topic Re: Auth-Proxy ACL issue in Network Access Control

Auth-Proxy ACL issue

mariocabrejo — Sun, 10 Mar 2019 21:08:50 GMT

Hi, Please need help on this, the following is my scenario:

R3 is doing auth-proxy and R1 is running http server. Once I browse from PC to R1, get the auth-proxy prompt and get successfully authenticated by tacacs+ and shows established when do "sh ip auth-proxy cache". Now the problem is that it does not apply these ACL's from ACS(proxyacl's), because I still not allowed by my Access-list 100 that is applied on R3 e0 interface. Why is this ACL100 not being allowed by the Downloaded proxy acl's?, Is there anyway to see the dowloaded ACL's from Tacacs?

R1-e0.........e1-R3-e0 (auth-proxy/ACL100)...........Pix...........PC

priv-lvl=15

proxyacl#1=permit tcp any any

proxyacl#2=permit udp any any

proxyacl#3=permit icmp any any

R3#sh ip auth-proxy ca

Authentication Proxy Cache

Client IP 20.20.20.5(Natted PC) Port 1303, timeout 60, state HTTP_ESTAB

Mar 1 03:12:53.843: TAC+: Opened TCP/IP handle 0x82BD2ED0 to 20.20.20.125/49

*Mar 1 03:12:53.847: TAC+: Opened 20.20.20.125 index=1

*Mar 1 03:12:53.847: TAC+: 20.20.20.125 (842237140) AUTHOR/START queued

*Mar 1 03:12:54.048: TAC+: (842237140) AUTHOR/START processed

*Mar 1 03:12:54.048: TAC+: (842237140): received author response status = PASS_ADD

*Mar 1 03:12:54.048: TAC+: Closing TCP/IP 0x82BD2ED0 connection to 20.20.20.125/49

*Mar 1 03:12:54.052: TAC+: Received Attribute "priv-lvl=15"

*Mar 1 03:12:54.052: TAC+: Received Attribute "proxy-acl#1=permit tcp any any"

*Mar 1 03:12:54.052: TAC+: Received Attribute "proxy-acl#2=permit udp any any"

*Mar 1 03:12:54.052: TAC+: Received Attribute "proxy-acl#3=permit icmp any any"

*Mar 1 03:12:54.052: AAA/AUTHOR (842237140): Post authorization status = PASS_ADD

*Mar 1 03:12:59.392: %SEC-6-IPACCESSLOGP: list 100 denied tcp 20.20.20.5 (1304) -> R1-e0 IP (80), 1 packet

R3#

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login con none

aaa authorization exec default group tacacs+ local

aaa authorization exec con none

aaa authorization auth-proxy default group tacacs+

ip auth-proxy name lab http

interface e0

ip address 10.10.10.1 255.255.255.0

ip access-group 100 in

ip auth-proxy lab

access-list 100 permit tcp any host R1-e0 www

access-list 100 permit tcp host Nated_ACS eq tacacs host R3-e0

access-list 100 permit tcp any any eq bgp

access-list 100 permit tcp any eq bgp any

access-list 100 permit eigrp any any

access-list 100 permit icmp any any

access-list 100 deny ip any any

line con 0

exec-timeout 0 0

authorization exec con

logging synchronous

line aux 0

authorization exec con

logging synchronous

line vty 0 4

Re: Auth-Proxy ACL issue

gfullage — Mon, 09 May 2005 00:35:49 GMT

Does a "show access-list 100" after you've authenticated show the additional lines in the access-list? If yes, then I have no idea what's going on 🙂

If not, then the only thing I can think of is that you've created them on the ACS server incorrectly. How have you added those ACL lines into the user profile on the ACS server (are you even using ACS)?

The way it's supposed to be done is as follows:

Under Interface Config - TACACS, tick the New Service box for user and/or group, and enter "auth-proxy" in as the service name. Now go under the Group (or User), under the TACACS settings you'll see an extra section there now called auth-proxy. Check this and check the Custom Attributes box for it also, and in the Custom Attributes box enter in the priv-lvl and proxyacl lines as you've shown above.

Unless those attributes are entered in as a TACACS auth-proxy service they won't get assigned to the user correctly on the router.

Re: Auth-Proxy ACL issue

mariocabrejo — Wed, 11 May 2005 14:07:31 GMT

Hi,

The "show access-list 100"

do not show any downloaded acl from ACS. My configuration on ACS for the user is just like you described. I am running c2600-ik9o3s3-mz.122-15.T15.bin. Just tested on another system and same thing, unless i open up a whole on the acl for the remote system i try to access, the ACL 100 does not allow me in so definetely is not downloading the permits from ACS. In this other example i used the following acl:

access-list 100 permit tcp host 30.30.30.100 eq tacacs host 30.30.30.2

access-list 100 permit ospf any any

access-list 100 permit icmp any any

access-list 100 deny ip any any log

I browse from a pc in from the router doing auth-proxy to the router behind and after authenticating on the web prompt, my acl denies me in.

Is there anyway i can find if its a bug or something.

*Mar 1 01:41:08.727: %SEC-6-IPACCESSLOGP: list 100 denied tcp 30.30.30.254(1034) -> 90.90.90.9(80), 2 packets

*Mar 1 01:41:08.727: %SEC-6-IPACCESSLOGP: list 100 denied tcp 30.30.30.254(1035) -> 90.90.90.9(80), 2 packets

*Mar 1 01:43:08.816: %SEC-6-IPACCESSLOGP: list 100 denied tcp 30.30.30.254(1036) -> 90.90.90.9(80), 2 packets

Thanks

Re: Auth-Proxy ACL issue

mariocabrejo — Wed, 11 May 2005 14:15:09 GMT

FINALLY ITS WORKING!

Deleted the user and created another new user with same settings on ACS, I really do not know why but something was cached on that user profile that was messing up auth-proxy.

Thanks for your support