https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752310#M292338 <HTML><HEAD></HEAD><BODY><P>Yes, my radius server is set to return the privilege level 15 using vendor specific and the value shell:priv-lvl=15.&nbsp; I do not have any issues with this setup, and gaining telnet access to our routers.&nbsp; HTTP access is working, but only grants level 1.&nbsp; </P></BODY></HTML> Mon, 29 Aug 2011 21:10:33 GMT rmessina 2011-08-29T21:10:33Z https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752308#M292297 <P>Accessing the access point via telnet radius authentication works with no problems.&nbsp; When I access via secure http I can authenticate, but I get level 1 or read access only.&nbsp; Can someone assist.&nbsp; Below is the config for the device.&nbsp; </P><P></P><P>no service pad</P><P>service tcp-keepalives-in</P><P>service timestamps debug datetime msec localtime show-timezone</P><P>service timestamps log datetime msec localtime show-timezone</P><P>service password-encryption</P><P>service sequence-numbers</P><P>!</P><P>hostname xxxx</P><P>!</P><P>logging buffered 16000 debugging</P><P>no logging console</P><P>no logging monitor</P><P>enable secret xxxxx</P><P>!</P><P>aaa new-model</P><P>!</P><P>!</P><P>aaa authentication login default group radius local</P><P>aaa authentication enable default enable</P><P>aaa authorization exec default group radius if-authenticated</P><P>!</P><P>aaa session-id common</P><P>clock timezone CST -6</P><P>clock summer-time CDT recurring</P><P>no ip source-route</P><P>no ip gratuitous-arps</P><P>ip tcp synwait-time 10</P><P>ip domain name xxxxx</P><P>ip name-server 10.5.10.20</P><P>ip name-server 10.5.10.19</P><P>!</P><P>!</P><P>!</P><P>dot11 ssid 150Wireless</P><P>&nbsp;&nbsp; vlan 102</P><P>&nbsp;&nbsp; authentication open</P><P>&nbsp;&nbsp; authentication key-management wpa version 2</P><P>&nbsp;&nbsp; wpa-psk ascii xxxxx</P><P>!</P><P>power inline negotiation prestandard source</P><P>!</P><P>crypto pki trustpoint TP-self-signed</P><P>!</P><P>!</P><P>crypto pki certificate chain TP-self-signed</P><P></P><P>username xxxx privilege 15 secret xxxxx</P><P>!</P><P>bridge irb</P><P>!</P><P>!</P><P>interface Dot11Radio0</P><P> no ip address</P><P> no ip route-cache</P><P> !</P><P> encryption vlan 102 mode ciphers aes-ccm</P><P> !</P><P> ssid xxxx</P><P> !</P><P> station-role root</P><P>!</P><P>interface Dot11Radio0.102</P><P> encapsulation dot1Q 102 native</P><P> no ip route-cache</P><P> bridge-group 1</P><P> bridge-group 1 subscriber-loop-control</P><P> bridge-group 1 block-unknown-source</P><P> no bridge-group 1 source-learning</P><P> no bridge-group 1 unicast-flooding</P><P> bridge-group 1 spanning-disabled</P><P>!</P><P>interface Dot11Radio1</P><P> no ip address</P><P> no ip route-cache</P><P> !</P><P> encryption vlan 102 mode ciphers aes-ccm</P><P> !</P><P> ssid xxxx</P><P> !</P><P> dfs band 3 block</P><P> channel dfs</P><P> station-role root</P><P>!</P><P>interface Dot11Radio1.102</P><P> encapsulation dot1Q 102 native</P><P> no ip route-cache</P><P> bridge-group 1</P><P> bridge-group 1 subscriber-loop-control</P><P> bridge-group 1 block-unknown-source</P><P> no bridge-group 1 source-learning</P><P> no bridge-group 1 unicast-flooding</P><P> bridge-group 1 spanning-disabled</P><P>!</P><P>interface FastEthernet0</P><P> no ip address</P><P> no ip route-cache</P><P> duplex auto</P><P> speed auto</P><P>!</P><P>interface FastEthernet0.102</P><P> encapsulation dot1Q 102 native</P><P> no ip route-cache</P><P> bridge-group 1</P><P> no bridge-group 1 source-learning</P><P> bridge-group 1 spanning-disabled</P><P>!</P><P>interface BVI1</P><P> ip address 10.5.102.6 255.255.255.0</P><P> no ip route-cache</P><P>!