10-03-2005 02:37 PM - edited 03-10-2019 02:19 PM
I have set up auth-proxy on a 2651 router that contacts the Cisco ACS using TACACS+. On the Cisco ACS I am currently using the CiscoSecure database. I have a Cisco 1130AG wireless AP that provides wireless access to our users. The 2651 is also acting as a DHCP and NAT server for the wireless users. My issue is that when the user is given the auth-proxy login screen, types in his/her login information and clicks OK, I get a popup, and inside that popup I always receive the error message "HTTP 500 - Internal Server Error Page cannot be displayed".
When I debug TACACS and auth-proxy on the 2651, I get nothing coming up on the screen. I have verified that TACACS packets are moving from the 2651 to the Cisco ACS server but not back. Does this error ring a bell for anyone? Below is the config from my 2651:
CC2T-2651-02#show run
Building configuration...
Current configuration : 2460 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CC2T-2651-02
!
aaa new-model
aaa group server tacacs+ TRENT_WL
server ###.###.###.###
!
aaa authentication login con local
aaa authentication login telnet local
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
enable secret xxx
!
username admin password 0 ######
ip subnet-zero
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.25
!
ip dhcp pool trent_pool
network 192.168.1.0 255.255.255.0
domain-name trentu.ca
dns-server ###.###.###.###
default-router 192.168.1.1
!
ip auth-proxy auth-proxy-banner ^C Welcome <p>Please login: ^C
ip auth-proxy auth-cache-time 3
ip auth-proxy name PROXY_LIST http list 10
ip audit notify log
ip audit po max-events 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description outside access
ip address ###.###.###.### 255.255.255.252
ip access-group 101 out
ip nat outside
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
description inside wireless LAN
ip address 192.168.1.1 255.255.255.0
ip access-group 102 in
ip access-group 102 out
ip nat inside
ip auth-proxy PROXY_LIST
no ip mroute-cache
duplex auto
speed auto
no mop enabled
!
ip nat pool trent_nat ###.###.###.### ###.###.###.### prefix-length 24
ip nat inside source list 1 pool trent_nat overload
ip classless
ip route 0.0.0.0 0.0.0.0 ###.###.###.###
ip http server
ip http access-class 11
ip http authentication aaa
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit any
access-list 11 deny any
access-list 100 permit tcp ###.###.###.### 0.0.0.255 any eq telnet
access-list 100 permit tcp host ###.###.###.### any eq telnet log
access-list 100 permit tcp host ###.###.###.### eq tacacs any
access-list 100 deny ip any any log
access-list 101 permit tcp any any eq tacacs log
access-list 101 permit ip any any
access-list 102 permit ip any host 192.168.1.34 log
access-list 102 permit ip any any log
!
snmp-server community ##### RO
snmp-server enable traps tty
tacacs-server host ###.###.###.###
tacacs-server directed-request
tacacs-server key ####
!
dial-peer cor custom
!
!
!
!
!
line con 0
login authentication con
line aux 0
line vty 0 4
access-class 100 in
password ##########
login authentication telnet
!
end
Thank you,
10-04-2005 11:18 AM
Found the solution: the Cisco ACS was blocking access to it. So, a note to anyone else: if you receive a popup with an "Internal HTTP Error" message during auth-proxy, check that the router/firewall can connect to the RADIUS/TACACS server.