topic Configure HTTP Login Authentication use Radius/Ace Server SecurID Tokens in Network Access Control

Configure HTTP Login Authentication use Radius/Ace Server SecurID Tokens

DWAM_2 — Sun, 10 Mar 2019 14:25:05 GMT

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Hello,

I want to configure an http login authentication on 2950 or router using Radius and ACE Server SecurID Tokens with OTP (One Time Password).

2950 Configuration :

router#sh run

version 12.1

hostname router

aaa new-model

aaa authentication login default group radius

aaa authentication login vtymethod_radius group radius

aaa authorization exec default group radius

aaa authorization exec vtymethod_radius group radius

enable password xxxxxxxxx

interface Vlan1

ip address 10.2.2.129 255.255.0.0

ip http server

ip http authentication aaa

radius-server host 172.18.1.26 auth-port 1645 acct-port 1646

radius-server retransmit 3

radius-server key xxxxxxxxxx

line con 0

stopbits 1

line vty 0

exec-timeout 0 0

privilege level 15

password xxxxxxxxxxx

line vty 1 4

exec-timeout 0 0

privilege level 15

password xxxxxxxxxx

authorization exec vtymethod_radius

line vty 5 15

end

router#

My ACE and radius Server has IP : 172.18.1.25.

When I use static password configured on my ACE, there is no problem to connect with http.

I launch my browser : http://10.2.2.129.

It asked me the login and password : I use static password : xxxxxxxxxxxx - 1234

I arrive at :

Cisco Systems

Accessing Cisco WS-routerC-24 "router"

I click on Web Console - Manage the Switch through the web interface.

It asked again the password : xxxxxxxxxxxx - 1234

And that's OK.

Follow the trace when it's works (You can remark that between 2950 et Radius/ACE Server there is

for all download objects a change of the static password)

router#

Jul 23 12:34:44.991: AAA/MEMORY: create_user (0x80CCE1EC) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0

Jul 23 12:34:44.991: AAA/AUTHEN/START (2836047894): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN

Jul 23 12:34:44.995: AAA/AUTHEN/START (2836047894): found list vtymethod_radius

Jul 23 12:34:44.995: AAA/AUTHEN/START (2836047894): Method=radius (radius)

Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): status = GETUSER

Jul 23 12:34:44.995: AAA/AUTHEN/CONT (2836047894): continue_login (user='(undef)')

Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): status = GETUSER

Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): Method=radius (radius)

Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): status = GETPASS

Jul 23 12:34:44.999: AAA/AUTHEN/CONT (2836047894): continue_login (user='xxxxxxxxxxxx')

Jul 23 12:34:44.999: AAA/AUTHEN (2836047894): status = GETPASS

Jul 23 12:34:44.999: AAA/AUTHEN (2836047894): Method=radius (radius)

Jul 23 12:34:44.999: RADIUS: ustruct sharecount=1

Jul 23 12:34:45.003: RADIUS: Initial Transmit tty5 id 179 172.18.1.26:1645, Access-Request, len 74

Jul 23 12:34:45.003: Attribute 4 6 0A020281

Jul 23 12:34:45.003: Attribute 5 6 00000005

Jul 23 12:34:45.003: Attribute 61 6 00000005

Jul 23 12:34:45.003: Attribute 1 5 6477611F

Jul 23 12:34:45.003: Attribute 31 13 3137322E

Jul 23 12:34:45.003: Attribute 2 18 39852A89

Jul 23 12:34:47.107: RADIUS: Received from id 179 172.18.1.26:1645, Access-Accept, len 52

Jul 23 12:34:47.107: Attribute 18 21 50415353

Jul 23 12:34:47.107: Attribute 6 6 00000006

Jul 23 12:34:47.107: Attribute 1 5 64776164

Jul 23 12:34:47.107: RADIUS: saved authorization data for user 80CCE1EC at 80CCE358

Jul 23 12:34:47.111: AAA/AUTHEN (2836047894): status = PASS

Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): Port='tty5' list='vtymethod_radius' service=EXEC

Jul 23 12:34:47.111: AAA/AUTHOR/HTTP: tty5 (2755968236) user='xxxxxxxxxxxx'

Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): send AV service=shell

Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): send AV cmd*

Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): found list "vtymethod_radius"

Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): Method=radius (radius)

