Troubleshooting auth-proxy

Troubleshooting auth-proxy is fairly simple. Most of the problems that arise with auth-proxy are caused by misconfiguration and lack of understanding. Work through the following questions to troubleshoot any auth-proxy-related issues.

Step 1.
Are you sending HTTP/HTTPS/FTP/Telnet traffic across the router or to the interface?

Be sure you are sending initial traffic across the router, not to the router's directly connected interface towards the client. The first packet must be routed to another interface of the router for the router to trigger auth-proxy. If you do not see the User Name and Password prompt for the auth-proxy, you may be sending packets to the interface of the router instead of through the interface.

Step 2.
Do you get the authentication prompt?

If you are sending the initial packets across the router and still don't get the authentication prompt, be sure you have applied the auth-proxy under the interface.

Step 3.
Is the incoming interface ACL allowing the first authentication packet to the interface?

You must define an inbound ACL on the interface facing the client so that it denies all the traffic that you want to authenticate. However, the client's HTTP/HTTPS/FTP/Telnet traffic must be permitted to the interface itself. Even though the client attempts a connection across the router, the router redirects that connection to the interface where auth-proxy is configured. Hence, the ACL applied on the interface where the auth-proxy name is applied should allow HTTP, HTTPS, Telnet, or FTP traffic from the auth-proxy client to the interface IP address. Otherwise, the connection request by the auth-proxy client across the router will be dropped by the ACL before it triggers auth-proxy. After the user is authenticated and authorized, the downloadable ACL from the AAA server decides which connections the router allows or denies for traffic that goes across the router.
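
The checks in Steps 2 and 3, as an added configuration example that is not taken from the original text. The addresses (192.0.2.0/24 clients, 192.0.2.1 interface), the rule name AUTHPROXY, ACL number 101, and the interface name are constructed for illustration, and only HTTP is shown as the triggering protocol.

```cisco
! Constructed values: clients in 192.0.2.0/24, router interface 192.0.2.1,
! rule name AUTHPROXY, ACL 101, interface FastEthernet0/0.
!
! Auth-proxy rule triggered by HTTP
ip auth-proxy name AUTHPROXY http
!
! Failing variant: with only the deny entry, the redirected login to
! 192.0.2.1 is dropped by the ACL and no prompt ever appears.
!   access-list 101 deny ip any any
!
! Working variant: permit the clients' HTTP to the interface address itself,
! then deny the traffic that must be authenticated first.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 host 192.0.2.1 eq www
access-list 101 deny ip any any
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ! Step 3: inbound ACL on the client-facing interface
 ip access-group 101 in
 ! Step 2: the auth-proxy rule must be applied under the interface
 ip auth-proxy AUTHPROXY
```

The match counters in `show access-lists 101` show whether the client's first packet hits the permit entry or the deny entry, and `show ip auth-proxy configuration` confirms that the rule is bound to the interface.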



Step 4.
If Steps 1 through 3 are verified and you get the authentication prompt, but authentication fails, the problem is with authentication and/or authorization (refer to Chapter 9, "Troubleshooting AAA on IOS Routers"). If you are having AAA issues, run debug aaa authentication, debug aaa authorization, and debug radius or debug tacacs; Table 5-5 will help in identifying the cause of the problem.