AAA and CNA?

robert_rhoads — Mon, 11 Mar 2019 01:21:38 GMT

I am trying to configure a 3750 switch for AAA? Telnet and SSH work fine but CNA and HTTP is not working. Both SSH and Telnet need to authenticate using RADIUS but CNA/HTTP needs to authenticate using a local account because the local administrator only uses the CNA for management and the admins in TACACS use CLI. Here is what I have so far.

aaa new-model

aaa authentication login default local group tacacs+

aaa authentication login con line

aaa authentication login http_auth local enable

aaa authorization config-commands

aaa authorization exec default local group tacacs+

aaa authorization exec http_auth local

aaa authorization commands 1 default local group tacacs+

aaa authorization commands 15 http_auth local

aaa authorization network default local group tacacs+

aaa accounting exec default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa session-id common

ip http authentication aaa login-authentication http_auth

ip http authentication aaa exec-authorization http_auth

ip http authentication aaa command-authorization 15 http_auth

tacacs-server host X.X.X.X

tacacs-server directed-request

tacacs-server key 7 XXXXX

The debugs show the connection authenticating correctly.

170536: 48w1d: HTTP AAA Login-Authentication List name: http_auth

170537: 48w1d: HTTP AAA Exec-Authorization List name: http_auth

170538: 48w1d: AAA/BIND(000003FA): Bind i/f

170539: 48w1d: AAA/AUTHEN/LOGIN (000003FA): Pick method list 'http_auth'

170540: 48w1d: AAA/AUTHOR (0x3FA): Pick method list 'http_auth'

170541: 48w1d: HTTP: Priv level authorization success priv_level: 15

170542: 48w1d: HTTP: Priv level granted 15

170543: 48w1d: AAA/BIND(000003FB): Bind i/f

170544: 48w1d: HTTP AAA Login-Authentication List name: http_auth

170545: 48w1d: HTTP AAA Exec-Authorization List name: http_auth

170546: 48w1d: AAA/BIND(000003FC): Bind i/f

170547: 48w1d: AAA/AUTHEN/LOGIN (000003FC): Pick method list 'http_auth'

170548: 48w1d: AAA/AUTHOR (0x3FC): Pick method list 'http_auth'

170549: 48w1d: HTTP: Priv level authorization success priv_level: 15

170550: 48w1d: HTTP: Priv level granted 15

170551: 48w1d: AAA/BIND(000003FD): Bind i/f

170552: 48w1d: AAA: parse name=tty0 idb type=-1 tty=-1

170553: 48w1d: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0

170554: 48w1d: AAA/MEMORY: create_user (0x632D26C) user='granto-mark' ruser='Switch' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1 initial_task_id='0', vrf= (id=0)

170555: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Port='tty0' list='' service=CMD

170556: 48w1d: AAA/AUTHOR/CMD: tty0 (1941738464) user='granto-mark'

170557: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV service=shell

170558: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd=show

170559: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=version

170560: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=<cr>

170561: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): found list "default"

170562: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Method=LOCAL

170563: 48w1d: AAA/AUTHOR (1941738464): Post authorization status = PASS_ADD

170564: 48w1d: AAA/MEMORY: free_user (0x632D26C) user='granto-mark' ruser='Switch' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1

170565: 48w1d: HTTP AAA Login-Authentication List name: http_auth

170566: 48w1d: HTTP AAA Exec-Authorization List name: http_auth

170567: 48w1d: AAA/BIND(000003FE): Bind i/f

170568: 48w1d: AAA/AUTHEN/LOGIN (000003FE): Pick method list 'http_auth'

170569: 48w1d: AAA/AUTHOR (0x3FE): Pick method list 'http_auth'

170570: 48w1d: HTTP: Priv level authorization success priv_level: 15

170571: 48w1d: HTTP: Priv level granted 15

170572: 48w1d: AAA/BIND(000003FF): Bind i/f

170573: 48w1d: HTTP AAA Login-Authentication List name: http_auth

170574: 48w1d: HTTP AAA Exec-Authorization List name: http_auth

170575: 48w1d: AAA/BIND(00000400): Bind i/f

170576: 48w1d: AAA/AUTHEN/LOGIN (00000400): Pick method list 'http_auth'

170577: 48w1d: AAA/AUTHOR (0x400): Pick method list 'http_auth'

170578: 48w1d: HTTP: Priv level authorization success priv_level: 15

170579: 48w1d: HTTP: Priv level granted 15

170580: 48w1d: AAA/BIND(00000401): Bind i/f

Any help would be appriciated.

Thanks,

Robert

AAA and CNA?

robert_rhoads — Fri, 02 Sep 2011 14:55:29 GMT

Upgrading the 3750's to c3750-ipservicesk9-mz.122-55.SE3 fixed the problem. The configuration above is the one that is working. Now my problem is that everythign was working but I upgraded my 2960's to c2960-lanbasek9-mz.122-58.SE2 to keep them at the same version as me 3750's and the authentication is broken.

AAA and CNA?

ACOA-CISCO — Mon, 20 Feb 2012 16:05:55 GMT

Good day.

Have you made any progress? I currently have an issue similar to yours with the IOS upgrade. Please see the link below to my discussion.

Sincerely,

Marc

https://supportforums.cisco.com/message/3562335#3562335

topic AAA and CNA? in Network Access Control

AAA and CNA?

AAA and CNA?

AAA and CNA?