Stuck with an auth-proxy task

Hello

I am currently working on a task (INE CCIE Security WB 1 Task 2.9) where I am supposed to configure a RADIUS-based IOS auth-proxy. The task is this:

Configure Authentication Proxy settings on R3 per the following requirements.

  • Use the RADIUS server at 10.0.0.100 with the authentication key CISCO.
  • The authentication proxy should apply to user sessions initiated from VLAN23 towards VLAN13.
  • Authenticated users should be allowed to send ICMP packets and initiate TCP sessions.
  • Configure the ACS server with the user named PROXY and the password CISCO1234.

In ACS I have added R3 as an AAA client (Cisco IOS RADIUS). I have also added the user PROXY with the following Cisco AV pairs:


auth-proxy:priv-lvl=15
auth-proxy:proxyacl#1=permit icmp any any
auth-proxy:proxyacl#2=permit tcp any any

On R3 I have added the following config:


aaa new-model
aaa authentication login CON none
line con 0
 login authentication CON
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
!
ip http server
ip http authentication aaa
ip auth-proxy name AUTHPROXY http
!
ip access-list extended INBOUND
 permit udp any any eq rip
 permit tcp any host 136.1.23.3 eq www
 deny ip any any log
!
interface FastEthernet0/1.23
 ip access-group INBOUND in
 ip auth-proxy AUTHPROXY

This is what happens when I fire up a browser and browse via HTTP to the R3 interface:

(debug aaa authentication, aaa authorization, ip auth-proxy and radius are on)

Rack1R3#
*Jan 3 01:15:40.229: AUTH-PROXY:proto_flag=4, dstport_index=4
*Jan 3 01:15:40.229: SYN SEQ 984706124 LEN 0
*Jan 3 01:15:40.229: dst_addr 136.1.23.3 src_addr 136.1.23.123 dst_port 80 src_port 1103
*Jan 3 01:15:40.237: AUTH-PROXY:proto_flag=4, dstport_index=4
*Jan 3 01:15:40.237: ACK 4057202766 SEQ 984706125 LEN 0
*Jan 3 01:15:40.237: dst_addr 136.1.23.3 src_addr 136.1.23.123 dst_port 80 src_port 1103
*Jan 3 01:15:40.241: AUTH-PROXY:proto_flag=4, dstport_index=4
*Jan 3 01:15:40.241: PSH ACK 4057202766 SEQ 984706125 LEN 282
*Jan 3 01:15:40.241: dst_addr 136.1.23.3 src_addr 136.1.23.123 dst_port 80 src_port 1103
Rack1R3#
*Jan 3 01:15:40.245: Router interested packet returning src 136.1.23.123, dst 136.1.23.3
*Jan 3 01:15:40.257: AUTH-PROXY:proto_flag=4, dstport_index=4
*Jan 3 01:15:40.261: ACK 4057202967 SEQ 984706407 LEN 0
*Jan 3 01:15:40.261: dst_addr 136.1.23.3 src_addr 136.1.23.123 dst_port 80 src_port 1103
Rack1R3#
Rack1R3#! I fired up IE, entered the url and it is now showing a login prmpt "level_15 or view_access"
Rack1R3#
Rack1R3#! I enter the credentials PROXY/CISCO1234 and hit enter...
Rack1R3#
Rack1R3#
*Jan 3 01:16:52.743: AUTH-PROXY:proto_flag=4, dstport_index=4
*Jan 3 01:16:52.743: FIN ACK 4057202967 SEQ 984706407 LEN 0
*Jan 3 01:16:52.743: dst_addr 136.1.23.3 src_addr 136.1.23.123 dst_port 80 src_port 1103
*Jan 3 01:16:52.748: AUTH-PROXY:proto_flag=4, dstport_index=4
*Jan 3 01:16:52.748: SYN SEQ 1525595421 LEN 0
*Jan 3 01:16:52.748: dst_addr 136.1.23.3 src_addr 136.1.23.123 dst_port 80 src_port 1104
*Jan 3 01:16:52.756: AUTH-PROXY:proto_flag=4, dstport_index=4
*Jan 3 01:16:52.756: ACK 2275096303 SEQ 1525595422 LEN 0
*Jan 3 01:16:52.756: dst_addr 136.1.23.3 src_addr 136.1.23.123 dst_port 80 src_port 1104
*Jan 3 01:16:52.756: AUTH-PROXY:proto_flag=4, dstport_index=4
*Jan 3 01:16:52.760: PSH ACK 2275096303 SEQ 1525595422 LEN 325
*Jan 3 01:16:52.760: dst_addr 136.1.23.3 src_addr 136.1.23.123 dst_port 80 src_port 1104
*Jan 3 01:16:52.764: Router interested packet returning src 136.1.23.123, dst 136.1.23.3
*Jan 3 01:16:52.772: AAA/BIND(00000006): Bind i/f
*Jan 3 01:16:52.772: AAA/AUTHEN/LOGIN (00000006): Pick method list 'default'
*Jan 3 01:16:52.776: RADIUS/ENCODE(00000006):Orig. component type = HTTP
*Jan 3 01:16:52.776: RADIUS/ENCODE(00000006): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Jan 3 01:16:52.776: RADIUS(00000006): Config NAS IP: 0.0.0.0
*Jan 3 01:16:52.776: RADIUS/ENCODE(00000006): acct_session_id: 4
*Jan 3 01:16:52.776: RADIUS(00000006): sending
*Jan 3 01:16:52.776: RADIUS/ENCODE: Best Local IP-Address 10.0.0.3 for Radius-Server 10.0.0.100
*Jan 3 01:16:52.780: RADIUS(00000006): Send Access-Request to 10.0.0.100:1645 id 1645/4, len 71
*Jan 3 01:16:52.780: RADIUS: authenticator 63 22 AD D4 03 CA 91 6C - 71 F8 27 E9 70 12 2A 18
*Jan 3 01:16:52.780: RADIUS: User-Name [1] 7 "PROXY"
*Jan 3 01:16:52.784: RADIUS: User-Password [2] 18 *
*Jan 3 01:16:52.784: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
*Jan 3 01:16:52.784: RADIUS: Calling-Station-Id [31] 14 "136.1.23.123"
*Jan 3 01:16:52.784: RADIUS: NAS-IP-Address [4] 6 10.0.0.3
*Jan 3 01:16:52.796: RADIUS: Received from id 1645/4 10.0.0.100:1645, Access-Accept, len 181
*Jan 3 01:16:52.796: RADIUS: authenticator 4E 80 7B 47 1A 03 96 83 - BA 01 FE 83 9E A6 BB A6
*Jan 3 01:16:52.800: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Jan 3 01:16:52.800: RADIUS: Vendor, Cisco [26] 30
*Jan 3 01:16:52.800: RADIUS: Cisco AVpair [1] 24 "auth-proxy:priv-lvl=15"
*Jan 3 01:16:52.800: RADIUS: Vendor, Cisco [26] 49
*Jan 3 01:16:52.800: RADIUS: Cisco AVpair [1] 43 "auth-proxy:proxyacl#1=permit icmp any any"
*Jan 3 01:16:52.800: RADIUS: Vendor, Cisco [26] 48
*Jan 3 01:16:52.804: RADIUS: Cisco AVpair [1] 42 "auth-proxy:proxyacl#2=permit tcp any any"
*Jan 3 01:16:52.804: RADIUS: Class [25] 28
*Jan 3 01:16:52.804: RADIUS: 43 41 43 53 3A 30 2F 31 37 34 39 66 2F 61 30 30 [CACS:0/1749f/a00]
*Jan 3 01:16:52.804: RADIUS: 30 30 30 33 2F 50 52 4F 58 59 [0003/PROXY]
*Jan 3 01:16:52.808: RADIUS(00000006): Received from id 1645/4
*Jan 3 01:16:52.812: AAA/AUTHOR (00000006): Method list id=0 not configured. Skip author
*Jan 3 01:16:54.815: AUTH-PROXY:proto_flag=4, dstport_index=4
*Jan 3 01:16:54.815: ACK 2275096504 SEQ 1525595747 LEN 0
*Jan 3 01:16:54.815: dst_addr 136.1.23.3 src_addr 136.1.23.123 dst_port 80 src_port 1104
Rack1R3#
Rack1R3#! ... and the browser give me another login prompt...
Rack1R3#
Rack1R3#

See those lines in bold? What is happening here? They are not in the output from the solution guide. The “radius-server attribute 6 on-for-login-auth” message can be tweaked away with a specific command, but why should that be necessary? And what about “AAA/AUTHOR Method list id=0 not configured. Skip author”? That feels like a fatal error. But I do have the “aaa authorization auth-proxy default group radius” command.

Anyone?
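The exchange in the debug above, rebuilt as an added example (not code from this post, from INE or from Cisco): it encodes the Access-Request R3 sent and the three Cisco AV pairs ACS returned, so the lengths the router printed (71 for the request; 30, 49 and 48 for the VSAs) can be checked against the RFC 2865 framing. Assumptions: the shared key is the task's CISCO, the Request Authenticator is the one in the debug, and because the debug masks User-Password with "*" the hidden-password bytes themselves cannot be compared against the page.

```python
"""Rebuild the RADIUS exchange from the debug above (RFC 2865 framing, Cisco
VSA = vendor-id 9 / sub-type 1 'cisco-avpair') and check that the lengths the
router printed (71 for the request; 30, 49, 48 for the VSAs) fall out of it."""
import hashlib
import struct

CISCO_VENDOR_ID = 9  # IANA enterprise number carried in Cisco VSAs

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS AVP: Type(1) Length(1) Value; Length includes the header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair(text: str) -> bytes:
    """Attribute 26 = Vendor-Id + one cisco-avpair sub-attribute (type 1)."""
    sub = attr(1, text.encode())  # the 'Cisco AVpair [1] <len>' line in the debug
    return attr(26, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def pap_password(password: str, secret: str, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with
    MD5(secret + previous block), the first block keyed by the Request
    Authenticator. This is obfuscation keyed by the shared secret, not encryption."""
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret.encode() + prev).digest()
        prev = bytes(p ^ m for p, m in zip(pw[i:i + 16], mask))
        out += prev
    return out

def access_request(ident: int, authenticator: bytes, user: str, password: str,
                   secret: str, client_ip: str, nas_ip: str) -> bytes:
    """Access-Request (Code 1) carrying the same five attributes R3 sent."""
    body = (attr(1, user.encode())                                    # User-Name
            + attr(2, pap_password(password, secret, authenticator))  # User-Password
            + attr(61, struct.pack("!I", 5))                          # NAS-Port-Type Virtual
            + attr(31, client_ip.encode())                            # Calling-Station-Id
            + attr(4, bytes(int(o) for o in nas_ip.split("."))))      # NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

# Values copied from the debug output above; the secret is the task's key CISCO.
AUTHENTICATOR = bytes.fromhex("6322ADD403CA916C71F827E970122A18")
REQUEST = access_request(4, AUTHENTICATOR, "PROXY", "CISCO1234", "CISCO",
                         "136.1.23.123", "10.0.0.3")
ACCEPT_VSAS = b"".join(cisco_avpair(s) for s in (
    "auth-proxy:priv-lvl=15",
    "auth-proxy:proxyacl#1=permit icmp any any",
    "auth-proxy:proxyacl#2=permit tcp any any"))
```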
Posted in Cisco Security