After you have configured AP, you can use various show, clear, and debug commands to examine and troubleshoot your configuration. The following sections cover the use of these commands.
These are the basic show commands that you use for AP:
show [ip] access-list: Displays the router's ACLs, including dynamic entries created by AP
show ip auth-proxy configuration: Displays the AP configuration on the router
show ip auth-proxy cache: Displays the status of users who are being authenticated or who have authenticated
show ip auth-proxy watch-list: Displays information in the watch list
I look at the show ip access-list command first. Example 14-4 shows a sample of this command before a user has authenticated (this ACL is applied inbound on the external interface).
Router# show ip access-list
Extended IP access list 100
permit tcp any host 192.1.1.1 eq www
deny ip any any
In Example 14-4, only traffic to the internal web server (193.1.1.1) is allowed. This is required for AP to work. Example 14-5 shows simple output after a user successfully has authenticated.
Router# show ip access-list
Extended IP access list 100
! Here are the dynamic ACL entries created from the
! user's authentication.
permit icmp host 200.1.1.1 192.1.1.0 0.0.0.255
permit tcp host 200.1.1.1 192.1.1.2 eq www
permit tcp any host 192.1.1.1 eq www (64 matches)
deny ip any any
As you can see in Example 14-5, two dynamic ACL entries were created for user 200.1.1.1.
To view your router's AP configuration, use the show ip auth-proxy configuration command, as shown in Example 14-6.
router# show ip auth-proxy configuration
Authentication global cache time is 60 minutes
Authentication global absolute time is 0 minutes
Authentication Proxy Rule Configuration
Auth-proxy name AP-rules
http list not specified auth-cache-timeout 60 minutes
In Example 14-6, only one policy was created: AP-rules. This policy did not specify an ACL and did not change the timers for the policy.
After you have configured AP, have a user initiate a connection that will cause AP to function. When the user authenticates, you can see the authenticated user information with the show ip auth-proxy cache command, as shown in Example 14-7.
Router# show ip auth-proxy cache
Authentication Proxy Cache
Client IP 200.1.1.1 Port 32835, timeout 60, state HTTP_ESTAB
As you can see in Example 14-7, one user (200.1.1.1) has been authenticated through HTTP; the state HTTP_ESTAB indicates that the client was successfully authenticated through HTTP.
To see information in the watch list, assuming that you have enabled this feature, use the command shown in Example 14-8.
Router# show ip auth-proxy watch-list
Authentication Proxy Watch-list is enabled
Watch-list expiry timeout is 30 minutes
Total number of watch-list entries: 2
Source IP Type Violation-count
201.1.1.1 MAX_RETRY MAX_LIMIT
200.1.1.1 CFGED N/A
Total number of watch-listed users: 2
In Example 14-8, the first line of output shows that the watch list is enabled, and the second line shows the expiry timeout. Currently, two entries are in the table. The first entry, 201.1.1.1, was placed there because the user tried to authenticate and failed, exceeding the maximum login threshold. The second entry was added to the watch list manually (CFGED).
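As an added example (not code from the book), the following Python script parses the output formats shown in Examples 14-7 and 14-8 and reports the two conditions an operator reviewing AP state would want flagged: hosts locked out after exceeding the failed-login threshold (MAX_RETRY), and hosts that hold an authenticated cache entry while also sitting on the watch list. The sample output is constructed; the second cache line (200.1.1.7, state HTTP_INIT) is an assumed value, not one taken from the book.

```python
import re

# Constructed sample output modelled on Examples 14-7 and 14-8 (not captured from a router);
# the second cache line (200.1.1.7, state HTTP_INIT) is an assumed, not a book, value.
CACHE_OUTPUT = """\
Authentication Proxy Cache
 Client IP 200.1.1.1 Port 32835, timeout 60, state HTTP_ESTAB
 Client IP 200.1.1.7 Port 41020, timeout 60, state HTTP_INIT
"""
WATCHLIST_OUTPUT = """\
Authentication Proxy Watch-list is enabled
Watch-list expiry timeout is 30 minutes
Total number of watch-list entries: 2
  Source IP      Type      Violation-count
  201.1.1.1      MAX_RETRY MAX_LIMIT
  200.1.1.1      CFGED     N/A
Total number of watch-listed users: 2
"""

CACHE_RE = re.compile(r"Client IP (\S+) Port (\d+), timeout (\d+), state (\S+)")
WATCH_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\S+)\s+(\S+)\s*$", re.M)

def parse_cache(text):
    """One dict per 'Client IP ...' line of show ip auth-proxy cache."""
    return [{"ip": ip, "port": int(port), "timeout": int(tmo), "state": state}
            for ip, port, tmo, state in CACHE_RE.findall(text)]

def parse_watchlist(text):
    """Header fields of show ip auth-proxy watch-list plus one dict per entry row."""
    expiry = re.search(r"expiry timeout is (\d+) minutes", text)
    entries = [{"ip": ip, "type": typ, "violation": viol}
               for ip, typ, viol in WATCH_RE.findall(text)]
    return {"enabled": "Watch-list is enabled" in text,
            "expiry_minutes": int(expiry[1]) if expiry else None,
            "entries": entries}

def review(cache_text, watch_text):
    """Findings worth alerting on: lockouts from repeated failed logins, and
    hosts with an authenticated (HTTP_ESTAB) cache entry that are also watch-listed."""
    authenticated = {e["ip"] for e in parse_cache(cache_text) if e["state"] == "HTTP_ESTAB"}
    findings = []
    for e in parse_watchlist(watch_text)["entries"]:
        if e["type"] == "MAX_RETRY":
            findings.append(f"{e['ip']}: exceeded the login-attempt limit ({e['violation']})")
        if e["ip"] in authenticated:
            findings.append(f"{e['ip']}: watch-listed ({e['type']}) yet holds an HTTP_ESTAB cache entry")
    return findings
```

Feed it the real command output collected from the router (for example, over a scripted SSH session) in place of the constructed strings.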
This section covers the two clear commands that AP supports. As I mentioned earlier, authenticated users remain in AP's cache until either the idle timeout or the absolute timeout (if enabled) expires for the user. However, you can manually remove an AP entry from the router's cache by using the following clear command:
Router# clear ip auth-proxy cache {* | user's_IP_address}
If you use the *, all entries are cleared; if you specify a user's IP address, only that IP address is cleared from the router's AP cache. When a user is cleared from the cache, all corresponding dynamic ACL entries are removed and the user must reauthenticate to access previously authorized resources.
The second clear command deals with watch lists:
Router# clear ip auth-proxy watch-list {user's_IP_address | *}
With this command, you can clear a specific user or all users from the watch list (blacklist). It clears manually entered watch-list entries as well as those that Cisco IOS added dynamically because of failed authentication attempts.
For detailed troubleshooting of AP, you can use the debug ip auth-proxy command. Here is the syntax for this command:
Router# debug ip auth-proxy {ftp | function-trace | http | object-creation | object-deletion | tcp | telnet | timer}
Table 14-2 describes the parameters for this command.
Parameter | Description
--- | ---
ftp | FTP AP events are shown.
function-trace | AP functions are shown (typically used only by Cisco TAC personnel).
http | HTTP AP events are shown.
object-creation | New AP cache entries are shown.
object-deletion | Removed AP cache entries are shown.
tcp | TCP AP events are shown.
telnet | Telnet AP events are shown.
timer | AP events related to timers are shown.