Jul 23 12:34:47.115: AAA/AUTHOR (2755968236): Post authorization status = PASS_ADD

Jul 23 12:34:47.115: HTTP: received GET ''

Jul 23 12:34:47.159: AAA/MEMORY: free_user (0x80CCE1EC) user='xxxxxxxxxxxx' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0

Jul 23 12:34:48.915: HTTP: parsed uri '/homepage.htm'

Jul 23 12:34:48.915: HTTP: client version 1.0

Jul 23 12:34:48.915: HTTP: parsed extension Accept

Jul 23 12:34:48.915: HTTP: parsed extension Referer

Jul 23 12:34:48.915: HTTP: parsed extension Accept-Language

Jul 23 12:34:48.915: HTTP: parsed extension User-Agent

Jul 23 12:34:48.919: HTTP: parsed extension Authorization

Jul 23 12:34:48.919: HTTP: parsed authorization type Basic

Jul 23 12:34:48.919: HTTP: parsed extension Via

Jul 23 12:34:48.919: HTTP: parsed extension X-Forwarded-For

Jul 23 12:34:48.919: HTTP: parsed extension Host

Jul 23 12:34:48.919: HTTP: parsed extension Cache-Control

Jul 23 12:34:48.919: HTTP: parsed extension Connection

Jul 23 12:34:48.923: HTTP: Authentication for url '/homepage.htm' '/homepage.htm' level 15 privless '/homepage.htm'

Jul 23 12:34:48.923: HTTP: Authentication username = 'xxxxxxxxxxxx' priv-level = 15 auth-type = aaa

Jul 23 12:34:48.923: AAA: parse name=tty5 idb type=-1 tty=-1

Jul 23 12:34:48.923: AAA: name=tty5 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=5 channel=0

Jul 23 12:34:48.923: AAA/MEMORY: create_user (0x80D514A8) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0

Jul 23 12:34:48.923: AAA/AUTHEN/START (3860340525): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN

Jul 23 12:34:48.927: AAA/AUTHEN/START (3860340525): found list vtymethod_radius

Jul 23 12:34:48.927: AAA/AUTHEN/START (3860340525): Method=radius (radius)

Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): status = GETUSER

Jul 23 12:34:48.927: AAA/AUTHEN/CONT (3860340525): continue_login (user='(undef)')

Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): status = GETUSER

Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): Method=radius (radius)

Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): status = GETPASS

Jul 23 12:34:48.931: AAA/AUTHEN/CONT (3860340525): continue_login (user='xxxxxxxxxxxx')

Jul 23 12:34:48.931: AAA/AUTHEN (3860340525): status = GETPASS

Jul 23 12:34:48.931: AAA/AUTHEN (3860340525): Method=radius (radius)

Jul 23 12:34:48.931: RADIUS: ustruct sharecount=1

Jul 23 12:34:48.935: RADIUS: Initial Transmit tty5 id 180 172.18.1.26:1645, Access-Request, len 74

Jul 23 12:34:48.935: Attribute 4 6 0A020281

Jul 23 12:34:48.935: Attribute 5 6 00000005

Jul 23 12:34:48.935: Attribute 61 6 00000005

Jul 23 12:34:48.935: Attribute 1 5 6477611F

Jul 23 12:34:48.935: Attribute 31 13 3137322E

Jul 23 12:34:48.935: Attribute 2 18 9C378E51

Jul 23 12:34:51.047: RADIUS: Received from id 180 172.18.1.26:1645, Access-Accept, len 52

Jul 23 12:34:51.047: Attribute 18 21 50415353

Jul 23 12:34:51.047: Attribute 6 6 00000006

Jul 23 12:34:51.047: Attribute 1 5 64776164

Jul 23 12:34:51.051: RADIUS: saved authorization data for user 80D514A8 at 80D51DE0

Jul 23 12:34:51.051: AAA/AUTHEN (3860340525): status = PASS

,etc ...

When I use OTP configured on my ACE, there is problem to connect with http.

I launch my browser : http://10.2.2.129.

It asked me the login and password : I use first OTP : bab - 8038249352

I arrive at

Cisco Systems

Accessing Cisco WS-routerC-24 "router"

I click on Web Console - Manage the Switch through the web interface.

It asked me again the password : bab - 8038948533

I download one java object and it's asked me again OTP for the follow objects.

I insert again the next OTP and so...

