IOS Authentication Proxy Local AAA task

Dears,

I am using IOS authentication proxy with the local router database and applied the same config as the solution on the router. I am using a Cisco 2821 with IOS c2800nm-advipservicesk9-mz.151-4.M5.bin.

Here is my config:

##########################################################
aaa new-model
!
aaa authentication login default local
aaa authorization auth-proxy default local
!
aaa attribute list AUTH-LIST
 attribute type proxyacl "deny icmp any any" service auth-proxy
!
ip auth-proxy name LOCAL telnet inactivity-time 60 absolute-timer 120 list AUTH-ACL
ip auth-proxy name LOCAL http inactivity-time 60 absolute-timer 120 list AUTH-ACL
!
username AUTH-USER password 0 AUTH-USER
username AUTH-USER aaa attribute list AUTH-LIST
!
interface GigabitEthernet0/0
 ip access-group DEFAULT-ACL in
 ip auth-proxy LOCAL
!
ip access-list extended AUTH-ACL
 permit tcp any host 192.168.101.100
ip access-list extended DEFAULT-ACL
 deny   ip any any
!
################################################################

I tried to telnet to 192.168.101.100 and to open http://192.168.101.100 from an internal IP, but in both cases I receive "authentication failed". The username and password are correct. I also tried another username/password combination and I am still facing the same issue. How can I troubleshoot the cause of the problem? Is there any specific IOS version it works with?

Comments

  • Hi,

       You know that username/passwords are case-sensitive, right? Post the output from "debug aaa authentication" and "debug aaa attr".

    Regards,

    Cristian.

  • Hi Cristian,
    I already tried many users (case-sensitive).

    Once I add the command "ip auth-proxy name LOCAL http absolute-timer 120 list AUTH-ACL", HTTP authentication works fine. My problem is only with the telnet connection. Here are the debugs, taken in a test on GNS3 using a user called proxy with password proxy.

    Please check the debugs below:

    *Mar  1 00:04:47.447: AAA/ATTR(00000003): new list: 0x66B04048
    *Mar  1 00:04:47.451: AAA/ATTR(00000003): cursor init: 65AA9AB8 66B04048 none none
    *Mar  1 00:04:47.451: AAA/ATTR(00000003): find: port-type(178): not found
    *Mar  1 00:04:47.451: AAA/ATTR(00000003): add attr: 66B04058 0 00000001 port-type(178) 4 Async
    *Mar  1 00:04:47.455: AAA/BIND(00000003): Bind i/f
    *Mar  1 00:04:47.455: AAA/ATTR(00000003): new list: 0x65B4F610
    *Mar  1 00:04:47.455: AAA/ATTR(00000003): add attr: 65B4F620 0 00000001 session-id(336) 4 1(1)
    *Mar  1 00:04:47.459: AAA/AUTHEN/LOGIN (00000003): Pick method list 'default'
    *Mar  1 00:04:47.459: AAA/ATTR(00000003): copy lists
    *Mar  1 00:04:47.463: AAA/ATTR(00000003): new list: 0x65B4F734 old list: 66B04048
    *Mar  1 00:04:47.463: AAA/ATTR(00000003): new list: 0x65B4F858
    *Mar  1 00:04:47.463: AAA/ATTR(00000003): add attr: 65B4F868 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.467: AAA/ATTR(00000003): add attr: 65B4F878 0 0000000A clid(28) 12 192.168.1.66
    *Mar  1 00:04:47.471: AAA/ATTR(00000003): cursor init: 65EA9668 66B04048 none none
    *Mar  1 00:04:47.471: AAA/ATTR(00000003): find: dnis(59): not found
    *Mar  1 00:04:47.471: AAA/ATTR(00000003): find: clid(28): not found
    *Mar  1 00:04:47.475: AAA/ATTR(00000003): cursor init: 669E8160 65B4F858 none unknown
    *Mar  1 00:04:47.475: AAA/ATTR(00000003): find: 65B4F868 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.479: AAA/ATTR(00000003): add attr: 65B4F888 0 00000009 reply-message(216) 10 Password:
    *Mar  1 00:04:47.479: AAA/ATTR(00000003): add attr: 65B4F898 0 00000009 password(255) 5 70 72 6F 78 79
    *Mar  1 00:04:47.483: AAA/ATTR(00000003): cursor init: 65EA9668 66B04048 none none
    *Mar  1 00:04:47.483: AAA/ATTR(00000003): find: dnis(59): not found
    *Mar  1 00:04:47.483: AAA/ATTR(00000003): find: clid(28): not found
    *Mar  1 00:04:47.487: AAA/ATTR(00000003): cursor init: 669E8160 65B4F858 none unknown
    *Mar  1 00:04:47.487: AAA/ATTR(00000003): find: 65B4F868 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): cursor init: 669E8160 65B4F858 none unknown
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): find: 65B4F898 0 00000009 password(255) 5 70 72 6F 78 79
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): free all lists: 0x65B4F858
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): del attr: 65B4F868 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): del attr: 65B4F878 0 0000000A clid(28) 12 192.168.1.66
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): del attr: 65B4F888 0 00000009 reply-message(216) 10 Password:
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): del attr: 65B4F898 0 00000009 password(255) 5 70 72 6F 78 79
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): copy lists
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): new list: 0x65F31304 old list: 66B04048
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): new list: 0x65F31428
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): add attr: 65F31438 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): free all lists: 0x65B4F734
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): del attr: 65B4F744 0 00000001 port-type(178) 4 Async
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): cursor init: 669E82A8 65F31428 none unknown
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): find: 65F31438 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.495: AAA/ATTR(00000000): copy lists
    *Mar  1 00:04:47.495: AAA/ATTR(00000000): new list: 0x66B0416C old list: 66C0F1AC
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): add attr: 65F31448 0 00000001 priv-lvl(269) 4 1(1)
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): cursor init: 667BC660 65F31428 none unknown
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): find: 65F31448 0 00000001 priv-lvl(269) 4 1(1)
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): free all lists: 0x65F31428
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): del attr: 65F31438 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.499: AAA/ATTR(00000003): del attr: 65F31448 0 00000001 priv-lvl(269) 4 1(1)0x66B0416C
    *Mar  1 00:04:47.499: AAA/ATTR(00000003): del attr: 66B0417C 0 0000000A proxyacl(272) 17 deny icmp any any
    *Mar  1 00:04:47.499: AAA/ATTR(00000003): free all lists: 0x65F31304
    *Mar  1 00:04:47.499: AAA/ATTR(00000003): del attr: 65F31314 0 00000001 port-type(178) 4 Async


    Here is the config on GNS3:

    aaa new-model
    !
    aaa authentication login default local
    aaa authorization auth-proxy default local
    !
    aaa attribute list ATT
     attribute type proxyacl "deny icmp any any" service auth-proxy
    !
    ip auth-proxy name AUTH telnet inactivity-time 60 list TCP
    ip auth-proxy name AUTH http inactivity-time 60 list TCP
    !
    interface FastEthernet0/1
     ip address 192.168.1.200 255.255.255.0
     ip access-group DENY in
     ip auth-proxy AUTH
    !
    ip http server
    ip http authentication aaa
    !
    ip access-list extended DENY
     deny   ip any any
    ip access-list extended TCP
     permit tcp any host 10.10.10.1
    !


  • Hi Cristian,
    I am testing the task with GNS3 now and it is still not working with telnet, but with HTTP it is working fine now.

    Here is the config below:

    ##############################################
    aaa new-model
    !
    aaa authentication login default local
    aaa authorization auth-proxy default local
    !
    aaa attribute list ATT
     attribute type proxyacl "deny icmp any any" service auth-proxy
    !
    ip auth-proxy name AUTH telnet inactivity-time 60 list TCP
    ip auth-proxy name AUTH http inactivity-time 60 list TCP
    !
    interface FastEthernet0/1
     ip address 192.168.1.200 255.255.255.0
     ip access-group DENY in
     ip auth-proxy AUTH
    !
    ip http server
    ip http authentication aaa
    !
    ip access-list extended DENY
     deny   ip any any
    ip access-list extended TCP
     permit tcp any host 10.10.10.1
    !
    ##########################################

     

    Please note that the router's IP address that I am connecting to is 10.10.10.1/24 and I am using a PC from the range 192.168.1.0/24.

    Regarding telnet, here is the debug output:

    ########################################################################
    *Mar  1 00:04:47.447: AAA/ATTR(00000003): new list: 0x66B04048
    *Mar  1 00:04:47.451: AAA/ATTR(00000003): cursor init: 65AA9AB8 66B04048 none none
    *Mar  1 00:04:47.451: AAA/ATTR(00000003): find: port-type(178): not found
    *Mar  1 00:04:47.451: AAA/ATTR(00000003): add attr: 66B04058 0 00000001 port-type(178) 4 Async
    *Mar  1 00:04:47.455: AAA/BIND(00000003): Bind i/f
    *Mar  1 00:04:47.455: AAA/ATTR(00000003): new list: 0x65B4F610
    *Mar  1 00:04:47.455: AAA/ATTR(00000003): add attr: 65B4F620 0 00000001 session-id(336) 4 1(1)
    *Mar  1 00:04:47.459: AAA/AUTHEN/LOGIN (00000003): Pick method list 'default'
    *Mar  1 00:04:47.459: AAA/ATTR(00000003): copy lists
    *Mar  1 00:04:47.463: AAA/ATTR(00000003): new list: 0x65B4F734 old list: 66B04048
    *Mar  1 00:04:47.463: AAA/ATTR(00000003): new list: 0x65B4F858
    *Mar  1 00:04:47.463: AAA/ATTR(00000003): add attr: 65B4F868 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.467: AAA/ATTR(00000003): add attr: 65B4F878 0 0000000A clid(28) 12 192.168.1.66
    *Mar  1 00:04:47.471: AAA/ATTR(00000003): cursor init: 65EA9668 66B04048 none none
    *Mar  1 00:04:47.471: AAA/ATTR(00000003): find: dnis(59): not found
    *Mar  1 00:04:47.471: AAA/ATTR(00000003): find: clid(28): not found
    *Mar  1 00:04:47.475: AAA/ATTR(00000003): cursor init: 669E8160 65B4F858 none unknown
    *Mar  1 00:04:47.475: AAA/ATTR(00000003): find: 65B4F868 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.479: AAA/ATTR(00000003): add attr: 65B4F888 0 00000009 reply-message(216) 10 Password:
    *Mar  1 00:04:47.479: AAA/ATTR(00000003): add attr: 65B4F898 0 00000009 password(255) 5 70 72 6F 78 79
    *Mar  1 00:04:47.483: AAA/ATTR(00000003): cursor init: 65EA9668 66B04048 none none
    *Mar  1 00:04:47.483: AAA/ATTR(00000003): find: dnis(59): not found
    *Mar  1 00:04:47.483: AAA/ATTR(00000003): find: clid(28): not found
    *Mar  1 00:04:47.487: AAA/ATTR(00000003): cursor init: 669E8160 65B4F858 none unknown
    *Mar  1 00:04:47.487: AAA/ATTR(00000003): find: 65B4F868 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): cursor init: 669E8160 65B4F858 none unknown
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): find: 65B4F898 0 00000009 password(255) 5 70 72 6F 78 79
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): free all lists: 0x65B4F858
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): del attr: 65B4F868 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): del attr: 65B4F878 0 0000000A clid(28) 12 192.168.1.66
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): del attr: 65B4F888 0 00000009 reply-message(216) 10 Password:
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): del attr: 65B4F898 0 00000009 password(255) 5 70 72 6F 78 79
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): copy lists
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): new list: 0x65F31304 old list: 66B04048
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): new list: 0x65F31428
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): add attr: 65F31438 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): free all lists: 0x65B4F734
    *Mar  1 00:04:47.491: AAA/ATTR(00000003): del attr: 65B4F744 0 00000001 port-type(178) 4 Async
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): cursor init: 669E82A8 65F31428 none unknown
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): find: 65F31438 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.495: AAA/ATTR(00000000): copy lists
    *Mar  1 00:04:47.495: AAA/ATTR(00000000): new list: 0x66B0416C old list: 66C0F1AC
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): add attr: 65F31448 0 00000001 priv-lvl(269) 4 1(1)
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): cursor init: 667BC660 65F31428 none unknown
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): find: 65F31448 0 00000001 priv-lvl(269) 4 1(1)
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): free all lists: 0x65F31428
    *Mar  1 00:04:47.495: AAA/ATTR(00000003): del attr: 65F31438 0 00000009 username(365) 5 proxy
    *Mar  1 00:04:47.499: AAA/ATTR(00000003): del attr: 65F31448 0 00000001 priv-lvl(269) 4 1(1)0x66B0416C
    *Mar  1 00:04:47.499: AAA/ATTR(00000003): del attr: 66B0417C 0 0000000A proxyacl(272) 17 deny icmp any any
    *Mar  1 00:04:47.499: AAA/ATTR(00000003): free all lists: 0x65F31304
    *Mar  1 00:04:47.499: AAA/ATTR(00000003): del attr: 65F31314 0 00000001 port-type(178) 4 Async
    ###################################################################################

  • Hi,

       The output looks good, proxyacl seems to be applied for the session, what is the output of "show ip auth-proxy cache username XXXX" once you authenticate via telnet? And can you actually initiate traffic afterwards? Do you have any special configs on the VTY lines? Without auth-proxy can you just telnet to the router and authenticate with the same username?

    Regards,

    Cristian.

  • Dear Cristian,

    This feature looks crazy :)

    I now tried the same config on my 2800 router and both telnet and HTTP are not working, while on GNS3 HTTP is working and telnet is not. It seems to be a bug. I can also telnet to the router if I remove the ACL and the auth-proxy rule from the router interface. I even memorized the configuration steps because I tried it more than 10 times :D

    Here is my config and the output of show ip auth-proxy cache username proxy. Please note that my source IP address is 10.255.255.2 and the destination that I am trying to telnet/HTTP to is 192.168.101.100.

    ############################################
    aaa new-model
    !
    aaa authentication login default local
    aaa authorization auth-proxy default local
    !
    aaa attribute list att
     attribute type proxyacl "deny icmp any any" service auth-proxy
    !
    aaa session-id common
    !
    dot11 syslog
    ip source-route
    ip auth-proxy name auth-proxy telnet inactivity-time 60 list tcp
    ip auth-proxy name auth-proxy http inactivity-time 60 list tcp
    !
    ip cef
    !
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    voice-card 0
    !
    crypto pki token default removal timeout 0
    !
    license udi pid CISCO2821 sn FHK0902F3XF
    username proxy password 0 proxy
    username proxy aaa attribute list att
    !
    redundancy
    !
    interface GigabitEthernet0/0
     ip address 10.255.255.1 255.255.255.0
     ip access-group deny in
     ip auth-proxy auth-proxy
     duplex auto
     speed 100
    !
    interface GigabitEthernet0/1
     ip address 192.168.101.34 255.255.255.0
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip http server
    ip http authentication aaa
    no ip http secure-server
    !
    ip route 0.0.0.0 0.0.0.0 192.168.101.100
    !
    ip access-list extended deny
     deny   ip any any
    ip access-list extended tcp
     permit tcp any host 192.168.101.100
    !
    control-plane
    !
    mgcp profile default
    !
    line con 0
    line aux 0
    line vty 0 4
     transport input all
    !
    scheduler allocate 20000 1000
    end

    ############################################

     

    Router#sh ip auth-proxy cache username proxy
    Authentication Proxy Cache

    User Name               : proxy
    Client IP               : 10.255.255.2
    Client Port             : 65195
    Timeout                 : 60
    Time  Remaining         : 60
    Connection state        : INIT

    EPM information : Authproxy

    EOU information
    -------------------------------------------------------------------------
    Address         Interface              AuthType   Posture-Token Age(min)
    -------------------------------------------------------------------------

    EPM information : EOU

    Existing Firewall Sessions Information:

    Router#


  • Hi,

       Officially and historically, auth-proxy requires the authenticating user to have privilege level 15; newer IOS code seems to no longer have this restriction, but it seems inconsistent. Try setting privilege level 15 for the user; it should work, hopefully, as there are no errors in the debugs.

    Regards,

    Cristian.
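The fix Cristian describes, written out as one complete local-AAA configuration so the changed line can be seen next to everything it depends on. This is an added example, not configuration copied from any post in this thread: the names, addresses and interface come from the first post's config, the `permit` proxyacl entries are illustrative replacements for the thread's `deny icmp any any`, the `secret` form of the username command is a deliberate change from the thread's clear-text `password 0`, and the `ip http` lines are included because the HTTP trigger needs the router's own HTTP server to present the login page.

```ios
! Added example (not the poster's config): local auth-proxy with the
! authenticating user at privilege 15. The thread's debug shows
! "priv-lvl(269) 4 1(1)" being returned for the user, i.e. privilege 1,
! and the cache entry stuck in state INIT.
aaa new-model
aaa authentication login default local
aaa authorization auth-proxy default local
!
! Entries installed in the interface ACL after a successful login. The
! source in each proxyacl entry must be "any"; auth-proxy rewrites it to the
! authenticated client's address when it installs the entry.
aaa attribute list AUTH-LIST
 attribute type proxyacl "permit tcp any host 192.168.101.100 eq 23" service auth-proxy
 attribute type proxyacl "permit tcp any host 192.168.101.100 eq 80" service auth-proxy
!
! Before (thread): no privilege keyword, so the user is privilege 1.
!   username AUTH-USER password 0 AUTH-USER
! After: privilege 15, and a hashed secret instead of a clear-text password.
username AUTH-USER privilege 15 secret AUTH-USER
username AUTH-USER aaa attribute list AUTH-LIST
!
! Same rule name for both triggers; the list names the traffic that starts
! the proxy, it does not permit anything by itself.
ip auth-proxy name LOCAL telnet inactivity-time 60 absolute-timer 120 list AUTH-ACL
ip auth-proxy name LOCAL http inactivity-time 60 absolute-timer 120 list AUTH-ACL
!
ip access-list extended AUTH-ACL
 permit tcp any host 192.168.101.100
! Everything is dropped until auth-proxy inserts the proxyacl entries.
ip access-list extended DEFAULT-ACL
 deny   ip any any
!
interface GigabitEthernet0/0
 ip access-group DEFAULT-ACL in
 ip auth-proxy LOCAL
!
! The HTTP trigger is answered by the router's own HTTP server.
ip http server
ip http authentication aaa
```

After a successful login, `show ip auth-proxy cache` should show the client's entry in state ESTAB rather than the INIT seen in the thread, and `show ip access-lists DEFAULT-ACL` should list the two proxyacl entries, with the client's address substituted for `any`, ahead of the static deny. One caveat the privilege-15 requirement creates: the same local database answers VTY logins under `aaa authentication login default local`, so the auth-proxy user can also log in to the router itself. Give the vty lines their own login method list, or an `access-class`, so that proxy credentials do not double as administrative ones.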

  • Hi Cristian,

    Finally it is working fine with local IOS :) Thank you so much for all the information in this post.
    I will also test it with RADIUS and TACACS by assigning privilege 15 to the user to see if it will work or not.

    Thanks again for assisting me in solving the problem :)

  • Hi Cristian,
    I just tested it with RADIUS, but it seems that it only works with proxy-ACL, after adding the Cisco RADIUS attribute cisco-av-pair shell:priv-lvl=15. However, for DACL and Filter-ID ACLs it is not working:

    With DACL, I cannot see anything related to it in the debug aaa attr output. With Filter-ID ACL, I can see it in the attribute but it is not applied on the interface.

    On ACS, I followed the same steps as in the workbook.

    It seems this feature depends on the IOS version.

    Here is my router config:

     

    ####################################################
    aaa new-model
    !
    aaa authentication login default group radius
    aaa authentication login CON none
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    !
    ip auth-proxy name auth telnet inactivity-time 60 list tcp
    ip auth-proxy name auth http inactivity-time 60 list tcp
    !
    interface GigabitEthernet0/0
     ip address 10.255.255.1 255.255.255.0
     ip access-group deny in
     ip auth-proxy auth
     duplex auto
     speed 100
    !
    interface GigabitEthernet0/1
     ip address 172.30.31.200 255.255.255.0
     duplex auto
     speed auto
    !
    ip access-list extended deny
     deny   ip any any
    ip access-list extended tcp
     permit tcp any host 172.30.31.20
    ip access-list extended user2
     permit tcp any any
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 11 default direction in
    radius-server host 172.30.31.1 key cisco
    radius-server vsa send authentication
    !
    line con 0
     privilege level 15
     login authentication CON
    line vty 0 4
     transport input all
    #####################################

  • Hi,

       So assigning privilege level 15 may or may not be required, based on the IOS code; however, the privilege level is additional to the ACL authorization (which can be DACL, Filter-ID or proxy-acl). You're saying that it works for proxy-acl but not for DACL and Filter-ID? Upload the output from "debug aaa authentication" for both DACL and Filter-ID; debug aaa attr is only used when local authorization is being used.

    Regards,

    Cristian.
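The router side of the RADIUS variant Cristian and the poster are discussing, as an added example that is not the poster's configuration. The addresses, server key, rule name and the `tcp`/`deny` ACLs are copied from the thread; the av-pairs shown in the comments are the `auth-proxy:` pairs Cisco documents for this service and are assumed to be what the RADIUS server returns for the user (the thread used `shell:priv-lvl=15`, which also worked for the poster). The ACS-side configuration is not shown.

```ios
! Added example (not the poster's config): auth-proxy authenticating and
! authorizing against RADIUS. Server, key and ACLs come from the thread; the
! av-pairs in the comments are assumed server output.
aaa new-model
aaa authentication login default group radius
aaa authentication login CON none
! auth-proxy authorization carries priv-lvl and the proxyacl entries;
! network authorization is the one that downloads a dACL named by ACS.
aaa authorization auth-proxy default group radius
aaa authorization network default group radius
!
radius server RAD
 address ipv4 172.30.31.1 auth-port 1645 acct-port 1646
 key cisco
! Include Service-Type in the Access-Request (the thread's debug shows it as
! service-type Outbound) and carry Cisco VSAs in authentication traffic.
radius-server attribute 6 on-for-login-auth
radius-server vsa send authentication
! A Filter-Id (attribute 11) sent as a bare ACL name is applied inbound.
radius-server attribute 11 default direction in
!
! Expected in the Access-Accept for the user, each as one cisco-av-pair
! (vendor 9, attribute 1):
!   auth-proxy:priv-lvl=15
!   auth-proxy:proxyacl#1=permit tcp any host 172.30.31.20
!   auth-proxy:proxyacl#2=permit icmp any host 172.30.31.20
! The source in every proxyacl entry must be "any"; the router rewrites it
! to the authenticated client's address when it installs the entry.
!
ip auth-proxy name auth telnet inactivity-time 60 list tcp
ip auth-proxy name auth http inactivity-time 60 list tcp
!
! Triggering traffic, and the interface ACL that drops everything until the
! per-user entries are installed.
ip access-list extended tcp
 permit tcp any host 172.30.31.20
ip access-list extended deny
 deny   ip any any
!
interface GigabitEthernet0/0
 ip address 10.255.255.1 255.255.255.0
 ip access-group deny in
 ip auth-proxy auth
!
! Console access stays independent of the RADIUS server.
line con 0
 privilege level 15
 login authentication CON
```

`debug radius` shows the Access-Accept and the av-pairs as they arrive, `debug aaa authorization` shows whether the auth-proxy authorization itself succeeds, and `show ip auth-proxy cache` together with `show ip access-lists deny` shows the resulting session and the entries installed for the client. One caveat the thread's configuration makes worth stating: with `aaa authentication login default group radius` and no second method, an unreachable RADIUS server locks out the vty lines as well as the proxy; the console is protected here by the `CON` list, and the default list would normally get `local` appended as a fallback.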

  • Hi Cristian,

    As I understand from your previous comment, we have to add privilege 15 to the user when using either TACACS or RADIUS with auth-proxy. Please correct me if I am wrong.

    Regarding DACL, it is now working fine and I can see it using the sh ip auth-proxy username user1 command and in show access-list.

    Regarding Filter-ID, it is still not working. I made some debugs and I can see that ACL "user2" is applied to the user but I cannot see it on the router. It is displayed using "debug aaa attr".

    Here is my configuration and the debug output.

    #####################################
    sh run:
    #####
    Building configuration...

    Current configuration : 1666 bytes
    !
    ! Last configuration change at 08:53:27 UTC Thu Feb 27 2014
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    !
    aaa authentication login default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    !
    aaa session-id common
    !
    dot11 syslog
    ip source-route
    ip auth-proxy name auth telnet inactivity-time 60 list tcp
    ip auth-proxy name auth http inactivity-time 60 list tcp
    !
    ip cef
    !
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    voice-card 0
    !
    crypto pki token default removal timeout 0
    !
    license udi pid CISCO2821 sn FHK0902F3XF
    !
    redundancy
    !
    interface GigabitEthernet0/0
     ip address 10.255.255.1 255.255.255.0
     ip access-group deny in
     ip auth-proxy auth
     duplex auto
     speed 100
    !
    interface GigabitEthernet0/1
     ip address 172.30.31.200 255.255.255.0
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    ip access-list extended deny
     deny   ip any any
    ip access-list extended tcp
     permit tcp any host 172.30.31.20
    ip access-list extended user2
     permit tcp any any
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 11 default direction in
    radius-server vsa send authentication
    !
    radius server RAD
     address ipv4 172.30.31.1 auth-port 1645 acct-port 1646
     key cisco
    !
    control-plane
    !
    mgcp profile default
    !
    line con 0
    line aux 0
    line vty 0 4
     transport input all
    !
    scheduler allocate 20000 1000
    end

    #####################################

    show commands output:
    #################
    Router#sh epm se
    Router#sh epm session ip 10.255.255.2
    Admission feature       : Authproxy
    AAA Policies            :
    Router#sh ip auth-proxy cache username user2
    Authentication Proxy Cache
    User Name               : user2
    Client IP               : 10.255.255.2
    Client Port             : 57647
    Timeout                 : 60
    Time  Remaining         : 48
    Connection state        : ESTAB

    EPM information : Authproxy
    Admission feature       : Authproxy
    AAA Policies            :

    EOU information
    -------------------------------------------------------------------------
    Address         Interface              AuthType   Posture-Token Age(min)
    -------------------------------------------------------------------------

    EPM information : EOU

    Existing Firewall Sessions Information:

    sh access-li
    Extended IP access list deny
        10 deny ip any any (2231 matches)
    Extended IP access list tcp
        10 permit tcp any host 172.30.31.20 (12 matches)
    Extended IP access list user2
        10 permit tcp any any
    Router#sh access-li
    Extended IP access list deny
        10 deny ip any any (2267 matches)
    Extended IP access list tcp
        10 permit tcp any host 172.30.31.20 (12 matches)
    Extended IP access list user2
        10 permit tcp any any
    Router#sh access-li
    Extended IP access list deny
        10 deny ip any any (2268 matches)
    Extended IP access list tcp
        10 permit tcp any host 172.30.31.20 (12 matches)
    Extended IP access list user2
        10 permit tcp any any
    Router#sh access-li
    Extended IP access list deny
        10 deny ip any any (2268 matches)
    Extended IP access list tcp
        10 permit tcp any host 172.30.31.20 (12 matches)
    Extended IP access list user2
        10 permit tcp any any
    Router#
    #####################################

    Debugs:

    ######


    *Feb 27 08:58:04.591: AAA/ATTR(00000013): new list: 0x4AFC686C handle: 0x7D00002C
    *Feb 27 08:58:04.591: AAA/ATTR(00000013): new sublist: 0x4AFD6868
    *Feb 27 08:58:04.591: AAA/ATTR(00000013): cursor init: 4B010930 4AFC686C none none
    *Feb 27 08:58:04.591: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.591: AAA/ATTR(00000013): sublist(0x4AFD6868)->index(0x000000FF) handle(0x7D00002C)port-type(214): not found
    *Feb 27 08:58:04.591: AAA/ATTR(00000013): add attr: sublist(0x4AFD6868) index(0): 4AFD6870 0 00000001 port-type(214) 4 Async
    *Feb 27 08:58:04.591: AAA/BIND(00000013): Bind i/f
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): new list: 0x4AFC6880 handle: 0x5100002D
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): new sublist: 0x4AFD67B0
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): add attr: sublist(0x4AFD67B0) index(0): 4AFD67B8 0 00000001 session-id(397) 4 6(6)
    *Feb 27 08:58:04.595: AAA/AUTHEN/AUTH-PROXY (00000013): Pick method list 'default'
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): copy lists
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): new list: 0x4AFC6830 handle: 0x3500002E
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): new sublist: 0x4AFD6754 new sublist: 4AFD6754
    *Feb 27 08:58:04.595: copy lists: src sublist(0x4AFD6868) index(0)
    *Feb 27 08:58:04.595: copy lists: dst sublist(0x4AFD6754) index(0)
    *Feb 27 08:58:04.595: copy lists: attr type: 214
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): new list: 0x4AFC6858 handle: 0x2C00002F
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): new sublist: 0x4AFD66F8
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): add attr: sublist(0x4AFD66F8) index(0): 4AFD6700 0 00000009 username(435) 5 user2
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): add attr: sublist(0x4AFD66F8) index(1): 4AFD6710 0 00000009 password(309) 5 <opaque value>
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): add attr: sublist(0x4AFD66F8) index(2): 4AFD6720 0 00000009 clid(37) 12 10.255.255.2
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): add attr: sublist(0x4AFD66F8) index(3): 4AFD6730 0 00000001 addr(8) 4 10.255.255.2
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): add attr: sublist(0x4AFD66F8) index(4): 4AFD6740 0 00000001 service-type(333) 4 Outbound
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): new sublist: 0x4AFD680C
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): add attr: sublist(0x4AFD680C) index(0): 4AFD6814 0 00000009 Message-Authenticator(263) 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): cursor init: 4B010AA0 4AFC6858 none none
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): find: 
    *Feb 27 08:58:04.595: AAA/ATTR(00000000): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)4AFD6710 0 00000009 password(309) 5 <opaque value>
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): cursor init: 4B010A88 4AFC6858 none none
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)4AFD6710 0 00000009 password(309) 5 <opaque value>
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): cursor init: 49669780 4AFC6858 none unknown
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)4AFD6700 0 00000009 username(435) 5 user2
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): cursor init: 49669780 4AFC6858 none unknown
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)4AFD6710 0 00000009 password(309) 5 <opaque value>
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): cursor init: 49669818 4AFC6858 none unknown
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)4AFD6700 0 00000009 username(435) 5 user2
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): cursor init: 49669818 4AFC6858 none unknown
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)4AFD6700 0 00000009 username(435) 5 user2
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): cursor init: 49669798 4AFC6858 none unknown
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)app-key(890): not found
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.595: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)random-nonce(891): not found
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)message-authenticator-code(892): not found
    *Feb 27 08:58:04.599: RADIUS/ENCODE(00000013):Orig. component type = Auth Proxy
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): cursor init: 496694E0 4AFC6858 none none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)formatted-clid(38): not found
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)4AFD6720 0 00000009 clid(37) 12 10.255.255.2
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find: 
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)clid-mac-addr(43): not found
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): cursor init: 49669708 4AFC6858 none none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find next matching service=none, protocol=none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): next attr: sublist(0x4AFD66F8) index(4): 4AFD6700 0 00000009 username(435) 5 user2
    *Feb 27 08:58:04.599: AAA/ATTR(00000013):  username ok
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find next matching service=none, protocol=none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): next attr: sublist(0x4AFD66F8) index(4): 4AFD6710 0 00000009 password(309) 5 <opaque value>
    *Feb 27 08:58:04.599: AAA/ATTR(00000013):  password ok
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find next matching service=none, protocol=none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): next attr: sublist(0x4AFD66F8) index(4): 4AFD6720 0 00000009 clid(37) 12 10.255.255.2
    *Feb 27 08:58:04.599: AAA/ATTR(00000013):  clid ok
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find next matching service=none, protocol=none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): next attr: sublist(0x4AFD66F8) index(4): 4AFD6730 0 00000001 addr(8) 4 10.255.255.2
    *Feb 27 08:58:04.599: AAA/ATTR(00000013):  addr ok
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find next matching service=none, protocol=none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): next attr: sublist(0x4AFD66F8) index(4): 4AFD6740 0 00000001 service-type(333) 4 Outbound
    *Feb 27 08:58:04.599: AAA/ATTR(00000013):  service-type ok
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find next matching service=none, protocol=none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD66F8)->index(0x00000004) handle(0x2C00002F)
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): next attr: sublist(0x4AFD680C) index(0): 4AFD6814 0 00000009 Message-Authenticator(263) 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    *Feb 27 08:58:04.599: AAA/ATTR(00000013):  Message-Authenticator ok
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find next matching service=none, protocol=none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD680C)->index(0x00000000) handle(0x2C00002F)
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): not found
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): cursor init: 49669708 4AFC6830 none none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find next matching service=none, protocol=none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD6754)->index(0x00000000) handle(0x3500002E)
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): next attr: sublist(0x4AFD6754) index(0): 4AFD675C 0 00000001 port-type(214) 4 Async
    *Feb 27 08:58:04.599: AAA/ATTR(00000013):  port-type ok
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): find next matching service=none, protocol=none
    *Feb 27 08:58:04.599: AAA/ATTR(00000013): sublist(0x4AFD6754)->index(0x00000000) handle(0x3500002E)

    *Feb 27 08:58:04.599: AAA/ATTR(00000013): not found

    *Feb 27 08:58:04.599: RADIUS(00000013): Config NAS IP: 0.0.0.0

    *Feb 27 08:58:04.599: RADIUS(00000013): Config NAS IPv6: ::

    *Feb 27 08:58:04.599: RADIUS/ENCODE: Best Local IP-Address 172.30.31.200 for Radius-Server 172.30.31.1

    *Feb 27 08:58:04.599: RADIUS(00000013): Sending a IPv4 Radius Packet

    *Feb 27 08:58:04.603: RADIUS(00000013): Started 5 sec timeout

    *Feb 27 08:58:04.615: RADIUS: Received from id 1645/10 172.30.31.1:1645, Access-Accept, len 102

    *Feb 27 08:58:04.615: AAA/ATTR(00000013): free list: 0x4AFC6858 handle: 0x2C00002F

    *Feb 27 08:58:04.615: AAA/ATTR(00000013): del attr: sublist(0x4AFD66F8) index(0): 4AFD6700 0 00000009 username(435) 5 user2

    *Feb 27 08:58:04.615: AAA/ATTR(00000013): del attr: sublist(0x4AFD66F8) index(1): 4AFD6710 0 00000009 password(309) 5 <opaque value>

    *Feb 27 08:58:04.615: AAA/ATTR(00000013): del attr: sublist(0x4AFD66F8) index(2): 4AFD6720 0 00000009 clid(37) 12 10.255.255.2

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): del attr: sublist(0x4AFD66F8) index(3): 4AFD6730 0 00000001 addr(8) 4 10.255.255.2

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): del attr: sublist(0x4AFD66F8) index(4): 4AFD6740 0 00000001 service-type(333) 4 Outbound

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): del attr: sublist(0x4AFD680C) index(0): 4AFD6814 0 00000009 Message-Authenticator(263) 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): new list: 0x4AFC6858 handle: 0x95000030

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): new sublist: 0x4AFD680C

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): cursor init: 4AE854B8 4AFC6858 none none

    *Feb 27 08:58:04.619: AAA/ATTR(00000000): add attr: sublist(0x4AFD680C) index(0): 4AFD6814 0 00000009 username(435) 5 user2

    *Feb 27 08:58:04.619: AAA/ATTR(00000000): add attr: sublist(0x4AFD680C) index(1): 4AFD6824 0 00000009 inacl(145) 5 user2

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): new list: 0x4AFC6844 handle: 0xD3000031

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): new sublist: 0x4AFD66F8

    *Feb 27 08:58:04.619: AAA/ATTR(00000000): add attr: sublist(0x4AFD680C) index(2): 4AFD6834 0 00000009 Message-Authenticator(263) 16 87 C7 F3 8F 5F 13 31 AB E6 91 B8 E9 BA 35 3A 59 

    *Feb 27 08:58:04.619: AAA/ATTR(00000000): add attr: sublist(0x4AFD680C) index(3): 4AFD6844 0 00000001 priv-lvl(324) 4 15(F)

    *Feb 27 08:58:04.619: AAA/ATTR(00000000): find: 

    *Feb 27 08:58:04.619: AAA/ATTR(00000000): sublist(0x4AFD680C)->index(0x00000003) handle(0x95000030)4AFD6844 0 00000001 priv-lvl(324) 4 15(F)

    *Feb 27 08:58:04.619: AAA/ATTR(00000000): sublist(0x4AFD680C)->index(0x00000003) handle(0x95000030)

    *Feb 27 08:58:04.619: AAA/ATTR(00000000): copy lists

    *Feb 27 08:58:04.619: AAA/ATTR(00000000): new list: 0x4AFC6894 handle: 0x80000032

    *Feb 27 08:58:04.619: AAA/ATTR(00000000): new sublist: 0x4AFD669C new sublist: 4AFD669C

    *Feb 27 08:58:04.619: copy lists: src sublist(0x4AFD680C) index(3)

    *Feb 27 08:58:04.619: copy lists: dst sublist(0x4AFD669C) index(3)

    *Feb 27 08:58:04.619: copy lists: attr type: 435

    *Feb 27 08:58:04.619: copy lists: attr type: 145

    *Feb 27 08:58:04.619: copy lists: attr type: 263

    *Feb 27 08:58:04.619: copy lists: attr type: 324

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): free list: 0x4AFC6858 handle: 0x95000030

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): del attr: sublist(0x4AFD680C) index(0): 4AFD6814 0 00000009 username(435) 5 user2

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): del attr: sublist(0x4AFD680C) index(1): 4AFD6824 0 00000009 inacl(145) 5 user2

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): del attr: sublist(0x4AFD680C) index(2): 4AFD6834 0 00000009 Message-Authenticator(263) 16 87 C7 F3 8F 5F 13 31 AB E6 91 B8 E9 BA 35 3A 59 

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): del attr: sublist(0x4AFD680C) index(3): 4AFD6844 0 00000001 priv-lvl(324) 4 15(F)

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): free list: 0x4AFC6830 handle: 0x3500002E

    *Feb 27 08:58:04.619: AAA/ATTR(00000013): del attr: sublist(0x4AFD6754) index(0): 4AFD675C 0 00000001 port-type(214) 4 Async

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): find: 

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)tag-name(839): not found

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): find next matching service=none, protocol=none

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): next attr: sublist(0x4AFD669C) index(3): 4AFD66A4 0 00000009 username(435) 5 user2

    *Feb 27 08:58:04.623: AAA/ATTR(00000000):  username ok

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): find next matching service=none, protocol=none

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): next attr: sublist(0x4AFD669C) index(3): 4AFD66B4 0 00000009 inacl(145) 5 user2

    *Feb 27 08:58:04.623: AAA/ATTR(00000000):  inacl ok

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): find next matching service=none, protocol=none

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): next attr: sublist(0x4AFD669C) index(3): 4AFD66C4 0 00000009 Message-Authenticator(263) 16 87 C7 F3 8F 5F 13 31 AB E6 91 B8 E9 BA 35 3A 59 

    *Feb 27 08:58:04.623: AAA/ATTR(00000000):  Message-Authenticator ok

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): find next matching service=none, protocol=none

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): next attr: sublist(0x4AFD669C) index(3): 4AFD66D4 0 00000001 priv-lvl(324) 4 15(F)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000):  priv-lvl service:shell ok

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): find next matching service=none, protocol=none

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): not found

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): find next matching service=none, protocol=none

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): next attr: sublist(0x4AFD669C) index(3): 4AFD66A4 0 00000009 username(435) 5 user2

    *Feb 27 08:58:04.623: AAA/ATTR(00000000):  username ok

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): find next matching service=none, protocol=none

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): next attr: sublist(0x4AFD669C) index(3): 4AFD66B4 0 00000009 inacl(145) 5 user2

    *Feb 27 08:58:04.623: AAA/ATTR(00000000):  inacl ok

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): find next matching service=none, protocol=none

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): next attr: sublist(0x4AFD669C) index(3): 4AFD66C4 0 00000009 Message-Authenticator(263) 16 87 C7 F3 8F 5F 13 31 AB E6 91 B8 E9 BA 35 3A 59 

    *Feb 27 08:58:04.623: AAA/ATTR(00000000):  Message-Authenticator ok

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): find next matching service=none, protocol=none

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): next attr: sublist(0x4AFD669C) index(3): 4AFD66D4 0 00000001 priv-lvl(324) 4 15(F)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000):  priv-lvl service:shell ok

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): find next matching service=none, protocol=none

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): sublist(0x4AFD669C)->index(0x00000003) handle(0x80000032)

    *Feb 27 08:58:04.623: AAA/ATTR(00000000): not found

    *Feb 27 08:58:04.627: AAA/ATTR(00000013): free list: 0x4AFC6880 handle: 0x5100002D

    *Feb 27 08:58:04.627: AAA/ATTR(00000013): del attr: sublist(0x4AFD67B0) index(0): 4AFD67B8 0 00000001 session-id(397) 4 6(6)

    *Feb 27 08:58:04.627: AAA/ATTR(00000013): free list: 0x4AFC6844 handle: 0xD3000031

    *Feb 27 08:58:04.627: AAA/ATTR(00000013): free list: 0x4AFC686C handle: 0x7D00002C

    *Feb 27 08:58:04.627: AAA/ATTR(00000013): del attr: sublist(0x4AFD6868) index(0): 4AFD6870 0 00000001 port-type(214) 4 Async

    Router#

    Router#un all

    #####################################

     

    Please advise.

     

  • Hi,

       In general, if you want help, then provide me with what I request. So I need the output from "debug aaa authentication"; it is more relevant. If it doesn't work, configure the ACL on the RADIUS server as "user2.in" to signal the inbound direction, and leave the ACL name on the router as "user2".

     

    Regards,

    Cristian.

  • Hi Cristian,

    I am sorry for the misunderstanding; here is the output of debug aaa authentication.

    *Feb 28 07:01:38.131: AAA/BIND(00000017): Bind i/f

    *Feb 28 07:01:38.135: AAA/AUTHEN/AUTH-PROXY (00000017): Pick method list 'default'

    Also, I tried user2.in on ACS while leaving the same ACL on the router, but it is still the same.

     

  • jchanjchan

    Hi, I was doing the same task using IOS c7200-adventerprisek9-mz.152-4.M4 on GNS3; this feature is not working. I tried both "ip auth-proxy" and the new command "ip admission". IOS accepted the commands but it is not doing anything: telnet to the host defined in the auth-proxy ACL fails, there is no login prompt, and no debug output either. Maybe a bug in this IOS.

    Falling back to IOS c3725-adventerprisek9-mz.124-15.T10, it works, but I need to add "privilege 15" to username AUTH-USER; if not, the authentication will fail. The debug output reveals that "privilege 15" is needed, as shown below.

    Mar  1 00:18:37.279: AUTH-PROXY:ap_passwd:carr ret seen D
    *Mar  1 00:18:37.279: AUTH-PROXY:ap_passwd:newline seen A
    *Mar  1 00:18:37.283: AUTH-PROXY:Authenticating user AUTH-USER
    *Mar  1 00:18:37.287: AUTH-PROXY:Sent AAA request successfully
    *Mar  1 00:18:37.291: AUTH-PROXY: Sent password successfully
    *Mar  1 00:18:37.295: AUTH-PROXY: Authorization request sent successfully
    *Mar  1 00:18:37.303: AUTH-PROXY:processing authorization data
    *Mar  1 00:18:37.303: AUTH-PROXY: Insufficient privilege level
    *Mar  1 00:18:37.307: AUTH-PROXY:wait complete on watched boolean stat=1
    *Mar  1 00:18:37.311: AUTH-PROXY:decremented proxy_proc_count=0
    *Mar  1 00:18:38.271: AUTH-PROXY:Session state is INIT.Not updating stats

    HTH
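    As an added example (not from any poster in this thread), a small Python checker that pulls the authorization attributes out of the AAA/ATTR "add attr" lines posted earlier and flags the two failure signs discussed here: the "Insufficient privilege level" message hit with local AAA, and an inacl name without the ".in" suffix suggested above. The sample lines are copied from this thread's debug output; the function names, the required_priv=15 threshold and the suffix check are my own assumptions.

```python
import re

# Constructed samples, copied from the debug output quoted in this thread.
# RADIUS case: attributes the router added after the Access-Accept for "user2".
RADIUS_DEBUG = [
    "*Feb 27 08:58:04.619: AAA/ATTR(00000000): add attr: sublist(0x4AFD680C) index(0): 4AFD6814 0 00000009 username(435) 5 user2",
    "*Feb 27 08:58:04.619: AAA/ATTR(00000000): add attr: sublist(0x4AFD680C) index(1): 4AFD6824 0 00000009 inacl(145) 5 user2",
    "*Feb 27 08:58:04.619: AAA/ATTR(00000000): add attr: sublist(0x4AFD680C) index(3): 4AFD6844 0 00000001 priv-lvl(324) 4 15(F)",
]
# Local AAA case: AUTH-USER without "privilege 15" on the 12.4(15)T10 image.
LOCAL_DEBUG = [
    "*Mar  1 00:18:37.283: AUTH-PROXY:Authenticating user AUTH-USER",
    "*Mar  1 00:18:37.303: AUTH-PROXY:processing authorization data",
    "*Mar  1 00:18:37.303: AUTH-PROXY: Insufficient privilege level",
]

# An "add attr" line ends with "<name>(<id>) <len> <value>"; priv-lvl prints as "15(F)".
ATTR_RE = re.compile(r"AAA/ATTR\(\w+\): add attr: .*\s([\w-]+)\((\d+)\)\s+\d+\s+(.*)$")

def parse_aaa_attrs(lines):
    """Map attribute name -> value for every 'add attr' line (last value wins)."""
    attrs = {}
    for line in lines:
        m = ATTR_RE.search(line)
        if m:
            name, _attr_id, value = m.groups()
            attrs[name] = value.strip()
    return attrs

def check_auth_proxy(lines, required_priv=15):
    """Return the reasons this debug output points to a failed auth-proxy login.
    required_priv=15 is an assumption taken from the thread (12.4(15)T10 needed it)."""
    findings = []
    attrs = parse_aaa_attrs(lines)
    user = attrs.get("username", "<unknown>")
    priv = attrs.get("priv-lvl")
    if priv is not None:
        level = int(re.match(r"\d+", priv).group(0))
        if level < required_priv:
            findings.append(f"priv-lvl {level} < {required_priv} for {user}")
    # inacl carries the downloadable ACL name; the thread suggests naming it
    # "<acl>.in" on the RADIUS server so IOS knows the direction.
    acl = attrs.get("inacl")
    if acl and not acl.endswith((".in", ".out")):
        findings.append(f"inacl '{acl}' has no direction suffix (try '{acl}.in' on the server)")
    for line in lines:
        if "AUTH-PROXY" in line and "Insufficient privilege level" in line:
            findings.append(f"router refused authorization: insufficient privilege level (needs {required_priv})")
    return findings
```

    Feed it the full "debug aaa attr" and "debug ip auth-proxy" capture of one session; an empty result means none of the thread's known failure patterns appeared.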

  • Hi,

    So I'm not sure what the problem was on the 15.2(M) code, without having the configuration and some debug output. Otherwise, it really depends on the IOS code whether or not you need to configure the priv-lvl; to be on the safe side, just configure it.

    Regards,

    Cristian.
