5.2: Proxy authentication failing

Is anyone able to shed any light on why when I use a web browser to go past R1 (such as 150.1.5.5) I am met with "Authentication failed"?

Configuration would seem as per the answer key:

aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 10.0.0.100
tacacs-server directed-request
tacacs-server key CISCO
ip auth-proxy name AUTH_PROXY http
ip http server
ip http authentication aaa

interface Ethernet0/0
ip address 183.1.19.1 255.255.255.0
ip access-group VLAN19_IN in
ip auth-proxy AUTH_PROXY

ip access-list extended VLAN19_IN
deny tcp 183.1.19.0 0.0.0.255 any eq 135
permit ip any any

R1 can ping 10.0.0.100.

On the ACS server the router does exist as a network object, using loopback address 150.1.1.1 and password CISCO.

As per the answer key the auth-proxy custom attributes are

priv-lvl=15
proxyacl#1=permit tcp any any eq 135

The debugs I obtain from R1 are as follows (.200 being the test PC that is sitting on VLAN 19):

*Mar 1 07:56:55.980: AUTH-PROXY FUNC: auth_proxy_fast_path
*Mar 1 07:56:55.980: AUTH-PROXY auth_proxy_find_conn_info :
find srcaddr - 183.1.19.200, dstaddr - 150.1.5.5
ip-srcaddr 183.1.19.200
pak-srcaddr 0.0.0.0

*Mar 1 07:56:55.984: AUTH-PROXY FUNC: auth_proxy_process_path
*Mar 1 07:56:55.984: PSH ACK 836346979 SEQ 2048779827 LEN 455
*Mar 1 07:56:55.984: dst_addr 2516649221 src_addr 3070301128 dst_port 80 src_port 1111
*Mar 1 07:56:55.984: AUTH-PROXY auth_proxy_find_conn_info :
find srcaddr - 183.1.19.200, dstaddr - 150.1.5.5
ip-srcaddr 183.1.19.200
pak-srcaddr 0.0.0.0

*Mar 1 07:56:55.988: clientport 1111 state 0
*Mar 1 07:56:56.004: http_get_token: count=455, status=0

*Mar 1 07:56:56.004: HTTP: token len 4: 'POST'
*Mar 1 07:56:56.004: AUTH-PROXY FUNC: auth_proxy_find_cache_using_srcaddr
*Mar 1 07:56:56.004: AUTH-PROXY : auth_proxy_find_cache_using_srcaddr
find srcaddr - 183.1.19.200

This does not look the best:
r1#show tacacs

Tacacs+ Server : 10.0.0.100/49
Socket opens: 0
Socket closes: 0
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 9
Total Packets Sent: 0
Total Packets Recv: 0
No current connection

Anyone have any thoughts on what might produce these symptoms? Any advice appreciated.

Comments

  • What does the log say on the ACS itself? Does it succeed there?

    greez,
    airflow
  • I have found that ACS doesn't have a route to 150.1.1.1, so I just included this at the ACS server:
    route add 150.1.1.1 mask 255.255.255.255 10.0.0.2
    Then the solution started working.
    You can test this by trying to ping 150.1.1.1 from ACS before and after you include the route.
  • A good solution for routing issues with the ACS server is to enable RIP routing on the Windows server and push the routes for the labs to the box via the routing protocol. Just make sure not to accept default routes on the machine. I did this and it saves the pain of adapting the routes from lab to lab.

    regards,
    airflow
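A small triage helper, added here as an example and not from the original post or from Cisco, that parses the "show tacacs" counters quoted above and maps them to the layer at which the AAA exchange is breaking. The verdict names and hint text are my own; in the poster's output, nine failed connect attempts with zero packets sent means the TCP session to port 49 never establishes at all, which points at the missing return route that the second comment fixed rather than at the shared key or the auth-proxy attributes.

```python
import re

# Constructed sample input: the "show tacacs" counters quoted in the post above.
SHOW_TACACS = """\
Tacacs+ Server : 10.0.0.100/49
Socket opens: 0
Socket closes: 0
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 9
Total Packets Sent: 0
Total Packets Recv: 0
No current connection
"""

HINTS = {
    "transport": "TCP/49 never completes; check the return route from the server to the 'ip tacacs source-interface' address and any ACLs in the path",
    "no-reply": "packets leave but nothing comes back; check the server's AAA client entry for that source address and its logs",
    "application": "the exchange completes; look at credentials, shared key or returned attributes in the server's failed-attempts log",
    "idle": "no TACACS+ traffic at all; verify the method list is actually applied to the feature",
}

def parse_show_tacacs(text):
    """Parse IOS 'show tacacs' output into the server string and integer counters."""
    server, counters = None, {}
    for line in text.splitlines():
        m = re.match(r"\s*Tacacs\+ Server\s*:\s*(\S+)", line)
        if m:
            server = m.group(1)
            continue
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1).lower()] = int(m.group(2))
    return {"server": server, "counters": counters}

def classify(parsed):
    """Map the counters to the layer at which the AAA exchange is breaking."""
    c = parsed["counters"]
    sent = c.get("total packets sent", 0)
    recv = c.get("total packets recv", 0)
    failed = c.get("failed connect attempts", 0)
    if failed > 0 and sent == 0:
        return "transport"      # the post's case: connects fail, nothing ever sent
    if sent > 0 and recv == 0:
        return "no-reply"
    if sent > 0:
        return "application"
    return "idle"
```

Calling classify(parse_show_tacacs(SHOW_TACACS)) returns "transport"; HINTS[verdict] gives the next thing to check.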