After many OTP,I have got an http error on my browser (Java.lang.IndexOutOfBoundsException : Index 0 , Size 0) with version 1.4.0 java.

Follow the trace when it doesn't works :

Re: Configure HTTP Login Authentication use Radius/Ace Server Se

DWAM_2 — Wed, 23 Jul 2003 09:21:29 GMT

C2950#

Jul 23 12:02:32.823: HTTP: parsed uri '/homepage.htm'

Jul 23 12:02:32.823: HTTP: client version 1.0

Jul 23 12:02:32.823: HTTP: parsed extension Accept

Jul 23 12:02:32.827: HTTP: parsed extension Referer

Jul 23 12:02:32.827: HTTP: parsed extension Accept-Language

Jul 23 12:02:32.827: HTTP: parsed extension User-Agent

Jul 23 12:02:32.827: HTTP: parsed extension Authorization

Jul 23 12:02:32.827: HTTP: parsed authorization type Basic

Jul 23 12:02:32.827: HTTP: parsed extension Via

Jul 23 12:02:32.827: HTTP: parsed extension X-Forwarded-For

Jul 23 12:02:32.831: HTTP: parsed extension Host

Jul 23 12:02:32.831: HTTP: parsed extension Cache-Control

Jul 23 12:02:32.831: HTTP: parsed extension Connection

Jul 23 12:02:32.831: HTTP: Authentication for url '/homepage.htm' '/homepage.htm' level 15 privless '/homepage.htm'

Jul 23 12:02:32.831: HTTP: Authentication username = 'bab' priv-level = 15 auth-type = aaa

Jul 23 12:02:32.831: AAA: parse name=tty5 idb type=-1 tty=-1

Jul 23 12:02:32.831: AAA: name=tty5 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=5 channel=0

Jul 23 12:02:32.835: AAA/MEMORY: create_user (0x80E0C820) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII serv

ice=LOGIN priv=0

Jul 23 12:02:32.835: AAA/AUTHEN/START (240300930): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN

Jul 23 12:02:32.835: AAA/AUTHEN/START (240300930): found list vtymethod_radius

Jul 23 12:02:32.835: AAA/AUTHEN/START (240300930): Method=radius (radius)

Jul 23 12:02:32.835: AAA/AUTHEN (240300930): status = GETUSER

Jul 23 12:02:32.835: AAA/AUTHEN/CONT (240300930): continue_login (user='(undef)')

Jul 23 12:02:32.835: AAA/AUTHEN (240300930): status = GETUSER

Jul 23 12:02:32.839: AAA/AUTHEN (240300930): Method=radius (radius)

Jul 23 12:02:32.839: AAA/AUTHEN (240300930): status = GETPASS

Jul 23 12:02:32.839: AAA/AUTHEN/CONT (240300930): continue_login (user='bab')

Jul 23 12:02:32.839: AAA/AUTHEN (240300930): status = GETPASS

Jul 23 12:02:32.839: AAA/AUTHEN (240300930): Method=radius (radius)

Jul 23 12:02:32.839: RADIUS: ustruct sharecount=1

Jul 23 12:02:32.843: RADIUS: Initial Transmit tty5 id 157 172.18.1.26:1645, Access-Request, len 74

Jul 23 12:02:32.847: Attribute 4 6 0A020281

Jul 23 12:02:32.847: Attribute 5 6 00000005

Jul 23 12:02:32.847: Attribute 61 6 00000005

Jul 23 12:02:32.847: Attribute 1 5 6261621F

Jul 23 12:02:32.847: Attribute 31 13 3137322E

Jul 23 12:02:32.847: Attribute 2 18 C385E406

Jul 23 12:02:35.875: RADIUS: Received from id 157 172.18.1.26:1645, Access-Reject, len 37

Jul 23 12:02:35.875: Attribute 18 17 41636365

Jul 23 12:02:35.879: RADIUS: saved authorization data for user 80E0C820 at 0

Jul 23 12:02:35.879: AAA/AUTHEN (240300930): status = FAIL

Jul 23 12:02:35.879: HTTP: Authentication failed

Jul 23 12:02:35.883: HTTP: authorization rejected

Jul 23 12:02:35.883: AAA/MEMORY: free_user (0x80E0C820) user='bab' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII ser

vice=LOGIN priv=0

Jul 23 12:02:54.684: HTTP: parsed uri '/homepage.htm'

