https://community.cisco.com/t5/network-access-control/help-with-auth-proxy/m-p/590895#M427396 <HTML><HEAD></HEAD><BODY><P>I had the same problem. You can try to change the custom attribute from</P><P> proxyacl#1="permit tcp any host 198.133.219.27" </P><P>to</P><P>proxyacl#1=permit ip any host 198.133.219.27</P><P>If that succeeds, you can begin finetuning the access--list until it does what it is supposed to do.</P><P>Hope it helps.</P><P></P><P>Eduardo </P></BODY></HTML> Sun, 23 Apr 2006 02:40:46 GMT e-alvarez 2006-04-23T02:40:46Z https://community.cisco.com/t5/network-access-control/help-with-auth-proxy/m-p/590894#M427393 <P>Hi,</P><P>I am trying to do Auth-Proxy with a Cisco router running 12.4(7) and Secure ACS Solution Engine 3.3.3.11.</P><P>The router is configured as</P><P>+++++++++++++++++++++</P><P>aaa group server tacacs+ aus-nac-group-tacacs</P><P> server-private 10.190.99.26 key xx</P><P> ip tacacs source-interface GigabitEthernet0/0.99</P><P>aaa authentication login default group aus-nac-group-tacacs</P><P>aaa authentication login telnet group tacacs+ local</P><P>aaa authentication eou default group aus-nac-group</P><P>aaa authorization exec default group aus-nac-group-tacacs </P><P>aaa authorization exec telnet group tacacs+ if-authenticated </P><P>aaa authorization commands 1 telnet group tacacs+ if-authenticated </P><P>aaa authorization commands 15 telnet group tacacs+ if-authenticated </P><P>aaa authorization auth-proxy default group aus-nac-group-tacacs </P><P>aaa accounting exec default stop-only group tacacs+</P><P>aaa accounting commands 15 default stop-only group tacacs+</P><P>aaa authorization auth-proxy default group aus-nac-group-tacacs </P><P>ip auth-proxy name test-auth telnet inactivity-time 5 list nac-test-trigger_acl</P><P>++++++++++++++++++++++++</P><P></P><P>On the secure ACS a new service is defined as "auth-proxy".</P><P>In the user-profile the auth-proxy box is checked and Custom-Attributes are defined as</P><P>+++++++++++++++++++++++++++</P><P>priv-lvl=15</P><P>proxyacl#1="permit tcp any host 198.133.219.27"</P><P>+++++++++++++++++++++++++++++</P><P></P><P>However when user initiates a connection, the user authentication succeeds but Authorization fails and the following message is shown on ACS</P><P>++++++++++++++</P><P>Service denied </P><P>service=auth-proxy protocol=ip </P><P>++++++++++++++</P><P></P><P>Any idea what could be going wrong here ?</P><P></P><P>Thanks,</P><P>Naman</P> Sun, 10 Mar 2019 21:33:10 GMT https://community.cisco.com/t5/network-access-control/help-with-auth-proxy/m-p/590894#M427393 mnlatif 2019-03-10T21:33:10Z https://community.cisco.com/t5/network-access-control/help-with-auth-proxy/m-p/590895#M427396 <HTML><HEAD></HEAD><BODY><P>I had the same problem. You can try to change the custom attribute from</P><P> proxyacl#1="permit tcp any host 198.133.219.27" </P><P>to</P><P>proxyacl#1=permit ip any host 198.133.219.27</P><P>If that succeeds, you can begin finetuning the access--list until it does what it is supposed to do.</P><P>Hope it helps.</P><P></P><P>Eduardo </P></BODY></HTML> Sun, 23 Apr 2006 02:40:46 GMT https://community.cisco.com/t5/network-access-control/help-with-auth-proxy/m-p/590895#M427396 e-alvarez 2006-04-23T02:40:46Z https://community.cisco.com/t5/network-access-control/help-with-auth-proxy/m-p/590896#M427398 <HTML><HEAD></HEAD><BODY><P>I will give it a shot. Though exactly the same ACL format works when i use RADIUS protocol instead of TACACS+..!</P><P></P><P>Regards,</P><P>Naman</P></BODY></HTML> Tue, 25 Apr 2006 12:22:58 GMT https://community.cisco.com/t5/network-access-control/help-with-auth-proxy/m-p/590896#M427398 mnlatif 2006-04-25T12:22:58Z