth-proxy fails.

Conditions / Environment

  1. NAS device running IOS 15.1+
  2. auth-proxy using TACACS+

Cause / Problem Description

If you look at the 15.1 or 15.2 tacacs debugs you'll see the following:

265410: Jan 26 14:13:55 EST: TPLUS: processing authorization request id 59
265411: Jan 26 14:13:55 EST: TPLUS: Sending AV service=auth-proxy
265412: Jan 26 14:13:55 EST: TPLUS: Sending AV protocol=ip

However if you look at how the service is configured in the TACACS+ section of the interface configuration on the ACS you'll see that the protocol isn't specified:

20120206-213933_acs screen shot.png

It looks like the older 15.0 code didn't enforce the protocol for auth-proxy as strictly, whereas 15.1 and above does and thus the users faile auth-proxy.

Resolution

The fix for this is actually quite simple. You can just add ip under the protocol tab in the above section as shown below:

20120206-213933_acs screen shot.png

However the twist is that ACS doesn't just update the existing service, instead it creates a brand new service called "auth-proxy ip"(the older one was called just "auth-proxy"). So it fix this you need to go into each group which used to have "auth-proxy" enabled and enable "auth-proxy ip" for all of them, and copy over all the customer attributes so that it works exactly the same as before:

20120206-213930_auth-proxy ip.png

It's important to keep in mind, however, that until all NAS devices have been upgraded to 15.1+ code, it would be unwise to remove the old service.

Comments
Community Member
So, how to achieve the same thing in radius authorization profile for iOS 15.1 (auth-proxy ip). Helps appriciated.
1290
Views
0
Helpful
1
Comments