telnet auth proxy
04-12-2007 11:01 AM - edited 03-10-2019 03:05 PM
Hi, I was trying to configure auth proxy on my router with ACS using TACACS+, but somewhere the authentication was failing.
I had configured ACS as required and I don't find any problem with it, as it is successfully working with HTTP auth proxy.
The router configuration for telnet auth is:
aaa new-model
aaa authentication login default group aaa_serv group radius
aaa authorization auth-proxy default group aaa_serv
ip auth-proxy name telnet_auth telnet
tacacs-server host 10.1.1.3 key xxxx
aaa group server tacacs+ aaa_serv
 server 10.1.1.3
interface fastethernet 0/0
 ip auth-proxy telnet_auth
04-19-2007 05:35 AM
The authentication proxy feature allows users to log in to a network or access the Internet via HTTP, with their specific access profiles automatically retrieved and applied from a TACACS+ or RADIUS server. The user profiles are active only when there is active traffic from the authenticated users.
04-19-2007 06:50 AM
Dear Bro, I think that we can do auth proxy with telnet also. I can do successful authentication with HTTP auth proxy, but not with telnet.
05-31-2007 03:08 AM
Hello
I have had the same problem with IOS 12.3(19). FTP and Telnet never worked.
regards
Herbert
06-01-2007 04:46 PM
Hi,
Let me give it a try.
I just did a test a few days ago. I have all the setup intact. It won't hurt to add Telnet and FTP. Will give it a try, but only on Monday; on weekends no work =D
Regards,
Prem
06-03-2007 09:34 PM
Hi,
Most probably I'll try this today. In the meantime, do look into this:
Firewall Authentication Proxy for FTP and Telnet Sessions:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123_1/ftp_tel.htm
"Authentication proxy is subjected only to the traffic that passes through the router; traffic that is destined for the router continues to be authenticated by the existing authentication methods that are provided by Cisco IOS."
Regards,
Prem
06-05-2007 03:13 PM
So finally, here it is.
When you configure New Services on ACS, from Interface Configuration > TACACS+, specify "auth-proxy" for Service and "ip" for Protocol.
It is one step more than HTTP auth proxy, where we only need to specify "auth-proxy" for Service.
If you do not do that and try to do telnet auth proxy, you'll get the following error in Failed Attempts:
Author-Failure-Code : Service denied
Author-Data : service=auth-proxy protocol=ip
Here's what happens when it's successful:
------------------
Firewall authentication
Username:test
Password:
Firewall authentication Success.
Connection will be closed if remote server does not respond
Connecting to remote server...
User Access Verification
Username: admin
Password:
Switch>
------------------
So summarizing IT WORKS!!
Regards,
Prem
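Added example (not part of Prem's post and not Cisco tooling): a small Python triage script that scans Failed Attempts records in the "Key : Value" form quoted above and points to the missing ACS service definition. The sample records are constructed; the User-Name field and the blank-line record separator are assumptions, and the hint for a denial without protocol=ip is inferred from the thread's statement that HTTP needs only the Service.

```python
import re

# Constructed sample. Only Author-Failure-Code and Author-Data appear in the
# thread; User-Name is an assumed field used to tell the records apart.
SAMPLE = """\
User-Name : test
Author-Failure-Code : Service denied
Author-Data : service=auth-proxy protocol=ip

User-Name : alice
Author-Failure-Code : Service denied
Author-Data : service=shell cmd=show

User-Name : bob
Author-Failure-Code : Service denied
Author-Data : service=auth-proxy
"""

def parse_records(text):
    """Split blank-line separated records into dicts of field -> value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def diagnose(record):
    """Return a hint for auth-proxy authorization denials, else None."""
    if record.get("Author-Failure-Code", "").lower() != "service denied":
        return None
    # Author-Data is a space-separated list of attribute=value pairs.
    av = dict(p.split("=", 1) for p in record.get("Author-Data", "").split() if "=" in p)
    if av.get("service") != "auth-proxy":
        return None  # some other service was denied; out of scope here
    if av.get("protocol") == "ip":
        return "Telnet/FTP auth proxy: add Service 'auth-proxy' with Protocol 'ip' on ACS"
    return "auth-proxy denied without protocol=ip: add Service 'auth-proxy' on ACS"

def findings(text):
    """List (user, hint) for every record that diagnose() flags."""
    pairs = ((r.get("User-Name", "?"), diagnose(r)) for r in parse_records(text))
    return [(user, hint) for user, hint in pairs if hint]
```

Calling findings(SAMPLE) flags the "test" and "bob" records and skips the unrelated shell denial.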
06-05-2007 11:59 PM
Hi Prem, thanks a ton, man, for finding out the solution.
06-06-2007 12:51 AM
Hi Prem
Could you please provide the following information:
- Is the protocol "ip" necessary with service auth-proxy on ACS?
- Which IOS on what platform have you tested?
regards,
Herbert
06-06-2007 02:58 AM
ip is necessary only when we want to use FTP or telnet; for HTTP we don't need it.
06-06-2007 04:10 AM
Hi Herbert,
Diptanshu is correct, we need it if we are using FTP or Telnet, not HTTP, as I have mentioned earlier. I guess I tested it on 12.4(x) IOS. Have to look into it. Will let you know.
Please mark this thread as solved, so that others can benefit from it.
Let me know if you have more questions.
Thanks,
Prem
