https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130980#M23307 <HTML><HEAD></HEAD><BODY><P>Exactly my issue too, which begs the question of what the "ft-port" command actually does if you don't need it to get FT working...</P><P></P><P>Andrew.</P><P></P></BODY></HTML> Wed, 22 Oct 2008 14:57:54 GMT andrew.burns 2008-10-22T14:57:54Z https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130975#M23302 <P>I have AAA configured and working on an ACE 4710 appliance for SSH. The web interface only works with the local database. I don't see anything in the security guide about the web interface (only states telnet and ssh). Anyone else seeing this?</P> Wed, 22 Oct 2008 13:24:02 GMT https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130975#M23302 Collin Clark 2008-10-22T13:24:02Z https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130976#M23303 <HTML><HEAD></HEAD><BODY><P>Hi Collin,</P><P></P><P>It does work - I have two in our lab that I've set up for AAA and it works fine.</P><P></P><P>Check this out:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/UGadmin.html#wp1244296" target="_blank">http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/UGadmin.html#wp1244296</A></P><P></P><P>I only have one local user (admin) and all others on ACS Server, using this test ACE config:</P><P></P><P>tacacs-server host 1.2.3.4 key cisco</P><P>aaa group server tacacs+ TACACS</P><P> server 1.2.3.4</P><P>aaa authentication login default group TACACS local </P><P>aaa authentication login console none </P><P>aaa accounting default group TACACS local </P><P>aaa authentication login error-enable</P><P></P><P>ACS Server needs some special config though, which is detailed here:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wp1411787" target="_blank">http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wp1411787</A></P><P></P><P>HTH</P><P>Andrew.</P><P></P></BODY></HTML> Wed, 22 Oct 2008 14:12:54 GMT https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130976#M23303 andrew.burns 2008-10-22T14:12:54Z https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130977#M23304 <HTML><HEAD></HEAD><BODY><P>Andrew-</P><P></P><P>I had the correct config, except for the following line-</P><P></P><P>aaa accounting default group TACACS local </P><P></P><P>I don't understand how accounting would enable the WebUI AAA access, but it works now. Thanks.</P><P></P><P>Two ACEs in your lab? Lucky dog!</P></BODY></HTML> Wed, 22 Oct 2008 14:22:36 GMT https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130977#M23304 Collin Clark 2008-10-22T14:22:36Z https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130978#M23305 <HTML><HEAD></HEAD><BODY><P>that wouldn't be the first bit of CLI weirdness - I need two ACE's to validate that the FT works and I've yet to have an explanation of why I need to change the native VLAN to get FT working....</P><P></P><P>Andrew.</P><P></P></BODY></HTML> Wed, 22 Oct 2008 14:29:50 GMT https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130978#M23305 andrew.burns 2008-10-22T14:29:50Z https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130979#M23306 <HTML><HEAD></HEAD><BODY><P>I had some trouble with FT as well and opened a case up. I was configuring FT as below-</P><P></P><P>interface gigabitEthernet 1/3</P><P> description FT Access Port</P><P> speed 100M</P><P> duplex FULL</P><P> ft-port vlan 200 </P><P> no shutdown</P><P></P><P>I was receiving a ton of errors on my switch ports. I hard set everything, auto everything, and still a bunch of errors. I then tried to trunk on my switch ports and they came up just fine. In the WebUI I could not set the port to trunk or switch (both grayed out) and I got an error stating it was an FT port and you can't configure it. After some more troubleshooting, we found out that the ft-port command forces the port in trunk mode (TAC wanted the port in switchport mode). By removing the ft-port command, you can set the port to switchport and set it to whatever vlan you want. Here is my current working port config-</P><P></P><P>interface gigabitEthernet 1/3</P><P> description FT Access Port</P><P> speed 100M</P><P> duplex FULL</P><P> switchport access vlan 200</P><P> no shutdown</P><P></P><P>When I asked for an explanation, they stated that the fact about the ft-port forces it to trunk and that option is there in case you want to trunk your FT traffic with your data traffic!</P><P></P></BODY></HTML> Wed, 22 Oct 2008 14:39:48 GMT https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130979#M23306 Collin Clark 2008-10-22T14:39:48Z https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130980#M23307 <HTML><HEAD></HEAD><BODY><P>Exactly my issue too, which begs the question of what the "ft-port" command actually does if you don't need it to get FT working...</P><P></P><P>Andrew.</P><P></P></BODY></HTML> Wed, 22 Oct 2008 14:57:54 GMT https://community.cisco.com/t5/application-networking/aaa-on-webui-4710/m-p/1130980#M23307 andrew.burns 2008-10-22T14:57:54Z