Jul 23 12:02:54.684: HTTP: client version 1.0

Jul 23 12:02:54.684: HTTP: parsed extension Accept

Jul 23 12:02:54.684: HTTP: parsed extension Referer

Jul 23 12:02:54.684: HTTP: parsed extension Accept-Language

Jul 23 12:02:54.684: HTTP: parsed extension User-Agent

Jul 23 12:02:54.684: HTTP: parsed extension Authorization

Jul 23 12:02:54.684: HTTP: parsed authorization type Basic

Jul 23 12:02:54.688: HTTP: parsed extension Via

Jul 23 12:02:54.688: HTTP: parsed extension X-Forwarded-For

Jul 23 12:02:54.688: HTTP: parsed extension Host

Jul 23 12:02:54.688: HTTP: parsed extension Cache-Control

Jul 23 12:02:54.688: HTTP: parsed extension Connection

Jul 23 12:02:54.688: HTTP: Authentication for url '/homepage.htm' '/homepage.htm' level 15 privless '/homepage.htm'

Jul 23 12:02:54.688: HTTP: Authentication username = 'bab' priv-level = 15 auth-type = aaa

Jul 23 12:02:54.692: AAA: parse name=tty5 idb type=-1 tty=-1

Jul 23 12:02:54.692: AAA: name=tty5 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=5 channel=0

Jul 23 12:02:54.692: AAA/MEMORY: create_user (0x80E0CA64) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII serv

ice=LOGIN priv=0

Jul 23 12:02:54.692: AAA/AUTHEN/START (3621916037): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN

Jul 23 12:02:54.692: AAA/AUTHEN/START (3621916037): found list vtymethod_radius

Jul 23 12:02:54.692: AAA/AUTHEN/START (3621916037): Method=radius (radius)

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETUSER

Jul 23 12:02:54.696: AAA/AUTHEN/CONT (3621916037): continue_login (user='(undef)')

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETUSER

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): Method=radius (radius)

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETPASS

Jul 23 12:02:54.696: AAA/AUTHEN/CONT (3621916037): continue_login (user='bab')

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETPASS

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): Method=radius (radius)

Jul 23 12:02:54.700: RADIUS: ustruct sharecount=1

Jul 23 12:02:54.700: RADIUS: Initial Transmit tty5 id 158 172.18.1.26:1645, Access-Request, len 74

Jul 23 12:02:54.704: Attribute 4 6 0A020281

Jul 23 12:02:54.704: Attribute 5 6 00000005

Jul 23 12:02:54.704: Attribute 61 6 00000005

Jul 23 12:02:54.704: Attribute 1 5 6261621F

Jul 23 12:02:54.704: Attribute 31 13 3137322E

Jul 23 12:02:54.704: Attribute 2 18 3246801A

Jul 23 12:02:57.840: RADIUS: Received from id 158 172.18.1.26:1645, Access-Accept, len 52

Jul 23 12:02:57.840: Attribute 18 21 50415353

Jul 23 12:02:57.840: Attribute 6 6 00000006

Jul 23 12:02:57.840: Attribute 1 5 62616264

Jul 23 12:02:57.844: RADIUS: saved authorization data for user 80E0CA64 at 80D52EAC

Jul 23 12:02:57.844: AAA/AUTHEN (3621916037): status = PASS

FAIL FAIL PASS FAIL FAIL PASS...

Remarques :

-> when I use hyperterminal (vty) , it's work very good in both cases (OTP and Static Password)

-> I have try with different types of running jave (1.3.1 - 1.4.0 same results).

-> I have try on many PCs (172.17.6.20 - 172.18.1.116) -> no more good results.

So my questions are :

-> Is it possible to configure Login Authentication HTTP with Radius / Ace SecurID Token OTP ?

-> If yes, why it doens't work ?

Thank You..

Re: Configure HTTP Login Authentication use Radius/Ace Server Se

mhoda — Thu, 24 Jul 2003 21:15:31 GMT

Hello,

Unfortunatlely, web login whether its with the switch/router or PIX on PDM, one time password doesn't work due to multiple authentication requests, sorry!

Mynul

Re: Configure HTTP Login Authentication use Radius/Ace Server Se

DWAM_2 — Mon, 28 Jul 2003 08:57:58 GMT

Thank You for your answer.