Hello,

The 12.4T auth-proxy configuration chapter states that auth-proxy can be triggered 
by http, https, ftp or telnet. The ftp server is not available on the router so 
I cannot try it.


The first question would be whether auth-proxy with telnet is still supported. 
According to some Internet posts only http or https can be used. As far as I 
know http was the original trigger and support for ftp and telnet was added 
later. 

The second question is valid only if the telnet configuration is still 
supported.
I have been trying to set up auth-proxy on the router with telnet without 
success. On the same topology auth-proxy with http is successful. With telnet 
the authentication succeeds but the authorization fails. Is there any 
difference in the configuration of auth-proxy with telnet on the AAA?
On the router there is only one line difference.
for http: ip auth-proxy name AUTH http inactivity-time 60
for ftp: ip auth-proxy name AUTH telnet inactivity-time 60


I have posted the configuration part related to auth-proxy and the debug logs 
for both the telnet and http triggers. I am trying to connect to the same device past 
the router, and with http I can access it.


Regards,
Dan.

===AAA configuration on the router=============

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa session-id common

ip auth-proxy name AUTH http inactivity-time 60
ip auth-proxy name AUTH telnet inactivity-time 60

access-list 102 permit ip host 192.168.101.5 host 192.168.101.15
access-list 102 deny   ip any any

interface FastEthernet0/1
 ip address 192.168.102.2 255.255.255.0
 ip access-group 102 in
 ip auth-proxy AUTH


======debug settings on the router=============
c2651#sh debug
General OS:
  TACACS access control debugging is on
  TACACS+ authorization debugging is on
  TACACS+ packets debugging is on
  AAA Authentication debugging is on



======= begin AUTH-Proxy with http trigger========================

c2651#
2d21h: AAA: parse name=FastEthernet0/1 idb type=-1 tty=-1
2d21h: AAA: name=FastEthernet0/1 flags=0x15 type=14 shelf=0 slot=0 adapter=0 port=1 channel=0
2d21h: AAA: parse name=<no string> idb type=-1 tty=-1
2d21h: AAA/MEMORY: create_user (0x83E0F9C8) user='NULL' ruser='NULL' ds0=0 port='FastEthernet0/1' rem_addr='192.168.102.9' authen_type=ASCII service=LOGIN priv=0 initial_task_id='0', vrf= (id=0)
2d21h: AAA/AUTHEN/START (2649890482): port='FastEthernet0/1' list='default' action=LOGIN service=LOGIN
2d21h: AAA/AUTHEN/START (2649890482): found list default
2d21h: AAA/AUTHEN/START (2649890482): Method=tacacs+ (tacacs+)
2d21h: TAC+: send AUTHEN/START packet ver=192 id=-1645076814
2d21h: TAC+: Using default tacacs server-group "tacacs+" list.
2d21h: TAC+: Opening TCP/IP to 192.168.101.15/49 timeout=5
2d21h: TAC+: Opened TCP/IP handle 0x8837DE4C to 192.168.101.15/49
2d21h: TAC+: 192.168.101.15 (2649890482) AUTHEN/START/LOGIN/ASCII queued
2d21h: TAC+: (2649890482) AUTHEN/START/LOGIN/ASCII processed
2d21h: TAC+: ver=192 id=-1645076814 received AUTHEN status = GETUSER
2d21h: AAA/AUTHEN(2649890482): Status=GETUSER
2d21h: AAA/AUTHEN/CONT (2649890482): continue_login (user='(undef)')
2d21h: AAA/AUTHEN(2649890482): Status=GETUSER
2d21h: AAA/AUTHEN(2649890482): Method=tacacs+ (tacacs+)
2d21h: TAC+: send AUTHEN/CONT packet id=-1645076814
2d21h: TAC+: 192.168.101.15 (2649890482) AUTHEN/CONT queued
2d21h: TAC+: (2649890482) AUTHEN/CONT processed
2d21h: TAC+: ver=192 id=-1645076814 received AUTHEN status = GETPASS
2d21h: AAA/AUTHEN(2649890482): Status=GETPASS
2d21h: AAA/AUTHEN/CONT (2649890482): continue_login (user='ciscouser')
2d21h: AAA/AUTHEN(2649890482): Status=GETPASS
2d21h: AAA/AUTHEN(2649890482): Method=tacacs+ (tacacs+)
2d21h: TAC+: send AUTHEN/CONT packet id=-1645076814
2d21h: TAC+: 192.168.101.15 (2649890482) AUTHEN/CONT queued
2d21h: TAC+: (2649890482) AUTHEN/CONT processed
2d21h: TAC+: ver=192 id=-1645076814 received AUTHEN status = PASS
2d21h: AAA/AUTHEN(2649890482): Status=PASS
2d21h: TAC+: Closing TCP/IP 0x8837DE4C connection to 192.168.101.15/49
2d21h: TAC+: using previously set server 192.168.101.15 from group tacacs+
2d21h: TAC+: Opening TCP/IP to 192.168.101.15/49 timeout=5
2d21h: TAC+: Opened TCP/IP handle 0x889DD91C to 192.168.101.15/49
2d21h: TAC+: Opened 192.168.101.15 index=1
2d21h: TAC+: 192.168.101.15 (699610274) AUTHOR/START queued
2d21h: TAC+: (699610274) AUTHOR/START processed
2d21h: TAC+: (699610274): received author response status = PASS_ADD
2d21h: TAC+: Closing TCP/IP 0x889DD91C connection to 192.168.101.15/49
2d21h: TAC+: Received Attribute "priv-lvl=15"
2d21h: TAC+: Received Attribute "proxyacl#1=permit icmp any any"
2d21h: TAC+: Received Attribute "proxyacl#2=permit tcp any any"
2d21h: TAC+: Received Attribute "proxyacl#3=permit udp any any"


======= end AUTH-Proxy with http trigger========================



======= begin AUTH-Proxy with telnet trigger========================

c2651#
2d21h: AAA/MEMORY: free_user (0x83E0F9C8) user='ciscouser' ruser='NULL' port='FastEthernet0/1' rem_addr='192.168.102.9' authen_type=ASCII service=LOGIN priv=0 vrf= (id=0)
2d21h: AAA/BIND(00000013): Bind i/f
2d21h: AAA/AUTHEN/LOGIN (00000013): Pick method list 'default'
2d21h: TPLUS: Queuing AAA Authentication request 19 for processing
2d21h: TPLUS: processing authentication start request id 19
2d21h: TPLUS: Authentication start packet created for 19(ciscouser)
2d21h: TPLUS: Using server 192.168.101.15
2d21h: TPLUS(00000013)/0/NB_WAIT/83D2F6B8: Started 5 sec timeout
2d21h: TPLUS(00000013)/0/NB_WAIT: socket event 2
2d21h: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
2d21h: T+: session_id 2855499620 (0xAA337764), dlen 17 (0x11)
2d21h: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
2d21h: T+: svc:LOGIN user_len:9 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
2d21h: T+: user:  ciscouser
2d21h: T+: port:
2d21h: T+: rem_addr:
2d21h: T+: data:
2d21h: T+: End Packet
2d21h: TPLUS(00000013)/0/NB_WAIT: wrote entire 29 bytes request
2d21h: TPLUS(00000013)/0/READ: socket event 1
2d21h: TPLUS(00000013)/0/READ: Would block while reading
2d21h: TPLUS(00000013)/0/READ: socket event 1
2d21h: TPLUS(00000013)/0/READ: read entire 12 header bytes (expect 16 bytes data)
2d21h: TPLUS(00000013)/0/READ: socket event 1
2d21h: TPLUS(00000013)/0/READ: read entire 28 bytes response
2d21h: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
2d21h: T+: session_id 2855499620 (0xAA337764), dlen 16 (0x10)
2d21h: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
2d21h: T+: msg:  Password:
2d21h: T+: data:
2d21h: T+: End Packet
2d21h: TPLUS(00000013)/0/83D2F6B8: Processing the reply packet
2d21h: TPLUS: Received authen response status GET_PASSWORD (8)
2d21h: TPLUS: Queuing AAA Authentication request 19 for processing
2d21h: TPLUS: processing authentication continue request id 19
2d21h: TPLUS: Authentication continue packet generated for 19
2d21h: TPLUS(00000013)/0/WRITE/83D2F6B8: Started 5 sec timeout
2d21h: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
2d21h: T+: session_id 2855499620 (0xAA337764), dlen 10 (0xA)
2d21h: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
2d21h: T+: User msg: <elided>
2d21h: T+: User data:
2d21h: T+: End Packet
2d21h: TPLUS(00000013)/0/WRITE: wrote entire 22 bytes request
2d21h: TPLUS(00000013)/0/READ: socket event 1
2d21h: TPLUS(00000013)/0/READ: read entire 12 header bytes (expect 6 bytes data)
2d21h: TPLUS(00000013)/0/READ: socket event 1
2d21h: TPLUS(00000013)/0/READ: read entire 18 bytes response
2d21h: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
2d21h: T+: session_id 2855499620 (0xAA337764), dlen 6 (0x6)
2d21h: T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0
2d21h: T+: msg:
2d21h: T+: data:
2d21h: T+: End Packet
2d21h: TPLUS(00000013)/0/83D2F6B8: Processing the reply packet
2d21h: TPLUS: Received authen response status PASS (2)
2d21h: TPLUS: Queuing AAA Authorization request 19 for processing
2d21h: TPLUS: processing authorization request id 19
2d21h: TPLUS: Sending AV service=auth-proxy
2d21h: TPLUS: Sending AV protocol=ip
2d21h: TPLUS: Authorization request created for 19(ciscouser)
2d21h: TPLUS: using previously set server 192.168.101.15 from group tacacs+
2d21h: TPLUS(00000013)/0/NB_WAIT/83D2F6B8: Started 5 sec timeout
2d21h: TPLUS(00000013)/0/NB_WAIT: socket event 2
2d21h: T+: Version 192 (0xC0), type 2, seq 1, encryption 1
2d21h: T+: session_id 810162713 (0x304A1A19), dlen 48 (0x30)
2d21h: T+: AUTHOR, priv_lvl:15, authen:1 method:tacacs+
2d21h: T+: svc:1 user_len:9 port_len:0 rem_addr_len:0 arg_cnt:2
2d21h: T+: user:  ciscouser
2d21h: T+: port:
2d21h: T+: rem_addr:
2d21h: T+: arg[0]: size:18 service=auth-proxy
2d21h: T+: arg[1]: size:11 protocol=ip
2d21h: T+: End Packet
2d21h: TPLUS(00000013)/0/NB_WAIT: wrote entire 60 bytes request
2d21h: TPLUS(00000013)/0/READ: socket event 1
2d21h: TPLUS(00000013)/0/READ: Would block while reading
2d21h: TPLUS(00000013)/0/READ: socket event 1
2d21h: TPLUS(00000013)/0/READ: read entire 12 header bytes (expect 6 bytes data)
2d21h: TPLUS(00000013)/0/READ: socket event 1
2d21h: TPLUS(00000013)/0/READ: read entire 18 bytes response
2d21h: T+: Version 192 (0xC0), type 2, seq 2, encryption 1
2d21h: T+: session_id 810162713 (0x304A1A19), dlen 6 (0x6)
2d21h: T+: AUTHOR/REPLY status:16 msg_len:0, data_len:0 arg_cnt:0
2d21h: T+: msg:
2d21h: T+: data:
2d21h: T+: End Packet
2d21h: TPLUS(00000013)/0/83D2F6B8: Processing the reply packet
2d21h: TPLUS: received authorization response for 19: FAIL
======= End AUTH-Proxy with telnet trigger========================
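Added example, not part of Dan's post or the IOS debug itself: a small Python triage helper that groups the "T+:" packet dump lines by TACACS+ session_id and decodes the raw status numbers with the RFC 8907 code tables, so the authentication PASS (status:1) and the authorization FAIL (status:16) in the telnet trace can be read side by side with the AV pairs the router actually sent (service=auth-proxy, protocol=ip). The sample input is a constructed excerpt of the telnet-trigger debug above.

```python
import re

# Status codes from RFC 8907 (TACACS+); the "T+:" debug prints them as raw numbers.
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}
AUTHOR_STATUS = {1: "PASS_ADD", 2: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}

TYPE_RE = re.compile(r"T\+: Version \d+ \(0x[0-9A-Fa-f]+\), type (\d+), seq")
SESSION_RE = re.compile(r"T\+: session_id (\d+)")
ARG_RE = re.compile(r"T\+: arg\[\d+\]: size:\d+ (\S+)")
REPLY_RE = re.compile(r"T\+: (AUTHEN|AUTHOR)/REPLY status:(\d+)")

def summarize_sessions(lines):
    """Group "T+:" packet dumps by session_id: packet type (1 = authentication,
    2 = authorization), AV pairs the router sent, and each reply status by name."""
    sessions, current, packet_type = {}, None, None
    for line in lines:
        if m := TYPE_RE.search(line):          # header line of a new packet
            packet_type = int(m.group(1))
        elif m := SESSION_RE.search(line):     # ties the packet to a session
            current = sessions.setdefault(
                m.group(1), {"type": packet_type, "args": [], "replies": []})
        elif current and (m := ARG_RE.search(line)):
            current["args"].append(m.group(1))
        elif current and (m := REPLY_RE.search(line)):
            table = AUTHEN_STATUS if m.group(1) == "AUTHEN" else AUTHOR_STATUS
            current["replies"].append(table.get(int(m.group(2)), "UNKNOWN"))
    return sessions

def authorization_outcome(sessions):
    """(final status name, AV pairs sent) of the authorization session, else None."""
    for s in sessions.values():
        if s["type"] == 2 and s["replies"]:
            return s["replies"][-1], s["args"]
    return None

# Constructed sample: an excerpt of the telnet-trigger debug lines from the post.
SAMPLE = """\
2d21h: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
2d21h: T+: session_id 2855499620 (0xAA337764), dlen 6 (0x6)
2d21h: T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0
2d21h: T+: Version 192 (0xC0), type 2, seq 1, encryption 1
2d21h: T+: session_id 810162713 (0x304A1A19), dlen 48 (0x30)
2d21h: T+: arg[0]: size:18 service=auth-proxy
2d21h: T+: arg[1]: size:11 protocol=ip
2d21h: T+: Version 192 (0xC0), type 2, seq 2, encryption 1
2d21h: T+: session_id 810162713 (0x304A1A19), dlen 6 (0x6)
2d21h: T+: AUTHOR/REPLY status:16 msg_len:0, data_len:0 arg_cnt:0
""".splitlines()
```

Running `authorization_outcome(summarize_sessions(SAMPLE))` on the excerpt gives `("FAIL", ["service=auth-proxy", "protocol=ip"])`, which is the pair to compare against what the TACACS+ server's auth-proxy service definition expects for this user.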



      
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Reply via email to