Verifying and Troubleshooting AP

After you have configured AP, you can use various show, clear, and debug commands to examine and troubleshoot your configuration. The following sections cover the use of these commands.

show Commands

These are the basic show commands that you use for AP:

  • show [ip] access-list? Displays the router's ACLs, including dynamic entries created by AP

  • show ip auth-proxy configuration? Displays the AP configuration on the router

  • show ip auth-proxy cache? Displays the status of users who are being authenticated or who have authenticated

  • show ip auth-proxy watch-list? Displays information in the watch list

I look at the show ip access-list command first. Example 14-4 shows a sample of this command before a user has authenticated (this ACL is applied inbound on the external interface).

Example 14-4. An ACL Before AP Occurs

Router# show ip access-list

Extended IP access list 100

 permit tcp any host eq www

 deny ip any any

In Example 14-4, only traffic to the internal web server ( is allowed. This is required for AP to work. Example 14-5 shows simple output after a user successfully has authenticated.

Example 14-5. An ACL After AP Occurs

Router# show ip access-list

Extended IP access list 100

! Here are the dynamic ACL entries created from the 

!     user's authentication.

 permit icmp host

 permit tcp host eq www

 permit tcp any host eq www (64 matches)

 deny ip any any

As you can see in Example 14-5, two dynamic ACL entries were created for user

To view your router's AP configuration, use the show ip auth-proxy command, as shown in Example 14-6.

Example 14-6. Viewing Your Router's AP Configuration

router# show ip auth-proxy configuration

Authentication global cache time is 60 minutes

Authentication global absolute time is 0 minutes

Authentication Proxy Rule Configuration

  Auth-proxy name AP-rules

    http list not specified auth-cache-timeout 60 minutes

In Example 14-6, only one policy was created: AP-rules. This policy did not specify an ACL and did not change the timers for the policy.

After you have configured AP, have a user initiate a connection that will cause AP to function. When the user authenticates, you can see the authenticated user information with the show ip auth-proxy cache command, as shown in Example 14-7.

Example 14-7. Viewing Authenticated AP Cached User Information

Router# show ip auth-proxy cache

Authentication Proxy Cache

 Client IP Port 32835, timeout 60, state HTTP_ESTAB

As you can see in Example 14-7, one user ( has been authenticated through HTTP (HTTP_ESTAB). HTTP_ESTAB indicates that the client successfully was authenticated through HTTP.

To see information in the watch list, assuming that you have enabled this feature, use the command shown in Example 14-8.

Example 14-8. Viewing AP's Watch List

Router# show ip auth-proxy watch-list

Authentication Proxy Watch-list is enabled

Watch-list expiry timeout is 30 minutes

Total number of watch-list entries: 2

 Source IP       Type         Violation-count       MAX_RETRY    MAX_LIMIT       CFGED        N/A

Total number of watch-listed users: 2

In Example 14-8, the first line of output shows that watch lists are enabled; and the second line shows the expiry timeout. Currently, two entries are in the table. The first entry,, was placed there because the user tried to authenticate and failed, exceeding the maximum login threshold. The second entry manually was added to the watch list (CFGED).

clear Commands

This section covers two clear commands that AP supports. As I mentioned earlier, authenticated users remain in AP's cache until either the idle or the absolute (if enabled) expire for the user. However, you manually can remove an AP entry from the router's cache by using the following clear command:

Router# clear ip auth-proxy cache {* | user's_IP_address}

If you use the *, all entries are cleared; if you specify a user's IP address, only that IP address is cleared from the router's AP cache. When a user is cleared from the cache, all corresponding dynamic ACL entries are removed and the user must reauthenticate to access previously authorized resources.

The second clear command deals with watch lists:

Router# clear ip auth-proxy watch-list {user's_IP_address | *}

In this example, you can clear a specific user or all users from the watch list (blacklist). This command clears manually entered watch-list entries as well as those that the Cisco IOS dynamically put there because of failed authentication attempts.

debug Commands

For detailed troubleshooting of AP, you can use the debug ip auth-proxy command. Here is the syntax for this command:

Router# debug ip auth-proxy {ftp | function-trace | http |

  object-creation | object-deletion | tcp | telnet | timer}

Table 14-2 describes the parameters for this command.

Table 14-2. Options for the debug ip auth-proxy Command




FTP AP events are shown.


AP functions are shown (this command typically is not used, unless by Cisco TAC personnel).


HTTP AP events are shown.


New AP cache entries are shown.


Removed AP cache entries are shown.


TCP AP events are shown.


Telnet AP events are shown.


AP events related to timers are shown.