It could just be that in version 12.2.15(T) it is finally fully implemented. 12.1.5T(9) is just an earlier version. I ran into this last night while working on blocking Nimda and Code Red. The feature required to do the blocking was released in 12.1E (not exactly sure which version, I can't find my notes). I couldn't find the feature anywhere in the documentation for 12.1, but as soon as I looked in 12.2, it was there. Hope that helps.
Cheers,
Joe

----- Original Message -----
From: "d tran"
To: ;
Sent: Sunday, July 06, 2003 10:18 AM
Subject: IOS AUTH-PROXY problem

> All,
> Below is the configuration I have with AUTH-PROXY. I don't understand why
> the configuration works with IOS version 12.2.15(T) but doesn't work with IOS version
> 12.1.5T(9). With version 12.1.5T(9), I am not getting an "authentication failed". Instead
> I am getting "bad request".
>
> Any ideas?
>
> C2610#sh run
> Building configuration...
> Current configuration : 4248 bytes
> !
> version 12.1
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname C2610
> !
> logging buffered 8192 notifications
> logging rate-limit 10000
> no logging console
> aaa new-model
> aaa authentication login default group tacacs+ local
> aaa authentication login NONE none
> aaa authentication login TACACS group tacacs+ local enable
> aaa authentication login LOCAL local enable
> aaa authorization auth-proxy default group tacacs+
> enable secret 5 $1$Bj2H$ad4Dn5rkgKvwPZzJDKAgZ1
> !
> memory-size iomem 10
> ip subnet-zero
> no ip source-route
> !
> !
> no ip finger
> ip tcp intercept list 100
> ip tcp intercept connection-timeout 3600
> ip tcp intercept watch-timeout 5
> ip tcp intercept max-incomplete low 300
> ip tcp intercept max-incomplete high 1000
> ip tcp intercept one-minute low 100
> ip tcp intercept one-minute high 500
> ip domain-name micronetsolution.com
> ip host tac 2065 10.10.10.10
> ip name-server 172.17.1.2
> ip name-server 129.174.1.8
> ip dhcp excluded-address 10.100.0.71
> ip dhcp excluded-address 10.100.0.72
> ip dhcp excluded-address 10.100.0.254
> ip dhcp ping packets 5
> !
> ip dhcp pool DHCP
>    network 10.100.0.0 255.255.255.0
>    netbios-name-server 172.17.1.2 129.174.1.8
>    dns-server 172.17.1.2 129.174.1.8
>    default-router 10.100.0.254
>    domain-name micronetsolution.com
>    lease 3
> !
> ip inspect audit-trail
> ip inspect dns-timeout 15
> ip inspect name CBAC tcp timeout 3600
> ip inspect name CBAC udp timeout 3600
> ip auth-proxy auth-proxy-banner
> ip auth-proxy auth-proxy-audit
> ip auth-proxy auth-cache-time 1
> ip auth-proxy name AUTH-PROXY http
> ip audit info action alarm drop reset
> ip audit attack action alarm drop reset
> ip audit notify log
> ip audit po max-events 100
> ip audit name ATTACK attack action alarm drop reset
> ip audit name INFO info action alarm
> !
> !
> call rsvp-sync
> cns event-service server
> !
> !
> !
> !
> !
> !
> !
> !
> !
> interface Loopback0
>  ip address 10.10.10.10 255.255.255.255
> !
> interface Ethernet0/0
>  ip address 172.18.1.1 255.255.0.0
>  ip nat outside
>  half-duplex
> !
> interface FastEthernet1/0
>  ip address 10.100.0.254 255.255.255.0
>  ip nat inside
>  ip auth-proxy AUTH-PROXY
>  speed 100
>  full-duplex
> !
> ip kerberos source-interface any
> ip nat pool natpool 172.18.1.1 172.18.1.1 netmask 255.255.0.0
> ip nat inside source list 130 interface Ethernet0/0 overload
> ip nat inside source static 10.100.0.71 172.18.0.71
> ip classless
> ip route 0.0.0.0 0.0.0.0 172.18.1.254
> ip http server
> ip http authentication aaa
> !
> !
> ip access-list extended NAMEDACL
>  permit tcp any any
>  permit udp any any
>  permit ip any any
> ip access-list extended in2out
>  permit udp 10.100.0.0 0.0.0.255 any eq domain reflect traffic
>  permit tcp 10.100.0.0 0.0.0.255 any eq www reflect traffic
>  permit tcp 10.100.0.0 0.0.0.255 any eq telnet reflect traffic
>  deny ip any any
> ip access-list extended out2in
>  permit icmp any any
>  evaluate traffic
>  deny ip any any
> logging trap notifications
> logging facility local5
> logging source-interface Ethernet0/0
> logging 172.17.1.2
> access-list 100 permit tcp any host 10.100.0.71 eq www
> access-list 100 permit tcp any host 10.100.0.71 eq 443
> access-list 100 permit tcp any host 10.100.0.71 eq 22
> access-list 100 permit tcp any host 10.100.0.71 eq telnet
> access-list 100 permit tcp any host 10.100.0.71 eq ftp
> access-list 100 permit tcp any host 10.100.0.71 eq ftp-data
> access-list 110 permit tcp 10.100.0.0 0.0.0.255 host 10.100.0.254 eq telnet
> access-list 110 dynamic lock-and-key permit ip 10.100.0.0 0.0.0.255 any
> access-list 110 deny ip any any
> access-list 120 permit udp 10.100.0.0 0.0.0.255 any eq domain
> access-list 120 permit tcp 10.100.0.0 0.0.0.255 host 10.100.0.254 eq www
> access-list 120 deny ip any any
> access-list 130 permit ip 10.100.0.0 0.0.0.255 any
> access-list 140 permit ip host 172.18.1.2 host 172.18.1.1
> access-list 140 permit icmp any 10.100.0.0 0.0.0.255
> access-list 140 permit icmp any host 172.18.0.71
> access-list 140 deny ip any any
> !
> tacacs-server host 172.18.1.2
> tacacs-server attempts 2
> !
> dial-peer cor custom
> !
> !
> !
> !
> !
> line con 0
>  exec-timeout 0 0
>  logging synchronous
>  login authentication NONE
>  transport input none
> line aux 0
>  login authentication NONE
>  transport input all
> line vty 0 4
>  login authentication LOCAL
> !
> ntp clock-period 17208324
> end
> C2610#
>
>
> ---------------------------------
> Do you Yahoo!?
> The New Yahoo! Search - Faster. Easier. Bingo.
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=71956&t=71956
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
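A "bad request" from auth-proxy is easier to chase down once you have confirmed that every piece the feature depends on is actually in the running-config, since the HTTP interception, the AAA login method list, the auth-proxy authorization method list and the interface binding all have to line up. The following script is an added example, not part of the thread above and not Cisco's own tooling: it parses a running-config the way IOS prints one (an interface block runs from `interface <name>` to the next `!` line, so it also copes with configs whose indentation was flattened in e-mail) and reports any missing prerequisite. The sample input is the auth-proxy-relevant subset of the config quoted above; the prerequisite list is the standard auth-proxy dependency set, and the wording of the findings and the helper names (`parse_config`, `audit_auth_proxy`, `ios_version`) are this script's own.

```python
"""Audit a Cisco IOS running-config for a complete HTTP auth-proxy setup.

Added example (not from the thread above). It checks the pieces auth-proxy
depends on: AAA enabled, a login method list, an auth-proxy authorization
method list, 'ip http server' plus 'ip http authentication aaa', a
TACACS+/RADIUS server, and a named rule that is actually applied to an
interface. The finding texts are this script's own choice.
"""
import re

# Constructed sample: the auth-proxy-relevant subset of the config quoted
# in the thread, with IOS's usual one-space indentation restored.
SAMPLE_CONFIG = """\
version 12.1
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization auth-proxy default group tacacs+
ip auth-proxy auth-cache-time 1
ip auth-proxy name AUTH-PROXY http
!
interface FastEthernet1/0
 ip address 10.100.0.254 255.255.255.0
 ip nat inside
 ip auth-proxy AUTH-PROXY
 speed 100
!
ip http server
ip http authentication aaa
tacacs-server host 172.18.1.2
"""


def parse_config(text):
    """Split a running-config into global commands and per-interface blocks.

    An interface block runs from 'interface <name>' to the next '!' line,
    so the parser works even when indentation was lost in e-mail.
    """
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None          # '!' terminates the current block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
            continue
        if current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def ios_version(text):
    """Return the 'version X' string recorded at the top of the config."""
    m = re.search(r"^version (\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def audit_auth_proxy(text):
    """Return a list of findings; an empty list means all prerequisites are present."""
    global_cmds, interfaces = parse_config(text)
    findings = []

    def has(prefix):
        return any(cmd.startswith(prefix) for cmd in global_cmds)

    # Named rules: 'ip auth-proxy name <rule> http'
    rules = {cmd.split()[3] for cmd in global_cmds
             if cmd.startswith("ip auth-proxy name ")}
    if not rules:
        findings.append("no 'ip auth-proxy name <rule> http' defined")
    if not has("aaa new-model"):
        findings.append("'aaa new-model' missing: auth-proxy requires AAA")
    if not has("aaa authentication login "):
        findings.append("no 'aaa authentication login' method list")
    if not has("aaa authorization auth-proxy "):
        findings.append("'aaa authorization auth-proxy' missing: per-user ACL cannot be fetched")
    if not has("ip http server"):
        findings.append("'ip http server' missing: HTTP auth-proxy cannot intercept")
    if not has("ip http authentication aaa"):
        findings.append("'ip http authentication aaa' missing: login page would not use AAA")
    if not (has("tacacs-server host ") or has("radius-server host ")):
        findings.append("no TACACS+/RADIUS server for the AAA method lists")

    # The rule must be bound to at least one interface, and the name must match.
    applied = False
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = re.fullmatch(r"ip auth-proxy (\S+)", cmd)
            if m:
                applied = True
                if m.group(1) not in rules:
                    findings.append(f"{name}: applies undefined rule '{m.group(1)}'")
    if not applied:
        findings.append("no interface has 'ip auth-proxy <rule>' applied")
    return findings


if __name__ == "__main__":
    print("IOS version:", ios_version(SAMPLE_CONFIG))
    for f in audit_auth_proxy(SAMPLE_CONFIG) or ["OK: all auth-proxy prerequisites present"]:
        print(f)
```

Run against the quoted config, the audit reports nothing missing, which is consistent with the thread's conclusion that the problem lies in the IOS release rather than the configuration; the `version 12.1` line the script extracts is the quickest thing to compare against the 12.2.15(T) image the same config works on. Pipe in a `show running-config` capture instead of `SAMPLE_CONFIG` to check a real box.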