Verifying and Troubleshooting AP

After you have configured AP, you can use various show, clear, and debug commands to examine and troubleshoot your configuration. The following sections cover the use of these commands.

show Commands

These are the basic show commands that you use for AP:

  • show [ip] access-list: Displays the router's ACLs, including dynamic entries created by AP

  • show ip auth-proxy configuration: Displays the AP configuration on the router

  • show ip auth-proxy cache: Displays the status of users who are being authenticated or who have authenticated

  • show ip auth-proxy watch-list: Displays information in the watch list

I look at the show ip access-list command first. Example 14-4 shows a sample of this command before a user has authenticated (this ACL is applied inbound on the external interface).

Example 14-4. An ACL Before AP Occurs

Router# show ip access-list
Extended IP access list 100
 permit tcp any host 192.1.1.1 eq www
 deny ip any any


In Example 14-4, only traffic to the internal web server (193.1.1.1) is allowed. This is required for AP to work. Example 14-5 shows simple output after a user successfully has authenticated.

Example 14-5. An ACL After AP Occurs

Router# show ip access-list
Extended IP access list 100
! Here are the dynamic ACL entries created from the
!     user's authentication.
 permit icmp host 200.1.1.1 192.1.1.0 0.0.0.255
 permit tcp host 200.1.1.1 192.1.1.2 eq www
 permit tcp any host 192.1.1.1 eq www (64 matches)
 deny ip any any


As you can see in Example 14-5, two dynamic ACL entries were created for user 200.1.1.1.

To view your router's AP configuration, use the show ip auth-proxy configuration command, as shown in Example 14-6.

Example 14-6. Viewing Your Router's AP Configuration

Router# show ip auth-proxy configuration
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Rule Configuration
  Auth-proxy name AP-rules
    http list not specified auth-cache-timeout 60 minutes


In Example 14-6, only one policy was created: AP-rules. This policy did not specify an ACL and did not change the timers for the policy.

After you have configured AP, have a user initiate a connection that will cause AP to function. When the user authenticates, you can see the authenticated user information with the show ip auth-proxy cache command, as shown in Example 14-7.

Example 14-7. Viewing Authenticated AP Cached User Information

Router# show ip auth-proxy cache
Authentication Proxy Cache
 Client IP 200.1.1.1 Port 32835, timeout 60, state HTTP_ESTAB


As you can see in Example 14-7, one user (200.1.1.1) has been authenticated through HTTP; the state HTTP_ESTAB indicates that the client was successfully authenticated through HTTP.
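The ACL and cache output in Examples 14-5 and 14-7 can be cross-checked mechanically: every per-host permit that AP inserted at the top of the ACL should belong to a client that is still in the cache in state HTTP_ESTAB. The following Python script is an added example, not from the chapter or from Cisco IOS; the sample output is constructed to mirror the book's format (plus one extra host), and the heuristic assumes the static ACL contains no per-host source permits of its own.

```python
import re

# Constructed sample output modelled on Examples 14-5 and 14-7, with an
# extra host (201.1.1.5) that has ACL entries but no cache entry.
ACL_OUTPUT = """Extended IP access list 100
 permit icmp host 200.1.1.1 192.1.1.0 0.0.0.255
 permit tcp host 200.1.1.1 192.1.1.2 eq www
 permit tcp host 201.1.1.5 192.1.1.2 eq www
 permit tcp any host 192.1.1.1 eq www (64 matches)
 deny ip any any
"""
CACHE_OUTPUT = """Authentication Proxy Cache
 Client IP 200.1.1.1 Port 32835, timeout 60, state HTTP_ESTAB
"""

# AP dynamic entries have the form "permit <proto> host <client> ...";
# a static rule such as "permit tcp any host ..." has "any" as its
# source and therefore does not match.
DYNAMIC_RE = re.compile(r"^\s*permit\s+\S+\s+host\s+(\d+\.\d+\.\d+\.\d+)\s")
CACHE_RE = re.compile(r"Client IP (\d+\.\d+\.\d+\.\d+) Port \d+, timeout \d+, state (\w+)")


def dynamic_entries(acl_text):
    """Map each source host to the ACL lines AP created for it."""
    entries = {}
    for line in acl_text.splitlines():
        m = DYNAMIC_RE.match(line)
        if m:
            entries.setdefault(m.group(1), []).append(line.strip())
    return entries


def cached_clients(cache_text):
    """Map each client IP in the AP cache to its state (e.g. HTTP_ESTAB)."""
    return {ip: state for ip, state in CACHE_RE.findall(cache_text)}


def audit(acl_text, cache_text):
    """Return (dynamic-entry count per client, clients whose dynamic ACL
    entries have no HTTP_ESTAB cache entry and therefore deserve a look)."""
    dyn = dynamic_entries(acl_text)
    cache = cached_clients(cache_text)
    counts = {ip: len(lines) for ip, lines in dyn.items()}
    orphans = sorted(ip for ip in dyn if cache.get(ip) != "HTTP_ESTAB")
    return counts, orphans


if __name__ == "__main__":
    print(audit(ACL_OUTPUT, CACHE_OUTPUT))
```

Paste the real output of show ip access-list and show ip auth-proxy cache into the two strings; a client reported as an orphan is a candidate for clear ip auth-proxy cache, discussed below.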

To see information in the watch list, assuming that you have enabled this feature, use the command shown in Example 14-8.

Example 14-8. Viewing AP's Watch List

Router# show ip auth-proxy watch-list
Authentication Proxy Watch-list is enabled
Watch-list expiry timeout is 30 minutes
Total number of watch-list entries: 2

 Source IP       Type         Violation-count
 201.1.1.1       MAX_RETRY    MAX_LIMIT
 200.1.1.1       CFGED        N/A
Total number of watch-listed users: 2


In Example 14-8, the first line of output shows that watch lists are enabled, and the second line shows the expiry timeout. Currently, two entries are in the table. The first entry, 201.1.1.1, was placed there because the user tried to authenticate and failed, exceeding the maximum login threshold (MAX_RETRY). The second entry was manually added to the watch list (CFGED).

clear Commands

This section covers two clear commands that AP supports. As I mentioned earlier, authenticated users remain in AP's cache until either the idle timer or the absolute timer (if enabled) expires for the user. However, you can manually remove an AP entry from the router's cache by using the following clear command:

Router# clear ip auth-proxy cache {* | user's_IP_address}


If you use the *, all entries are cleared; if you specify a user's IP address, only that IP address is cleared from the router's AP cache. When a user is cleared from the cache, all corresponding dynamic ACL entries are removed and the user must reauthenticate to access previously authorized resources.

The second clear command deals with watch lists:

Router# clear ip auth-proxy watch-list {user's_IP_address | *}


With this command, you can clear a specific user or all users from the watch list (blacklist). It clears manually entered watch-list entries as well as those that Cisco IOS dynamically placed there because of failed authentication attempts.

debug Commands

For detailed troubleshooting of AP, you can use the debug ip auth-proxy command. Here is the syntax for this command:

Router# debug ip auth-proxy {ftp | function-trace | http |
  object-creation | object-deletion | tcp | telnet | timer}


Table 14-2 describes the parameters for this command.

Table 14-2. Options for the debug ip auth-proxy Command

Parameter        Description
ftp              FTP AP events are shown.
function-trace   AP functions are shown (this command typically is not used, unless by Cisco TAC personnel).
http             HTTP AP events are shown.
object-creation  New AP cache entries are shown.
object-deletion  Removed AP cache entries are shown.
tcp              TCP AP events are shown.
telnet           Telnet AP events are shown.
timer            AP events related to timers are shown.