</P><P>ip default-gateway 10.5.102.1</P><P>no ip http server</P><P>ip http authentication aaa</P><P>ip http secure-server</P><P><SPAN>ip http help-path </SPAN><A class="jive-link-external-small" href="http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag" target="_blank">http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag</A></P><P>ip radius source-interface BVI1</P><P>logging trap debugging</P><P>logging 10.20.1.5</P><P>access-list 1 remark VTY Access</P><P>access-list 1 permit 10.20.0.0 0.0.3.255</P><P>access-list 1 permit 10.20.4.0 0.0.0.255</P><P>access-list 1 permit 10.20.100.0 0.0.0.255</P><P>access-list 1 permit 10.20.128.0 0.0.3.255</P><P>access-list 2 remark SNMP to NOC</P><P>access-list 2 permit 10.20.1.5</P><P>access-list 2 deny&nbsp;&nbsp; any log</P><P>snmp-server community xxxxx RO 2</P><P>snmp-server community xxxxx RW 2</P><P>snmp-server enable traps tty</P><P>radius-server host xx auth-port 1645 acct-port 1646</P><P>radius-server host xx auth-port 1645 acct-port 1646</P><P>radius-server key xxxxxx</P><P>bridge 1 route ip</P><P>!</P><P>!</P><P>!</P><P>line con 0</P><P> exec-timeout 5 0</P><P> logging synchronous</P><P> transport output all</P><P>line vty 0 4</P><P> access-class 1 in</P><P> exec-timeout 9 0</P><P> transport input telnet</P><P> transport output all</P><P>line vty 5 15</P><P> access-class 1 in</P><P> exec-timeout 9 0</P><P> transport input telnet</P><P> transport output all</P><P>!</P><P>scheduler interval 500</P><P>sntp server 10.20.0.1</P><P>sntp broadcast client</P><P>end</P> Mon, 11 Mar 2019 01:19:29 GMT https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752308#M292297 rmessina 2019-03-11T01:19:29Z https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752309#M292320 <HTML><HEAD></HEAD><BODY><P>Hi Randy,</P><P></P><P>does your RADIUS server return the privilege level 15 as part of the authorization info? ([009\001] cisco-av-pair : "shell:priv-lvl=15")</P><P>You will need for this in order to authorize access to the GUI,&nbsp; as the commands used to compile the web page output require high&nbsp; privilege.</P><P></P><P>I hope this helps.</P><P></P><P>Regards,</P><P>Federico</P></BODY></HTML> Mon, 29 Aug 2011 10:37:06 GMT https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752309#M292320 Federico Lovison 2011-08-29T10:37:06Z https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752310#M292338 <HTML><HEAD></HEAD><BODY><P>Yes, my radius server is set to return the privilege level 15 using vendor specific and the value shell:priv-lvl=15.&nbsp; I do not have any issues with this setup, and gaining telnet access to our routers.&nbsp; HTTP access is working, but only grants level 1.&nbsp; </P></BODY></HTML> Mon, 29 Aug 2011 21:10:33 GMT https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752310#M292338 rmessina 2011-08-29T21:10:33Z https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752311#M292364 <HTML><HEAD></HEAD><BODY><P>Have you tried:</P><P></P><P>ip http secure-server aaa</P><P></P><P>Cheers,</P><P></P><P>Fabio</P></BODY></HTML> Tue, 30 Aug 2011 04:47:44 GMT https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752311#M292364 Fabio Francisco 2011-08-30T04:47:44Z https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752312#M292389 <HTML><HEAD></HEAD><BODY><P>That is not a valid command in my IOS version.&nbsp; </P></BODY></HTML> Tue, 30 Aug 2011 13:06:33 GMT https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752312#M292389 rmessina 2011-08-30T13:06:33Z https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752313#M292407 <HTML><HEAD></HEAD><BODY><P>Add to your configuration:</P><P></P><P>aaa authorization exec web group radius local</P><P></P><P>ip http authentication aaa exec-authorization web</P><P></P><P>See if that helps.</P></BODY></HTML> Wed, 31 Aug 2011 14:08:42 GMT https://community.cisco.com/t5/network-access-control/http-authentication/m-p/1752313#M292407 Javier Henderson 2011-08-31T14:08:42Z