Ip admission auth-proxy

Platform:  881W
IOS: C880-DATA-UNIVERSALK9-M 15.0(1)M3
License:  I have tried both advsecurity and advipservices
Problem:  Configuring an auth-proxy redirect on successful authentication
Cisco's documentation states that when you are configuring auth-proxy, you may specify a URL to which the clients will be redirected when successfully authenticated.  The command is:
ip admission proxy http success redirect <url-string>
However, the command does not seem to exist on many of the later IOS versions.  I am also unable to find any documentation with alternate methods of sending a redirection to the client after a successful authentication.  Is this command deprecated?  Is there a more efficient method of redirecting?
Documentation I am using:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swwebauth.html#wp1103789
Thank you,
Dan

Hello,
Can anyone here help me call a URL that has an image into my consent page?
I have an HTML page in the flash of the router called consent_page.html. Here are two different methods I am using to attempt to get the logo to show up in the consent page. Any ideas how to make this part work? Everything else works.
<A HREF="http://www.officemax.com"><IMG SRC="/logo.gif" ALT="Company" WIDTH=246 HEIGHT=48></A>
<A HREF="http://www.officemax.com"><IMG SRC="http://www.officemax.com/images//header/logo.png" ALT="OfficeMax" WIDTH=246 HEIGHT=48></A>
Warning!
The web site you have tried to access may not conform to the company's Acceptable Usage Policy
If you want to continue to this website click the "Accept" button below to proceed which will give you temporary access to this website. Please note that all web access is monitored.
Free Internet Hotspot
Terms of Service Agreement
Company provides free Internet access under the condition that you agree to abide by the restrictions below.
Responsibility of Use
You are responsible for all content distributed, accessed, or viewed while connected to this service. Company is not liable for your actions while using this service.
Limitation of Liability
Company is not liable for any damages which result from your use of this service.

Similar Messages

  • ACS-Auth-proxy Security misconfig

    Hi,
    I have an issue with ACS and authentication proxy. It turns out that I want users to have only one session at a given time, but the ACS is allowing more than one session per user.
    Imagine the following sequence of events:
    1) user A logs in ok
    2) another user A tries to log in and is correctly blocked
    3) user B logs in ok
    4) another user B tries to log in and is correctly blocked
    5) If at this point another user A tries to log in, it is not blocked
    and I have the same user A account logged in twice.
    At this point, I can log in another user B without problem, resulting in two accounts connected for user B, which is not what I want.
    The router config is attached.
    On the ACS Server, I have the User max session set to 1, and the auth-proxy priv-lvl is as follows:
    priv-lvl=15
    proxyacl#1=deny tcp any host 10.10.10.1 eq telnet ! this is to prevent users from telnetting into the rtr.
    proxyacl#2=permit ip any any
    proxyacl#3=permit icmp any any
    Any help you can provide, will be greatly appreciated.
    Regards,
    Eduardo

    Thanks for your reply, Darran.
    Yes, I have lines for accounting for things that I do not even plan to use, just to be on the safe side:
    aaa new-model
    aaa group server tacacs+ Oasis
    server 10.10.10.5
    aaa authentication login default group Oasis none
    aaa authorization exec default group Oasis none
    aaa authorization commands 15 default group Oasis none
    aaa authorization auth-proxy default group Oasis local
    aaa accounting send stop-record authentication failure
    aaa accounting auth-proxy default start-stop group Oasis
    aaa accounting commands 15 default start-stop group Oasis
    aaa accounting network default start-stop group Oasis
    aaa accounting system default start-stop group tacacs+ group Oasis
    aaa accounting resource default start-stop group Oasis
    aaa session-id common
    ip dhcp relay information trust-all
    ip dhcp excluded-address 10.10.10.1 10.10.10.10
    ip dhcp pool Oasis_dhcp
    import all
    network 10.10.10.0 255.255.255.0
    default-router 10.10.10.1
    dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
    lease infinite
    update arp
    ip auth-proxy auth-proxy-banner http
    ip auth-proxy auth-proxy-audit
    ip auth-proxy name acceso http inactivity-time 60
    ip admission auth-proxy-banner http
    ip admission auth-proxy-audit
    ip name-server xxx.xxx.xxx.xxx
    interface Vlan1
    description Switch Ethernet 4Ptos 10-100
    ip dhcp relay information trusted
    ip dhcp client update dns
    ip address 10.10.10.1 255.255.255.0
    ip access-group 150 in
    ip auth-proxy acceso
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip nat inside source list 20 interface Dialer1 overload
    Also, on the ACS, I have the Max sessions set to 1, but on the acs reports, I do not see any port re-used message.
    I have a lab with 4 PCs and the ACS server (Win2003, standard).
    Again, thanks for your interest.
    Eduardo

  • Ip auth-proxy form action is always IP address for HTTPS?

    I am trying to set up an ip auth-proxy on a 1840.
    It works, but results in https certificate error, as the authentication form is always submitted back to router using IP address in URL and not domain name that is in the certificate.
    ... <form method="post" action="https://10.10.10.11:443" target="pxywindow1"> ...
    Is there a way to make router send the form with domain name or at least relative URL and not IP address?
    With this certificate error, the feature cannot be possibly used in production environment.
    Thanks!
    Sergey

    Figured it out: I had not put in a default aaa authentication login default tacacs+ command. I didn't think it was necessary. I was wrong.

  • Ip auth-proxy

    Can somebody explain the meaning of the following commands in the link given below?
    1) aaa authentication login default local group RTP none
    In this command default is local; will it prompt the user to TACACS first?
    2) ip auth-proxy name list_a http and ip auth-proxy list_a
    What is the meaning of putting in these commands?
    3) access-list 116 permit tcp host 40.31.1.47 host 40.31.1.150 eq www
    Why is this access-list required?
    4) There is no access-list from host to webserver?
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094655.shtml

    1> This command will try first to authenticate using a local database (username john password 0 doe); if it returns an error (if you don't set any username, I believe) it will try the TACACS server.
    2>ip auth-proxy name list_a http
    This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list (ACL), providing control over which hosts use the authentication proxy.
    Because an access list is not specified in the rule, all connection-initiating HTTP traffic is subjected to authentication.
    ip auth-proxy list_a
    The rule is applied to an interface on a router using this command
    3>
    ACL 116 is blocking traffic from the host 10.31.1.47 to other webservers (it only allows it to talk with the router).
    After authenticating , new lines will be added to the front of the ACL and then it will be allowed to talk to the webserver.
    HTH,
    rate this post if it does,
    vlad

  • ASA auth-proxy timeout

    Hi, everyone
    I have a puzzle with the ASA auth-proxy authentication timeout. I want to achieve the inactivity timeout, that is, when there is some traffic between client and host through the ASA after the user has authenticated, the cache timeout timer doesn't work. When the traffic ends, the cache timeout timer works again.
    But when I configured the ASA 7.0, I found that if I have configured the ASA timeout timer as absolute with the following command:
    timeout uauth 0:05:00 absolute
    I cannot change the timer to inactivity,
    but it can be changed as below:
    timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
    What is its meaning?
    And can the user authentication timer be changed to inactivity?
    Many thanks

    Use the timeout uauth absolute & inactivity values locally.
    Try the bug CSCsg52108
    http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/t_711.html#wp1318629

  • Newbie with auth-proxy

    Hi,
    I need to allow and deny some users to go to the Internet, but I want to allow/deny only for http traffic.
    For example I don't want any user to have to authenticate if they want to use ftp.
    Is it possible with the auth-proxy? If yes, any configuration example?
    In the example I saw, the user had to authenticate to then allow his computer to send any packet to the Internet.
    Thanks for your help.
    Cheers Gael

    Auth-proxy will authenticate the user only via HTTP, before they can send ANY traffic out. Going by your description this is not what you want.
    Lock-and-Key might be more what you want. See here for details:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm
    You could define an ACL to the inside interface allowing everything EXCEPT HTTP/HTTPS. Users doing FTP can just go straight out as normal then. Then define dynamic entries to this ACL that allow all traffic. For anyone to go out with HTTP/HTTPS they'd have to telnet to the router first, put in their login credentials, then they can browse out. Something like the following should work for you:
    interface ethernet0
    description Inside interface
    ip address 10.1.1.1 255.255.255.0
    ip access-group 101 in
    access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 80
    access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 443
    access-list 101 permit ip 10.1.1.0 0.0.0.255 any
    access-list 101 dynamic mytestlist timeout 120 permit ip any any
    line vty 0 4
    login local
    autocommand access-enable host timeout 5
    It takes a bit of user education in that they will have to be told how to use this (first telnet to the router at 10.1.1.1, login, then you can use HTTP traffic outbound), but should give you what you want.
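Added example (not part of the reply above): a small Python model of how the ACL in that reply is evaluated. It assumes IOS top-down first-match evaluation with the temporary lock-and-key entries created at the position of the dynamic line, and goes beyond the reply by comparing the line order as posted with the dynamic line moved ahead of the deny lines. The client addresses and the destination 198.51.100.10 are constructed test values.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):
    """Consume one address spec; return ((base, wildcard), remaining tokens)."""
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def parse_ace(text):
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' (subset of IOS syntax)."""
    tok = text.split()
    src, rest = _addr(tok[2:])
    dst, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "port": port}

def _addr_match(spec, ip):
    base, wildcard = spec
    # Bits set in the wildcard mask are "don't care".
    return ((base ^ _ip(ip)) & ~wildcard & 0xFFFFFFFF) == 0

def matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and _addr_match(ace["src"], pkt["src"])
            and _addr_match(ace["dst"], pkt["dst"])
            and (ace["port"] is None or ace["port"] == pkt["dport"]))

def evaluate(acl, pkt, enabled_hosts=()):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for line in acl:
        tok = line.split()[2:]                       # drop "access-list 101"
        if tok[0] == "dynamic":
            # dynamic <name> timeout <min> <template>; "access-enable host"
            # creates one temporary entry per authenticated source host (assumption
            # of this model: those entries sit where the dynamic line sits).
            template = parse_ace(" ".join(tok[4:]))
            for host in enabled_hosts:
                temp = dict(template, src=(_ip(host), 0))
                if matches(temp, pkt):
                    return temp["action"]
            continue
        ace = parse_ace(" ".join(tok))
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

# ACL lines exactly as given in the reply.
AS_POSTED = [
    "access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 80",
    "access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 443",
    "access-list 101 permit ip 10.1.1.0 0.0.0.255 any",
    "access-list 101 dynamic mytestlist timeout 120 permit ip any any",
]
# Same lines, dynamic entry first (variant added for comparison).
DYNAMIC_FIRST = [AS_POSTED[3]] + AS_POSTED[:3]

# Constructed test traffic.
USER, OTHER = "10.1.1.50", "10.1.1.60"
HTTP = {"proto": "tcp", "src": USER, "dst": "198.51.100.10", "dport": 80}
FTP = {"proto": "tcp", "src": USER, "dst": "198.51.100.10", "dport": 21}

def outcomes(acl):
    """(HTTP before login, HTTP after login, HTTP from another host, FTP before login)."""
    return (evaluate(acl, HTTP),
            evaluate(acl, HTTP, enabled_hosts=[USER]),
            evaluate(acl, dict(HTTP, src=OTHER), enabled_hosts=[USER]),
            evaluate(acl, FTP))

if __name__ == "__main__":
    print("as posted    :", outcomes(AS_POSTED))
    print("dynamic first:", outcomes(DYNAMIC_FIRST))
```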

  • Wired WebAuth only with NAC Guest Server (No ACS)

    Ok, I have been fighting this for two days now.  I want to use the webauth function on some of our Cisco 3750Gs ver 12.2(55)SE5 for guest access.  I'm trying to use our NAC Guest Server ver: 2.0.3 as the backend portal and Radius server.  We do not have ACS or any of the other components of ISE or NAC.  I think the issue is the NGS server is not sending the d(ACL) back to switch.  Guests work fine from our WLCs.
    switch debug:   No Attributes in switch debug
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Config NAS IP: 199.46.201.26
    Mar 22 12:56:00.448 CDT: RADIUS/ENCODE(0000030C): acct_session_id: 1012
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): sending
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Send Access-Request to 10.199.33.20:1812 id 1645/19, len 177
    Mar 22 12:56:00.448 CDT: RADIUS:  authenticator 99 95 59 55 09 A9 D9 E1 - 2B 01 90 36 1B 8A 41 92
    Mar 22 12:56:00.448 CDT: RADIUS:  User-Name           [1]   20  "[email protected]"
    Mar 22 12:56:00.448 CDT: RADIUS:  User-Password       [2]   18  *
    Mar 22 12:56:00.448 CDT: RADIUS:  Framed-IP-Address   [8]   6   199.46.201.231
    Mar 22 12:56:00.448 CDT: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    Mar 22 12:56:00.448 CDT: RADIUS:  Message-Authenticato[80]  18
    Mar 22 12:56:00.448 CDT: RADIUS:   A2 57 B5 F2 A6 FB 46 71 D0 EA 26 54 95 90 F4 D0             [ WFq&T]
    Mar 22 12:56:00.448 CDT: RADIUS:  Vendor, Cisco       [26]  49
    Mar 22 12:56:00.448 CDT: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C72EC91A000002FC0A6CD698"
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port            [5]   6   50106
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/6"
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-IP-Address      [4]   6   199.46.201.26
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Started 5 sec timeout
    Mar 22 12:56:01.454 CDT: RADIUS: Received from id 1645/19 10.199.33.20:1812, Access-Reject, len 20
    Mar 22 12:56:01.454 CDT: RADIUS:  authenticator 92 98 05 84 6E 4B CF DD - B5 D7 90 25 10 59 7B E7
    Mar 22 12:56:01.454 CDT: RADIUS(0000030C): Received from id 1645/19
    NGS log:
    rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
        User-Name = "[email protected]"
        User-Password = "5rRmpPt9"
        Framed-IP-Address = 199.46.201.231
        Service-Type = Outbound-User
        Message-Authenticator = 0xa257b5f2a6fb4671d0ea26549590f4d0
        Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
        NAS-Port-Type = Ethernet
        NAS-Port = 50106
        NAS-Port-Id = "GigabitEthernet1/0/6"
        NAS-IP-Address = 199.46.201.26
    +- entering group authorize {...}
    [radius-user-auth]     expand: %{User-Name} -> [email protected]
    [radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
    [radius-user-auth]     expand: %{NAS-IP-Address} -> 199.46.201.26
    [radius-user-auth]     expand: %{Calling-Station-Id} ->
    Exec-Program output:                          Note:  no attributes here
    Exec-Program: returned: 1
    ++[radius-user-auth] returns reject
    Delaying reject of request 12 for 1 seconds
    Going to the next request
    Waking up in 0.6 seconds.
    Similar debug from NGS but auth request from WLC: See attributes are sent to wlc although not needed
    rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
        User-Name = "[email protected]"
        User-Password = "5rRmpPt9"
        Service-Type = Login-User
        NAS-IP-Address = 10.100.16.100
        NAS-Port = 13
        NAS-Identifier = "ICTWLC01"
        NAS-Port-Type = Ethernet
        Airespace-Wlan-Id = 514
        Calling-Station-Id = "10.198.12.211"
        Called-Station-Id = "10.100.16.100"
        Message-Authenticator = 0xc9383e767f0c228a2b8a0ece7069f366
    +- entering group authorize {...}
    [radius-user-auth]     expand: %{User-Name} -> [email protected]
    [radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
    [radius-user-auth]     expand: %{NAS-IP-Address} -> 10.100.16.100
    [radius-user-auth]     expand: %{Calling-Station-Id} -> 10.198.12.211
    Exec-Program output: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
    Exec-Program-Wait: plaintext: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
    Exec-Program: returned: 0
    ++[radius-user-auth] returns ok
    [files] users: Matched entry DEFAULT at line 1
    ++[files] returns ok
    Found Auth-Type = Accept
    Auth-Type = Accept, accepting the user
    +- entering group post-auth {...}
    [sql]     expand: %{User-Name} -> [email protected]
    [sql] sql_set_user escaped user --> '[email protected]'
    [sql]     expand: %{User-Password} -> 5rRmpPt9
    [sql]     expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
    rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
    rlm_sql (sql): Reserving sql socket id: 12
    rlm_sql_postgresql: Status: PGRES_COMMAND_OK
    rlm_sql_postgresql: query affected rows = 1
    rlm_sql (sql): Released sql socket id: 12
    ++[sql] returns ok
    Sending Access-Accept of id 22 to 10.100.16.100 port 32770
    Finished request 4.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.100.16.100 port 32770, id=30, length=170
    config:
    aaa new-model
    aaa authentication login default group radius
    aaa authentication login console group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ none
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting exec default stop-only group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    ip device tracking
    ip auth-proxy auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
    ip auth-proxy proxy http login expired page file flash:expired.html
    ip auth-proxy proxy http login page file flash:login.html
    ip auth-proxy proxy http success page file flash:success.html
    ip auth-proxy proxy http failure page file flash:failed.html
    ip admission auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
    ip admission proxy http login expired page file flash:expired.html
    ip admission proxy http login page file flash:login.html
    ip admission proxy http success page file flash:success.html
    ip admission proxy http failure page file flash:failed.html
    ip admission name web-auth-guest proxy http inactivity-time 60
    dot1x system-auth-control
    identity policy FAILOPEN
    access-group PERMIT
    interface GigabitEthernet1/0/6
    switchport access vlan 301
    switchport mode access
    ip access-group pre-webauth-guest in
    no logging event link-status
    srr-queue bandwidth share 10 10 60 20
    queue-set 2
    priority-queue out
    mls qos trust device cisco-phone
    mls qos trust dscp
    no snmp trap link-status
    auto qos voip cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQoS-Police-CiscoPhone
    ip admission web-auth-guest
    ip http server
    ip http secure-server
    ip access-list extended PERMIT
    permit ip any any
    ip access-list extended pre-webauth-guest
    permit udp any any eq bootps
    permit udp any any eq domain
    permit tcp any host 10.199.33.20 eq 8443
    permit tcp any host 10.199.33.21 eq 8443
    permit tcp any host 10.100.255.90 eq 8443
    deny   ip any any log
    ip radius source-interface Vlan301
    radius-server attribute 8 include-in-access-req
    radius-server dead-criteria tries 2
    radius-server host 10.199.33.20 auth-port 1812 acct-port 1813 key 7 022E5C782C130A74586F1C0D0D
    radius-server vsa send authentication
    I get the login and AUP page then the failed page... I never see the priv-lvl 15 or the proxyacl?  How do I do this with Guest server only?
    Help!

    Is it possible without the ACS, only with the NAC Guest Server?
    Can someone send me a sample configuration?
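Added example (not from the post or from NGS): a Python sketch that parses FreeRADIUS-style debug output like the two NGS excerpts above and lists which attributes the accepted request carried that the rejected one did not, and which of those the backend script expanded to an empty string. The embedded sample is abridged from the excerpts in the post, with the user name replaced by a placeholder.

```python
import re

HDR = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")
EXPAND = re.compile(r"expand: %\{([^}]+)\} ->\s*(.*)$")
EXEC = re.compile(r"^Exec-Program: returned: (\d+)")

# Abridged from the post; "guest@example.test" is a placeholder user name.
SAMPLE = """\
rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
    User-Name = "guest@example.test"
    Framed-IP-Address = 199.46.201.231
    Service-Type = Outbound-User
    NAS-Port-Id = "GigabitEthernet1/0/6"
    NAS-IP-Address = 199.46.201.26
[radius-user-auth]     expand: %{User-Name} -> guest@example.test
[radius-user-auth]     expand: %{NAS-IP-Address} -> 199.46.201.26
[radius-user-auth]     expand: %{Calling-Station-Id} ->
Exec-Program: returned: 1
rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
    User-Name = "guest@example.test"
    Service-Type = Login-User
    NAS-IP-Address = 10.100.16.100
    NAS-Identifier = "ICTWLC01"
    Calling-Station-Id = "10.198.12.211"
    Called-Station-Id = "10.100.16.100"
[radius-user-auth]     expand: %{User-Name} -> guest@example.test
[radius-user-auth]     expand: %{NAS-IP-Address} -> 10.100.16.100
[radius-user-auth]     expand: %{Calling-Station-Id} -> 10.198.12.211
Exec-Program: returned: 0
"""

def parse_requests(text):
    """Split the debug log into requests with their attributes and script result."""
    requests, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = {"nas": m.group(2), "id": int(m.group(3)),
                   "attrs": {}, "empty": [], "exec_rc": None}
            requests.append(cur)
            continue
        if cur is None:
            continue
        if (m := ATTR.match(line)):
            cur["attrs"][m.group(1)] = m.group(2).strip('"')
        elif (m := EXPAND.search(line)):
            if not m.group(2).strip():        # attribute expanded to nothing
                cur["empty"].append(m.group(1))
        elif (m := EXEC.match(line)):
            cur["exec_rc"] = int(m.group(1))
    return requests

def compare(rejected, accepted):
    missing = sorted(set(accepted["attrs"]) - set(rejected["attrs"]))
    return {
        "missing_in_rejected": missing,
        # Missing attributes that the script actually tried to read.
        "expanded_empty": [a for a in rejected["empty"] if a in missing],
        "service_type": (rejected["attrs"].get("Service-Type"),
                         accepted["attrs"].get("Service-Type")),
    }

def analyse(text):
    reqs = parse_requests(text)
    rejected = next(r for r in reqs if r["exec_rc"] not in (0, None))
    accepted = next(r for r in reqs if r["exec_rc"] == 0)
    return compare(rejected, accepted)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```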

  • User and Device Security and Authentication

    I'm trying to configure user & device security & authentication by following "http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns430/ns855/white_paper_c11-492830.html" which has the following config.
    ============
    aaa new-model
    aaa group server radius authproxy
    server-private <ip address> auth-port 1812 acct-port 1813 key 0 <key>
    ip radius source-interface Vlan10
    aaa authorization auth-proxy default group authproxy
    ip inspect fw test tcp
    ip inspect fw test udp
    ip inspect fw test rtsp
    ip inspect fw test tftp
    ip inspect fw test skinny
    ip inspect name test sip
    ip inspect name test sip-tls
    ip admission auth-proxy-banner file http://10.34.250.98/disclaimer.htm
    ip admission auth-proxy-banner http ^
    This is the authentication proxy challenge
    ^
    ip admission max-login-attempts 6
    ! Configure 30 minutes of inactivity timeout.
    ! proxy_acl is the intercept ACL
    ip admission name pxy proxy http inactivity-time 30 list proxy_acl
    ip admission name test_proxy proxy http list proxy_acl
    interface Vlan10
    description inside interface
    ip inspect fw in
    ip access-group proxy_inbound_acl in
    ip admission test_proxy
    ip access-list extended proxy_acl
    remark --- Auth-Proxy ACL -----------
    ! Deny lines are used to bypass auth-proxy
    deny tcp any host 10.10.200.1 eq www
    ! auth-proxy will intercept http access matching the below permit lines
    permit tcp any 10.10.30.0 0.0.255 eq www
    ip access-list extended proxy_inbound_acl
    remark --- Auth-Proxy Inbound ACL which blocks the traffic ---
    ! Allow access to certain protocols
    permit udp any any eq domain
    permit udp any any eq netbios-ns
    permit udp any any eq netbios-dgm
    permit udp any any eq 5445
    permit tcp any any eq 5060
    permit tcp any any eq 5061
    permit tcp any any eq 2000
    permit tcp any any eq 2443
    permit udp any any eq tftp
    ! Block corporate subnets. If split tunneling is not enabled denying
    ! all traffic using
    ! "deny any any" is sufficient
    deny ip any 10.0.0.0 0.255.255.255
    Permit ip any any ! if split tunneling is enabled
    =========
    I have a couple of questions:
    1. "ip admission auth-proxy-banner file http://10.34.250.98/disclaimer.htm" - does it mean the banner can reside anywhere or does it have to be in the flash of the router?
    2. What does "proxy_acl" do?
    3. What does "proxy_inbound_acl" do?
    4. We don't want to allow split tunneling; what should that ACL look like?

    OK so basically what you need to do is EAP-TLS with Machine authentication.
    Yes, that can be done. However WHO is it going to be authenticating both? IAS? or ACS?
    Here it is a configuration example on how you can do this using ACS, doing it with IAS would be basically the same.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

  • Is it possible to authenticate to proxy-auth automatically?

    Hello,
    We got a customer who wants to allow some users (around 10) to access the Internet and some not.
    So I was thinking auth-proxy may be a good solution.
    But is it possible to make a script (any config example?) that will allow the permitted users to access the Internet without having to care about or see this security level (so without having to give a username and a password)?
    For information we are using DHCP and roaming profiles.
    Any ideas?
    Many thanks in advance
    Gael

    As far as I know, you cannot do this

  • Configuring AAA to include local auth for Console connections

    Recently realized, during a maintenance window, that my AAA configurations are not set to use local authentication if the AAA server is unavailable. Could use a little help in making sure I have the correct setup. Below is what I have configured today:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ 
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host x.x.x.x
    tacacs-server timeout 120
    tacacs-server directed-request
    tacacs-server key <key>

    Would I add that as a separate line, or to the current one? Examples:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ 
    aaa accounting commands 15 default start-stop group tacacs+
    aaa authorization console
        OR
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+ console
    aaa accounting commands 15 default start-stop group tacacs+
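Added example (not from any of the posts): a Python check over `aaa authentication` method lists such as the ones quoted in this thread and earlier on the page. It flags lists that name only server groups (no method left when the servers do not answer) and lists that end in `none` (login succeeds without credentials once every earlier method returns an error). The hardened lines at the end are an assumed variant using the standard `local` and `enable` fallback keywords and presuppose a local username and an enable secret on the device.

```python
import re

AUTHN = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")

def parse_methods(text):
    """Split a method list, keeping 'group <name>' together as one method."""
    tok, methods, i = text.split(), [], 0
    while i < len(tok):
        if tok[i] == "group" and i + 1 < len(tok):
            methods.append("group " + tok[i + 1])
            i += 2
        else:
            methods.append(tok[i])
            i += 1
    return methods

def audit(config):
    """Return (method list, finding) pairs for risky authentication lists.

    IOS moves to the next method only when the current one returns an error
    (for example, no server reachable), not when it rejects the credentials.
    """
    findings = []
    for raw in config.splitlines():
        m = AUTHN.match(raw.strip())
        if not m:
            continue
        label = f"{m.group(1)} {m.group(2)}"
        methods = parse_methods(m.group(3))
        if all(x.startswith("group ") for x in methods):
            # Nothing to fall back on: nobody can log in while the servers are down.
            findings.append((label, "server-only"))
        elif methods[-1] == "none":
            # Last resort grants access without any credentials.
            findings.append((label, "ends-in-none"))
    return findings

# Quoted from the thread above.
CONSOLE_THREAD = """
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Quoted from two earlier threads on this page.
EARLIER_THREADS = """
aaa authentication login default group Oasis none
aaa authentication login default local group RTP none
"""

# Assumed hardened variant (not from the page).
HARDENED = """
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
"""

if __name__ == "__main__":
    for name, cfg in [("console thread", CONSOLE_THREAD),
                      ("earlier threads", EARLIER_THREADS),
                      ("hardened", HARDENED)]:
        print(name, audit(cfg))
```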

  • Web-Proxy(cut-through) without ACS on 55xx

    Is it possible? All I have read about it requires an external server.

    I think that is a limitation of IOS Auth-Proxy and not ASA/PIX Cut-Through.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfauthp.htm#wp1001164
    However AFAIK you can only authenticate using local password database and not authorize using it (for CUT-THROUGH). Have a look at this table:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1069492
    Please rate if helpful.
    Regards
    Farrukh

  • Wireless Downstream of a Proxy Server (AllegroSurf)

    Anyone know how I should go about setting up a wireless setup downstream of my AllegroSurf Proxy Server. Not sure how to get started. Have a new Linksys Router and having difficulty.
    Thx,
    Chuck

    Is Sonic Wall an authenticated proxy?  
    If so, say goodbye to most apps; many apps either fail silently on connecting or even crash behind authenticated proxies - even when the authentication details are supplied in the wireless config.
    I have iPads behind a smoothwall proxy (non-auth) and we have a proxy.pac file on our management server.
    This proxy.pac (http://ipad/proxy.pac - set in Auto ) directs all iPad traffic to the smoothwall proxy, rather than our default auth proxy.
    Smoothwall can insert the authentication, and then direct it to your Sonic Wall.

  • Firefox MAC v30 with proxy needs authenticate"Cache Access Denied" sorry, you are not currently allowed to request: from this cache until you have authenticated

    Firefox was working perfectly before we updated it to version 30.0. It seems that the new version does not like our proxy setting, which needs users to auth with their AD accounts.
    In the past version, Firefox would pop up a box that allows you to type in the username and password, which works perfectly. However, it does not pop up anymore and gives me this error message.
    The following error was encountered:
    Cache Access Denied.
    Sorry, you are not currently allowed to request:
    http://www.google.com.au/url?
    from this cache until you have authenticated yourself.
    I tried to manually set up the username in the keychain and allow Firefox to access it, but Firefox does not seem to access that keychain at all.
    Does anyone have this issue with a proxy that needs authentication in Firefox 30.0? Does anyone know the possible solutions?
    Many thanks!
    Shuopan
    ------------------------------------trouble shoot update-----------------------------------------
    Quite interestingly, Firefox will work for 1 minute after I am using Safari with that Auth proxy. However, if I am not touching Safari for 1 or 2 minutes, Firefox will stop working and pop up the similar error message.
    tried network.http.use-cache = false but not work
    Thanks


  • Is IOS FW Proxy Authentication Compatible w/ HTTPS server?

    Can proxy authentication be triggered via https as well as http? The document below on auth proxy only mentions http.
    But the following document on https shows that https is triggered by adding the secure-server parameter to the end of "ip http": "ip http secure-server". If anyone's tried this out, I would be interested to know the result. Thanks.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00804c3d75.html
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1833/products_feature_guide09186a00800d9eee.html

    I have tried this and it works. If you specify "ip http secure-server" command, the "Username/Password" dialogue between the end client and the authenticating agent will be secured. Otherwise the username/password is sent in clear text.

  • Strange problem with cut-through proxy

    hi
    I have configured cut-through proxy on the router with ACS. I am facing a strange problem.
    My router's ethernet 3/0 interface IP address is 10.1.1.1/24 and the ACS server is 10.1.1.2/24 and the host IP is 10.1.1.3/24.
    My router's e2/0 interface is connected to a server running a website.
    int e2/0
    no shutdown
    ip add 20.1.1.1/24
    exit
    the webserver is running on 20.1.1.2
    my router's config
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authorization auth-proxy default group tacacs+
    aaa authorization exec default group tacacs+
    tacacs-server host 10.1.1.2
    tacacs-server key cisco
    ip http server
    ip http authentication aaa
    ip access-list 101 permit tcp host 10.1.1.2 eq tacacs host 10.1.1.1
    ip auth-proxy name auth http
    int e3/0
    no shutdown
    ip add 10.1.1.1/24
    ip access-group 101 in
    ip auth-proxy auth
    exit
    on the acs server in the tacacs+ ios
    i have selected auth-proxy in the services for users and groups
    i have created a user john with privilege level 15
    have selected auth-proxy and custom attributes
    proxyacl#1=permit tcp any any priv-lvl=15
    I get the auth-proxy login page when the host on 10.1.1.3 is trying to access the 20.1.1.2 web site.
    After putting in the login credentials I get authentication failed.
    I tried the debug. I see the router is sending the authentication login and password and getting the status from the ACS as pass. I also see the auth-proxy triggered. In there I see
    AUTH-PROXY PROTOCOL NOT CONFIGURED.
    Could someone please help me with what could be the problem? I have tried many times to get this to work, but have not been fortunate enough.
    Am I missing any commands on the router or on the ACS? I tried doing as in the example mentioned in the student guide but still failed. Please help. Waiting for some reply.
    sebastan

    Check out the following link...
    http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html
