5.2: Proxy authentication failing

Is anyone able to shed any light on why when I use a web browser to go past R1 (such as I am met with "Authentication failed"?

Configuration would seem as per the answer key:

aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host
tacacs-server directed-request
tacacs-server key CISCO
ip auth-proxy name AUTH_PROXY http
ip http server
ip http authentication aaa

interface Ethernet0/0
 ip address
 ip access-group VLAN19_IN in
 ip auth-proxy AUTH_PROXY

ip access-list extended VLAN19_IN
 deny tcp any eq 135
 permit ip any any

R1 can ping

On the ACS server the router does exist as a network object, using loopback address and password CISCO.

As per the answer key the auth-proxy custom attributes are

proxyacl#1=permit tcp any any eq 135

The debugs I obtain from R1 are as follows (.200 being the test PC that is sitting on VLAN 19):

*Mar 1 07:56:55.980: AUTH-PROXY FUNC: auth_proxy_fast_path
*Mar 1 07:56:55.980: AUTH-PROXY auth_proxy_find_conn_info :
find srcaddr -, dstaddr -

*Mar 1 07:56:55.984: AUTH-PROXY FUNC: auth_proxy_process_path
*Mar 1 07:56:55.984: PSH ACK 836346979 SEQ 2048779827 LEN 455
*Mar 1 07:56:55.984: dst_addr 2516649221 src_addr 3070301128 dst_port 80 src_port 1111
*Mar 1 07:56:55.984: AUTH-PROXY auth_proxy_find_conn_info :
find srcaddr -, dstaddr -

*Mar 1 07:56:55.988: clientport 1111 state 0
*Mar 1 07:56:56.004: http_get_token: count=455, status=0

*Mar 1 07:56:56.004: HTTP: token len 4: 'POST'
*Mar 1 07:56:56.004: AUTH-PROXY FUNC: auth_proxy_find_cache_using_srcaddr
*Mar 1 07:56:56.004: AUTH-PROXY : auth_proxy_find_cache_using_srcaddr
find srcaddr -

This does not look the best:

r1#show tacacs

Tacacs+ Server :
Socket opens: 0
Socket closes: 0
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 9
Total Packets Sent: 0
Total Packets Recv: 0
No current connection

Anyone have any thoughts on what might produce these symptoms? Any advice appreciated.
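
Added example, not part of the original post: a small Python parser for the "show tacacs" counters quoted above, with a triage rule for where the AAA exchange stops. The function names and category labels are hypothetical; the rule assumes only that TACACS+ runs over TCP port 49, so failed connects with no socket opens and no packets sent mean the session to the server never came up.

```python
import re

# "show tacacs" output copied from the post above.
SHOW_TACACS = """\
Tacacs+ Server :
Socket opens: 0
Socket closes: 0
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 9
Total Packets Sent: 0
Total Packets Recv: 0
No current connection
"""

def parse_show_tacacs(text):
    """Return {counter name (lower case): int} for every 'Name: N' line."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$", line)
        if m:
            counters[m.group(1).lower()] = int(m.group(2))
    return counters

def triage(counters):
    """Classify where the AAA exchange stops, from the counters alone."""
    opens = counters.get("socket opens", 0)
    failed = counters.get("failed connect attempts", 0)
    sent = counters.get("total packets sent", 0)
    recv = counters.get("total packets recv", 0)
    if failed and not opens and not sent:
        # Connects were attempted but no TCP/49 session ever opened: check the
        # server address, the route from the source interface, and filtering
        # in the path. The shared key and ACS policy have not been exercised.
        return "no-tcp-session"
    if sent and not recv:
        # Requests leave the router but nothing comes back.
        return "no-reply"
    if sent and recv:
        # The server is answering; look at the AAA exchange itself.
        return "server-answering"
    return "no-attempts"

if __name__ == "__main__":
    print(triage(parse_show_tacacs(SHOW_TACACS)))
```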

