topic Re: IOS Configuration for HTTP(S) AAA (SDM) in Network Access Control

IOS Configuration for HTTP(S) AAA (SDM)

Justin Shore — Sun, 10 Mar 2019 22:37:10 GMT

I'm having trouble getting the internal HTTPS server to use AAA for authentication. I have a working AAA setup for VTY access using TACACS+ but I can't seem to get HTTPS to work.

aaa new-model

aaa authentication login console none

aaa authentication login netauth group tacacs+ local

aaa authorization exec default none

aaa accounting delay-start

aaa accounting exec netacc start-stop group tacacs+

aaa accounting commands 15 netacc stop-only group tacacs+

aaa accounting connection netacc start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

aaa session-id common

no ip http server

ip http access-class 99

ip http authentication aaa login-authentication netauth

ip http secure-server

The only "aaa authorization" line was added during troubleshooting. I don't use authorization.

TACACS is working fine and ACL 99 permits my source IP. A debug of ip http auth gives me this after entering my credentials:

095897: Jan 25 10:35:18.262 CST: HTTP AAA Login-Authentication List name: netauth

095898: Jan 25 10:35:18.262 CST: HTTP AAA picking up Exec-Authorization List name: default

095899: Jan 25 10:35:18.302 CST: HTTP: Authentication failed for level 15

I tried both a valid userid/passwd configured on the TACACS server as well as a local userid/passwd on the router (I use 'local' as a backup to TACACS). The TACACS server logs show a successful auth attempt. The router in question is running 12.4(15)T2 but I've run into this problem on numerous 12.4 and 12.3 releases for years.

I've run into this dozens of times in as many networks. I've never found a solution other than to use local auth and forget AAA. What am I missing?

Thanks

Justin

Re: IOS Configuration for HTTP(S) AAA (SDM)

Jagdeep Gambhir — Fri, 25 Jan 2008 18:53:30 GMT

For Http access you need to have priv 15 defined for that user. And add authorization command

aaa authorization exec defult tacacs if-authenticated

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Regards,

~JG

Do rate helpful posts

Re: IOS Configuration for HTTP(S) AAA (SDM)

Justin Shore — Fri, 25 Jan 2008 19:43:38 GMT

JG,

Thanks for the reply. We don't use ACS here. We use an open-source TACACS+ server. So besides authentication the IOS HTTPS server requires authorization as well?

Thanks

Justin

Re: IOS Configuration for HTTP(S) AAA (SDM)

Jagdeep Gambhir — Fri, 25 Jan 2008 20:36:22 GMT

Yes, need authorization also. Priv lvl falls under authorization head.

Regards,

~JG

Re: IOS Configuration for HTTP(S) AAA (SDM)

jeff-nelson — Thu, 24 Apr 2008 13:24:58 GMT

I had the exact same problem with HTTP login when trying to use the Cisco SDM v2.5 installation. The AAA and IP HTTP server information at this link was very helpful:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml

In my environment, by adding the following I was able to get the SDM to login using AAA an d TACACS:

aaa authorization exec default group tacacs+ local

ip http authentication aaa login-authentication default

-- Jeff