Ip admission auth-proxy
Platform: 881W
IOS: C880-DATA-UNIVERSALK9-M 15.0(1)M3
License: I have tried both advsecurity and advipservices
Problem: Configuring an auth-proxy redirect on successful authentication
Cisco's documentation states that when you are configuring auth-proxy, you may specify a url in which the clients will be redirected to when successfully authenticated. The command is:
ip admission proxy http success redirect <url-string>
However, the command does not seem to exist on many of the later IOS versions. I am also unable to find any documentation with alternate methods of sending a redirection to the client after a successful authentication. Is this command deprecated? Is there a more efficient method of redirecting?
Documentation I am using:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_52_se/configuration/guide/swwebauth.html#wp1103789
Thank you,
Dan
Hello,
Can anyone here help me call a URL that has an image into my consent page?
I have an HTML page in the flash of the router called consent_page.html. Here are two different methods I am using to attempt to get the logo to show up in the consent page. Any ideas how to make this part work? Everything else works.
<a href="http://www.officemax.com"><img SRC="/logo.gif" ALT="Company" WIDTH=246 HEIGHT=48></a>
<a href="http://www.officemax.com"><img SRC="http://www.officemax.com/images//header/logo.png" ALT="OfficeMax" WIDTH=246 HEIGHT=48></a>
Warning!
The web site you have tried to access may not conform to the company's Acceptable Usage Policy
If you want to continue to this website click the "Accept" button below to proceed which will give you temporary access to this website. Please note that all web access is monitored.
Free Internet Hotspot
Terms of Service Agreement
Company provides free Internet access under the condition that you agree to abide by the restrictions below.
Responsibility of Use
You are responsible for all content distributed, accessed, or viewed while connected to this service. Company is not liable for your actions while using this service.
Limitation of Liability
Company is not liable for any damages which result from your use of this service.
Similar Messages
-
ACS-Auth-proxy Security misconfig
Hi,
I have an issue with ACS and authentication proxy. It turns out that I want users to have only one session at a given time, but the ACS is allowing more than one session per user.
Imagine the following sequence of events:
1) user A logs in ok
2) another user A tries to log in and is correctly blocked
3) user B logs in ok
4) another user B tries to log in and is correctly blocked
5) If at this point another user A tries to log in, it is not blocked, and I have the same user A account logged in twice.
At this point, I can log in another user B without problem, resulting in two accounts connected for user B, which is not what I want.
The router config is attached.
On the ACS Server, I have the User max session set to 1, and the auth-proxy priv-lvl is as follows:
priv-lvl=15
proxyacl#1=deny tcp any host 10.10.10.1 eq telnet ! this is to prevent users from telnetting into the rtr.
proxyacl#2=permit ip any any
proxyacl#3=permit icmp any any
Any help you can provide, will be greatly appreciated.
Regards,
Eduardo
Thanks for your reply, Darran.
Yes, I have lines for accounting for things that I do not even plan to use, just to be on the safe side:
aaa new-model
aaa group server tacacs+ Oasis
server 10.10.10.5
aaa authentication login default group Oasis none
aaa authorization exec default group Oasis none
aaa authorization commands 15 default group Oasis none
aaa authorization auth-proxy default group Oasis local
aaa accounting send stop-record authentication failure
aaa accounting auth-proxy default start-stop group Oasis
aaa accounting commands 15 default start-stop group Oasis
aaa accounting network default start-stop group Oasis
aaa accounting system default start-stop group tacacs+ group Oasis
aaa accounting resource default start-stop group Oasis
aaa session-id common
ip dhcp relay information trust-all
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp pool Oasis_dhcp
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
lease infinite
update arp
ip auth-proxy auth-proxy-banner http
ip auth-proxy auth-proxy-audit
ip auth-proxy name acceso http inactivity-time 60
ip admission auth-proxy-banner http
ip admission auth-proxy-audit
ip name-server xxx.xxx.xxx.xxx
interface Vlan1
description Switch Ethernet 4Ptos 10-100
ip dhcp relay information trusted
ip dhcp client update dns
ip address 10.10.10.1 255.255.255.0
ip access-group 150 in
ip auth-proxy acceso
ip http server
ip http authentication aaa
no ip http secure-server
ip nat inside source list 20 interface Dialer1 overload
Also, on the ACS, I have the Max sessions set to 1, but on the acs reports, I do not see any port re-used message.
I have a lab with 4 PCs and the ACS server (Win2003, standard).
Again, thanks for your interest.
Eduardo -
Ip auth-proxy form action is always IP address for HTTPS?
I am trying to set up an ip auth-proxy on a 1840.
It works, but results in https certificate error, as the authentication form is always submitted back to router using IP address in URL and not domain name that is in the certificate.
... <form method="post" action="https://10.10.10.11:443" target="pxywindow1"> ...
Is there a way to make router send the form with domain name or at least relative URL and not IP address?
With this certificate error, the feature cannot be possibly used in production environment.
Thanks!
Sergey
Figured it out: I had not put in a default aaa authentication login default tacacs+ command. I didn't think it was necessary. I was wrong.
-
Can somebody explain to me the meaning of the following commands in the link given below?
1) aaa authentication login default local group RTP none
In this command the default is local; will it prompt the user for TACACS first?
2) ip auth-proxy name list_a http and ip auth-proxy list_a
What is the meaning of putting in these commands?
3) access-list 116 permit tcp host 40.31.1.47 host 40.31.1.150 eq www
Why is this access-list required?
4) There is no access-list from host to webserver??
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a0080094655.shtml
1> This command will try first to authenticate using a local database (username john password 0 doe); if it returns an error (if you don't set any username, I believe) it will try the TACACS server.
2>ip auth-proxy name list_a http
This command creates a named authentication proxy rule, and it allows you to associate that rule with an access control list (ACL), providing control over which hosts use the authentication proxy.
Because an access list is not specified in the rule, all connection-initiating HTTP traffic is subjected to authentication.
ip auth-proxy list_a
The rule is applied to an interface on a router using this command
3>
ACL 116 is blocking traffic from the host 10.31.1.47 to other webservers (it only allows it to talk with the router).
After authenticating, new lines will be added to the front of the ACL and then it will be allowed to talk to the webserver.
HTH,
rate this post if it does,
vlad -
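To make the mechanism in vlad's answer concrete, here is an added example (not from the thread) that evaluates an interface ACL with IOS first-match semantics and then adds proxyacl entries for the authenticated host to the front of it. ACL 116 is the line from the question; the proxyacl entries are modelled on Eduardo's post with 40.31.1.150 standing in for the router (constructed), and narrowing a proxyacl source of `any` to the authenticated host is an assumption of this example.

```python
"""Added example: first-match ACL evaluation with auth-proxy dynamic entries."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# IOS port keywords used by the ACLs on this page.
PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "domain": 53}


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None means any destination port


def _parse_addr(tokens, i):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A WILDCARD': ipaddress accepts an IPv4 hostmask after the slash.
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse lines such as 'permit tcp host 40.31.1.47 host 40.31.1.150 eq www'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ip_address(src) not in ace.src or ip_address(dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """IOS semantics: the first matching entry wins; implicit deny at the end."""
    for ace in acl:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"


def with_auth_proxy_entries(acl: List[Ace], proxyacl: List[str], host: str) -> List[Ace]:
    """Model what vlad describes: once the host authenticates, the proxyacl
    entries returned by AAA are added to the front of the interface ACL.
    Assumption of this example: a source of 'any' in a proxyacl entry is
    narrowed to the authenticated host, so the opening applies to it alone."""
    any_src = ip_network("0.0.0.0/0")
    dynamic = []
    for line in proxyacl:
        ace = parse_ace(line)
        src = ip_network(host + "/32") if ace.src == any_src else ace.src
        dynamic.append(Ace(ace.action, ace.proto, src, ace.dst, ace.dport))
    return dynamic + list(acl)


# ACL 116 from the question above, plus proxyacl entries modelled on Eduardo's
# post (constructed for this example: 40.31.1.150 plays the router).
ACL_116 = [parse_ace("permit tcp host 40.31.1.47 host 40.31.1.150 eq www")]
PROXYACL = ["deny tcp any host 40.31.1.150 eq telnet", "permit ip any any"]


def demo():
    """Return (before, after, telnet) verdicts for the host's traffic."""
    before = evaluate(ACL_116, "tcp", "40.31.1.47", "198.51.100.10", 80)
    after_acl = with_auth_proxy_entries(ACL_116, PROXYACL, "40.31.1.47")
    after = evaluate(after_acl, "tcp", "40.31.1.47", "198.51.100.10", 80)
    telnet = evaluate(after_acl, "tcp", "40.31.1.47", "40.31.1.150", 23)
    return before, after, telnet


if __name__ == "__main__":
    print(demo())  # ('deny', 'permit', 'deny')
```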
Hi, everyone
I have a puzzle with the ASA auth-proxy authentication timeout. I want to achieve an inactivity timeout, that is, while there is traffic between client and host through the ASA after the user is authenticated, the cache timeout timer does not run; when the traffic ends, the cache timeout timer runs again.
But when I configure ASA 7.0, I found that if I have configured the ASA timeout timer as absolute with the following command:
timeout uauth 0:05:00 absolute
I cannot change the timer to inactivity,
but I can change it to the following:
timeout uauth 0:05:00 absolute uauth 0:05:00 inactivity
What is its meaning?
And can the user authentication timer be changed to inactivity?
Many thanks
Use the timeout uauth absolute & inactivity values locally.
Try the bug CSCsg52108
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/t_711.html#wp1318629 -
Hi,
I need to allow and deny some user to go to the Internet, but I want to allow/deny only for http traffic.
For example, I don't want any user to have to authenticate if they want to use FTP.
Is it possible with the auth-proxy? If yes, is there any configuration example?
In the example I saw, the user had to authenticate to then allow his computer to send any packet to the Internet.
Thanks for your help.
Cheers Gael
Auth-proxy will authenticate the user only via HTTP, before they can send ANY traffic out. Going by your description this is not what you want.
Lock-and-Key might be more what you want. See here for details:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm
You could define an ACL to the inside interface allowing everything EXCEPT HTTP/HTTPS. Users doing FTP can just go straight out as normal then. Then define dynamic entries to this ACL that allow all traffic. For anyone to go out with HTTP/HTTPS they'd have to telnet to the router first, put in their login credentials, then they can browse out. Something like the following should work for you:
interface ethernet0
description Inside interface
ip address 10.1.1.1 255.255.255.0
ip access-group 101 in
access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 101 deny tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0 4
login local
autocommand access-enable host timeout 5
It takes a bit of user education in that they will have to be told how to use this (first telnet to the router at 10.1.1.1, login, then you can use HTTP traffic outbound), but should give you what you want. -
Wired WebAuth only with NAC Guest Server (No ACS)
Ok, I have been fighting this for two days now. I want to use the webauth function on some of our Cisco 3750Gs ver 12.2(55)SE5 for guest access. I'm trying to use our NAC Guest Server ver 2.0.3 as the backend portal and RADIUS server. We do not have ACS or any of the other components of ISE or NAC. I think the issue is the NGS server is not sending the dACL back to the switch. Guests work fine from our WLCs.
switch debug: No attributes in switch debug
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Config NAS IP: 199.46.201.26
Mar 22 12:56:00.448 CDT: RADIUS/ENCODE(0000030C): acct_session_id: 1012
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): sending
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Send Access-Request to 10.199.33.20:1812 id 1645/19, len 177
Mar 22 12:56:00.448 CDT: RADIUS: authenticator 99 95 59 55 09 A9 D9 E1 - 2B 01 90 36 1B 8A 41 92
Mar 22 12:56:00.448 CDT: RADIUS: User-Name [1] 20 "[email protected]"
Mar 22 12:56:00.448 CDT: RADIUS: User-Password [2] 18 *
Mar 22 12:56:00.448 CDT: RADIUS: Framed-IP-Address [8] 6 199.46.201.231
Mar 22 12:56:00.448 CDT: RADIUS: Service-Type [6] 6 Outbound [5]
Mar 22 12:56:00.448 CDT: RADIUS: Message-Authenticato[80] 18
Mar 22 12:56:00.448 CDT: RADIUS: A2 57 B5 F2 A6 FB 46 71 D0 EA 26 54 95 90 F4 D0 [ WFq&T]
Mar 22 12:56:00.448 CDT: RADIUS: Vendor, Cisco [26] 49
Mar 22 12:56:00.448 CDT: RADIUS: Cisco AVpair [1] 43 "audit-session-id=C72EC91A000002FC0A6CD698"
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port [5] 6 50106
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/6"
Mar 22 12:56:00.448 CDT: RADIUS: NAS-IP-Address [4] 6 199.46.201.26
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Started 5 sec timeout
Mar 22 12:56:01.454 CDT: RADIUS: Received from id 1645/19 10.199.33.20:1812, Access-Reject, len 20
Mar 22 12:56:01.454 CDT: RADIUS: authenticator 92 98 05 84 6E 4B CF DD - B5 D7 90 25 10 59 7B E7
Mar 22 12:56:01.454 CDT: RADIUS(0000030C): Received from id 1645/19
NGS log:
rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
User-Name = "[email protected]"
User-Password = "5rRmpPt9"
Framed-IP-Address = 199.46.201.231
Service-Type = Outbound-User
Message-Authenticator = 0xa257b5f2a6fb4671d0ea26549590f4d0
Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
NAS-Port-Type = Ethernet
NAS-Port = 50106
NAS-Port-Id = "GigabitEthernet1/0/6"
NAS-IP-Address = 199.46.201.26
+- entering group authorize {...}
[radius-user-auth] expand: %{User-Name} -> [email protected]
[radius-user-auth] expand: %{User-Password} -> 5rRmpPt9
[radius-user-auth] expand: %{NAS-IP-Address} -> 199.46.201.26
[radius-user-auth] expand: %{Calling-Station-Id} ->
Exec-Program output: Note: no attributes here
Exec-Program: returned: 1
++[radius-user-auth] returns reject
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Similar debug from NGS but auth request from WLC: See attributes are sent to wlc although not needed
rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
User-Name = "[email protected]"
User-Password = "5rRmpPt9"
Service-Type = Login-User
NAS-IP-Address = 10.100.16.100
NAS-Port = 13
NAS-Identifier = "ICTWLC01"
NAS-Port-Type = Ethernet
Airespace-Wlan-Id = 514
Calling-Station-Id = "10.198.12.211"
Called-Station-Id = "10.100.16.100"
Message-Authenticator = 0xc9383e767f0c228a2b8a0ece7069f366
+- entering group authorize {...}
[radius-user-auth] expand: %{User-Name} -> [email protected]
[radius-user-auth] expand: %{User-Password} -> 5rRmpPt9
[radius-user-auth] expand: %{NAS-IP-Address} -> 10.100.16.100
[radius-user-auth] expand: %{Calling-Station-Id} -> 10.198.12.211
Exec-Program output: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program-Wait: plaintext: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program: returned: 0
++[radius-user-auth] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> [email protected]
[sql] sql_set_user escaped user --> '[email protected]'
[sql] expand: %{User-Password} -> 5rRmpPt9
[sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 12
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 12
++[sql] returns ok
Sending Access-Accept of id 22 to 10.100.16.100 port 32770
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.100.16.100 port 32770, id=30, length=170
config:
aaa new-model
aaa authentication login default group radius
aaa authentication login console group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ none
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
ip device tracking
ip auth-proxy auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
ip auth-proxy proxy http login expired page file flash:expired.html
ip auth-proxy proxy http login page file flash:login.html
ip auth-proxy proxy http success page file flash:success.html
ip auth-proxy proxy http failure page file flash:failed.html
ip admission auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
ip admission proxy http login expired page file flash:expired.html
ip admission proxy http login page file flash:login.html
ip admission proxy http success page file flash:success.html
ip admission proxy http failure page file flash:failed.html
ip admission name web-auth-guest proxy http inactivity-time 60
dot1x system-auth-control
identity policy FAILOPEN
access-group PERMIT
interface GigabitEthernet1/0/6
switchport access vlan 301
switchport mode access
ip access-group pre-webauth-guest in
no logging event link-status
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust dscp
no snmp trap link-status
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
ip admission web-auth-guest
ip http server
ip http secure-server
ip access-list extended PERMIT
permit ip any any
ip access-list extended pre-webauth-guest
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any host 10.199.33.20 eq 8443
permit tcp any host 10.199.33.21 eq 8443
permit tcp any host 10.100.255.90 eq 8443
deny ip any any log
ip radius source-interface Vlan301
radius-server attribute 8 include-in-access-req
radius-server dead-criteria tries 2
radius-server host 10.199.33.20 auth-port 1812 acct-port 1813 key 7 022E5C782C130A74586F1C0D0D
radius-server vsa send authentication
I get the login and AUP page then the failed page... I never see the priv-lvl 15 or the proxyacl? How do I do this with Guest server only?
Help!
Without the ACS, only with the NAC guest, is it possible?
Can they send me a sample configuration? -
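As an added example (not from the post, NGS or the switch), a small checker over abridged copies of the two NGS excerpts above, with the username replaced by a constructed placeholder and the User-Password lines dropped: it reports which script expansions came back empty, which reply attributes NGS produced and whether any of them are auth-proxy attributes, and which request attributes the WLC sends that the switch does not.

```python
"""Added example: compare what two NASes sent NGS and what NGS handed back."""
import re
from typing import Dict, List, Tuple

# Abridged from the two NGS (FreeRADIUS-style) excerpts above; the username is
# a constructed placeholder and the User-Password lines are omitted.
SWITCH_LOG = """\
rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
    User-Name = "guest@example.com"
    Framed-IP-Address = 199.46.201.231
    Service-Type = Outbound-User
    Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
    NAS-Port-Id = "GigabitEthernet1/0/6"
    NAS-IP-Address = 199.46.201.26
[radius-user-auth] expand: %{User-Name} -> guest@example.com
[radius-user-auth] expand: %{NAS-IP-Address} -> 199.46.201.26
[radius-user-auth] expand: %{Calling-Station-Id} ->
Exec-Program output: Note: no attributes here
Exec-Program: returned: 1
++[radius-user-auth] returns reject
"""

WLC_LOG = """\
rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
    User-Name = "guest@example.com"
    Service-Type = Login-User
    NAS-IP-Address = 10.100.16.100
    NAS-Identifier = "ICTWLC01"
    Airespace-Wlan-Id = 514
    Calling-Station-Id = "10.198.12.211"
    Called-Station-Id = "10.100.16.100"
[radius-user-auth] expand: %{User-Name} -> guest@example.com
[radius-user-auth] expand: %{NAS-IP-Address} -> 10.100.16.100
[radius-user-auth] expand: %{Calling-Station-Id} -> 10.198.12.211
Exec-Program output: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program: returned: 0
++[radius-user-auth] returns ok
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+)")
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.*)$")          # indented request attrs
EXPAND_RE = re.compile(r"expand: %\{([\w-]+)\} ->\s*(.*)$")
REPLY_RE = re.compile(r"^Exec-Program output:\s*(.*)$")
RESULT_RE = re.compile(r"^\+\+\[radius-user-auth\] returns (\w+)")
AVP_RE = re.compile(r"^([\w-]+)\s*(:=|\+=|==|=)\s*(.*)$")


def parse_reply_attrs(text: str) -> List[Tuple[str, str]]:
    """Split 'A := 1, cisco-AVPair += priv-lvl=15' into (name, value) pairs.
    Free text such as 'Note: no attributes here' yields no pairs."""
    pairs = []
    for item in text.split(", "):
        m = AVP_RE.match(item.strip())
        if m:
            pairs.append((m.group(1), m.group(3)))
    return pairs


def analyze(log: str) -> Dict[str, object]:
    """Summarise one request: who sent it, which script expansions came back
    empty, which attributes came back, and whether any are auth-proxy ones."""
    request, expansions, reply = {}, {}, []
    nas = result = None
    for line in log.splitlines():
        if (m := RECV_RE.match(line)):
            nas = m.group(2)
        elif (m := ATTR_RE.match(line)):
            request[m.group(1)] = m.group(2).strip('"')
        elif (m := EXPAND_RE.search(line)):
            expansions[m.group(1)] = m.group(2).strip()
        elif (m := REPLY_RE.match(line)):
            reply = parse_reply_attrs(m.group(1))
        elif (m := RESULT_RE.match(line)):
            result = m.group(1)
    auth_proxy = [v for k, v in reply if k.lower() == "cisco-avpair"
                  and v.startswith(("priv-lvl=", "auth-proxy:"))]
    return {"nas": nas, "result": result, "request": request,
            "empty_expansions": [k for k, v in expansions.items() if not v],
            "reply_attrs": reply, "auth_proxy_attrs": auth_proxy}


def request_attrs_missing_from(log_a: str, log_b: str) -> List[str]:
    """Request attributes present in log_b's Access-Request but absent in log_a's."""
    a, b = analyze(log_a)["request"], analyze(log_b)["request"]
    return sorted(set(b) - set(a))
```

Run over the two excerpts, the switch request is the one whose Calling-Station-Id expansion is empty and whose reply carries no attributes, while the WLC request gets priv-lvl and proxyacl back.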
User and Device Security and Authentication
I'm trying to configure user & device security & authentication by following "http://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns430/ns855/white_paper_c11-492830.html", which has the following config.
============
aaa new-model
aaa group server radius authproxy
server-private <ip address> auth-port 1812 acct-port 1813 key 0 <key>
ip radius source-interface Vlan10
aaa authorization auth-proxy default group authproxy
ip inspect fw test tcp
ip inspect fw test udp
ip inspect fw test rtsp
ip inspect fw test tftp
ip inspect fw test skinny
ip inspect name test sip
ip inspect name test sip-tls
ip admission auth-proxy-banner file http://10.34.250.98/disclaimer.htm
ip admission auth-proxy-banner http ^
This is the authentication proxy challenge
^
ip admission max-login-attempts 6
! Configure 30 minutes of inactivity timeout.
! proxy_acl is the intercept ACL
ip admission name pxy proxy http inactivity-time 30 list proxy_acl
ip admission name test_proxy proxy http list proxy_acl
interface Vlan10
description inside interface
ip inspect fw in
ip access-group proxy_inbound_acl in
ip admission test_proxy
ip access-list extended proxy_acl
remark --- Auth-Proxy ACL -----------
! Deny lines are used to bypass auth-proxy
deny tcp any host 10.10.200.1 eq www
! auth-proxy will intercept http access matching the below permit lines
permit tcp any 10.10.30.0 0.0.0.255 eq www
ip access-list extended proxy_inbound_acl
remark --- Auth-Proxy Inbound ACL which blocks the traffic ---
! Allow access to certain protocols
permit udp any any eq domain
permit udp any any eq netbios-ns
permit udp any any eq netbios-dgm
permit udp any any eq 5445
permit tcp any any eq 5060
permit tcp any any eq 5061
permit tcp any any eq 2000
permit tcp any any eq 2443
permit udp any any eq tftp
! Block corporate subnets. If split tunneling is not enabled denying
! all traffic using
! "deny any any" is sufficient
deny ip any 10.0.0.0 0.255.255.255
Permit ip any any ! if split tunneling is enabled
=========
I've couple questions:
1. "ip admission auth-proxy-banner file http://10.34.250.98/disclaimer.htm" - does it mean the banner can reside anywhere, or does it have to be in the flash of the router?
2. What does "proxy_acl" do?
3. What does "proxy_inbound_acl" do?
4. We don't want to allow split tunneling; what should that ACL look like?
OK so basically what you need to do is EAP-TLS with machine authentication.
Yes, that can be done. However WHO is going to be authenticating both? IAS? or ACS?
Here is a configuration example on how you can do this using ACS; doing it with IAS would be basically the same.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml -
Is it possible to authenticate to proxy-auth automatically?
Hello,
We have a customer who wants to allow some users (around 10) to access the Internet and some not.
So I was thinking auth-proxy may be the right solution.
But is it possible to make a script (any config example?) that will allow the permitted users to access the Internet without having to care about or see this security level (so without having to give a username and a password)?
For information we are using DHCP and roaming profiles.
Any Ideas?
Many thanks in advance
Gael
As far as I know, you cannot do this
-
Configuring AAA to include local auth for Console connections
Recently realized, during a maintenance window, that my AAA configurations are not set to use local authentication if the AAA server is unavailable. Could use a little help in making sure I have the correct setup. Below is what I have configured today:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host x.x.x.x
tacacs-server timeout 120
tacacs-server directed-request
tacacs-server key <key>
Would I add that as a separate line, or to the current one? Examples:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa authorization console
OR
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+ console
aaa accounting commands 15 default start-stop group tacacs+ -
Web-Proxy(cut-through) without ACS on 55xx
Is it possible? All I have read about it requires an external server.
I think that is a limitation of IOS Auth-Proxy and not ASA/PIX Cut-Through.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scfauthp.htm#wp1001164
However AFAIK you can only authenticate using the local password database and not authorize using it (for CUT-THROUGH). Have a look at this table:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1069492
Please rate if helpful.
Regards
Farrukh -
Wireless Downstream of a Proxy Server (AllegroSurf)
Does anyone know how I should go about setting up a wireless network downstream of my AllegroSurf proxy server? Not sure how to get started. I have a new Linksys router and am having difficulty.
Thx,
Chuck
Is Sonic Wall an authenticated proxy?
If so, say goodbye to most apps; many apps either fail silently on connecting or even crash behind authenticated proxies, even when the authentication details are supplied in the wireless config.
I have iPads behind a Smoothwall proxy (non-auth) and we have a proxy.pac file on our management server.
This proxy.pac (http://ipad/proxy.pac - set in Auto) directs all iPad traffic to the Smoothwall proxy, rather than our default auth proxy.
Smoothwall can insert the authentication, and then direct it to your Sonic Wall -
Firefox was working perfectly before we updated it to version 30.0. It seems that the new version does not like our proxy setting, which needs users to authenticate with their AD accounts.
In the previous version, Firefox would pop up a box that allowed you to type in the username and password, which worked perfectly. However, it does not pop up anymore and gives me this error message.
The following error was encountered:
Cache Access Denied.
Sorry, you are not currently allowed to request:
http://www.google.com.au/url?
from this cache until you have authenticated yourself.
I tried to manually set up the username in Keychain and allow Firefox to access it, but Firefox does not seem to access that keychain at all.
Does anyone have this issue with a proxy that needs authentication in Firefox 30.0? Does anyone know of possible solutions?
Many thanks!
Shuopan
--- troubleshooting update ---
Quite interestingly, Firefox will work for 1 minute after I am using Safari with that Auth proxy. However, if I am not touching Safari for 1 or 2 minutes, Firefox will stop working and pop up the similar error message.
Tried network.http.use-cache = false but it did not work.
Thanks -
Is IOS FW Proxy Authentication Compatible w/ HTTPS server?
Can proxy authentication be triggered via https as well as http? The document below on auth proxy only mentions http.
But the following document on HTTPS shows that HTTPS is enabled by adding the secure-server parameter to the end of "ip http": "ip http secure-server". If anyone has tried this out, I would be interested to know the result. Thanks.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00804c3d75.html
http://www.cisco.com/en/US/products/sw/iosswrel/ps1833/products_feature_guide09186a00800d9eee.html
I have tried this and it works. If you specify the "ip http secure-server" command, the "Username/Password" dialogue between the end client and the authenticating agent will be secured. Otherwise the username/password is sent in clear text.
-
Strange problem with cut-through proxy
hi
I have configured cut-through proxy on the router with ACS. I am facing a strange problem.
My router's ethernet 3/0 interface IP address is 10.1.1.1/24, the ACS server is 10.1.1.2/24 and the host IP is 10.1.1.3/24.
My router's e2/0 interface is connected to a server running a website.
int e2/0
no shutdown
ip add 20.1.1.1/24
exit
the webserver is running on 20.1.1.2
my router's config
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa authorization exec default group tacacs+
tacacs-server host 10.1.1.2
tacacs-server key cisco
ip http server
ip http authentication aaa
ip access-list 101 permit tcp host 10.1.1.2 eq tacacs host 10.1.1.1
ip auth-proxy name auth http
int e3/0
no shutdown
ip add 10.1.1.1/24
ip access-group 101 in
ip auth-proxy auth
exit
On the ACS server, in the TACACS+ (Cisco IOS) settings,
I have selected auth-proxy in the services for users and groups.
I have created a user john with privilege level 15,
and have selected auth-proxy and custom attributes:
proxyacl#1=permit tcp any any priv-lvl=15
I get the auth-proxy login page when the host on 10.1.1.3 tries to access the 20.1.1.2 web site.
After putting in the login credentials I get "authentication failed".
I tried the debug. I see the router is sending the authentication login and password and getting the status from the ACS as pass. I also see the auth-proxy triggered. In there I see
AUTH-PROXY PROTOCOL NOT CONFIGURED.
Could someone please help me with what the problem could be? I have tried many times to get this to work, but have not been fortunate enough.
Am I missing any commands on the router or on the ACS? I tried doing as the example mentioned in the student guide but it still failed. Please help; waiting for some reply.
sebastan
Check out the following link...
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b5e.html