topic Re: AP1200 + ACS + Enable in Network Access Control

AP1200 + ACS + Enable

Taruka001 — Sun, 10 Mar 2019 20:57:59 GMT

My goal is to be able to telnet to the AP1200 by using my Windows account. To make this possible I have configured the AP to use the ACS server for authentication and configured the ACS to verify the username and the password from an external database.

When I telnet I can log on with my Windows credentials but have priv 1. It does not matter what I do on the ACS server to get priv 15, it stay's priv 1.

User Setup > Advanced TACACS+ Settings > Max Privilige for any device (Level 15)

Tacacs+ Enable Password Either "Use External password" or "User separate password".

When I try to change to enable mode I get % Error in Authentication.

There is besides the obvious setting mentioned above not much to find on this topic.

Anybody any idea on what to check and try out?

Re: AP1200 + ACS + Enable

will.shaw — Wed, 12 Jan 2005 08:49:10 GMT

In the TACACS+ Settings section, have you ticked the 'Shell(exec)' option?

If yes then it could be an issue with the aaa config on the AP. Can you provide details of the aaa config on the AP?

Re: AP1200 + ACS + Enable

Taruka001 — Wed, 12 Jan 2005 09:51:46 GMT

Thanks for the answer.

The user I am logging on with is part of a group. The group has the setting Shell (exec) ticked (TACACS+ Settings), and I tried to specify the Privilige Level 15 but with no result.

With debug ip http authentication turned on I get a lot of the following.

*Mar 2 13:15:04.019: setting privlevel to 1

*Mar 2 13:15:04.019: HTTP: Authentication for url '/' '/' level 1 privless '/'

*Mar 2 13:15:04.021: HTTP: authentication required, no authentication information was provided

*Mar 2 13:15:09.471: setting privlevel to 1

*Mar 2 13:15:09.471: HTTP: Authentication for url '/' '/' level 1 privless '/'

*Mar 2 13:15:09.471: HTTP: Authentication username = 'my-user-name' priv-level = 1 auth-type = aaa

*Mar 2 13:15:09.777: setting privlevel to 1

*Mar 2 13:15:09.777: HTTP: Authentication for url '/config.js' '/config.js' level 1 privless '/config.js'

*Mar 2 13:15:09.778: HTTP: Authentication username = 'my-user-name' priv-level = 1 auth-type = a

But it allows me to get in.

When I click on "Security" in the webinterface I am prompted with the logon box. When I enter my credentials I get the following information in the debug window

*Mar 2 13:19:14.552: setting privlevel to 15

*Mar 2 13:19:14.552: HTTP: Authentication for url '/ap_sec.htm' '/ap_sec.htm' level 15 privless '/ap_sec.htm'

*Mar 2 13:19:14.552: HTTP: Authentication username = 'my-user-name' priv-level = 15 auth-type = aaa

*Mar 2 13:19:14.596: HTTP: Authentication failed

Does this help?

Re: AP1200 + ACS + Enable

will.shaw — Wed, 12 Jan 2005 10:22:15 GMT

Is there any information on the ACS in the TACACS+ Administration or the Failed attempts section?

Re: AP1200 + ACS + Enable

Taruka001 — Wed, 12 Jan 2005 10:37:50 GMT

Sorry, no messages in the failed authentication attempts. Only messages in the passed authentication attempts.

Re: AP1200 + ACS + Enable

will.shaw — Wed, 12 Jan 2005 10:56:37 GMT

Doubt this is an issue with your ACS server. Can you provide the aaa config? Also what have you set the 'ip http authentication' line to?

Which software version are you running?

Re: AP1200 + ACS + Enable

Taruka001 — Wed, 12 Jan 2005 11:17:31 GMT

Personally I am also starting the suspect the AP.

AP software is 12.2(13)JA1

The config on the AP for AAA is pasted below.

aaa new-model

aaa group server radius rad_eap

aaa group server radius rad_mac

aaa group server radius rad_acct

aaa group server radius rad_admin

server IPA.IPB.IPC.IPD auth-port 1645 acct-port 1646

aaa group server tacacs+ tac_admin

aaa group server radius rad_pmip

aaa group server radius dummy

aaa authentication login default local group tac_admin group rad_admin

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default local group tac_admin group rad_admin

aaa authorization ipmobile default group rad_pmip

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

radius-server host IPA.IPB.IPC.IPD auth-port 1645 acct-port 1646 key 7 ##################

radius-server attribute 32 include-in-access-req format %h

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

Re: AP1200 + ACS + Enable

will.shaw — Wed, 12 Jan 2005 11:34:23 GMT

You don't appear to be using tacacs+, just radius. Radius won't give you anymore than level1 access

try

aaa group server tacacs+ tac_admin

server ipa.ipb.ipc.ipd

ip http authentication aaa

tacacs-server host ipa.ipb.ipc.ipd key 7 ############

you will also need to define the AP on the ACS as a tacacs+ device as well as a radius device, this is possible if use a different name for the device on the ACS.

Re: AP1200 + ACS + Enable

Taruka001 — Thu, 13 Jan 2005 11:15:19 GMT

Oke, this is my config on the AP now.

aaa group server tacacs+ tac_admin

server A.B.C.D

aaa group server radius rad_pmip

aaa group server radius dummy

aaa group server radius rad_admin

server A.B.C.D auth-port 1645 acct-port 1646

aaa authentication login default local group tac_admin group rad_admin

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default local group tac_admin group rad_admin

aaa authorization ipmobile default group rad_pmip

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

tacacs-server host A.B.C.D key #########

tacacs-server directed-request

radius-server host A.B.C.D auth-port 1645 acct-port 1646 key 7 ############

radius-server attribute 32 include-in-access-req format %h

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

On the ACS server I have added a device with the same IP address as the AP but with a different name. Selected Authenticate Using TACACS+ (Cisco IOS) and added the devive to the same group. Restarted the ACS services and tried again.

It allows me to log on with the HTTP interface but on level 1. No failed attempts in the login. When I click on Security and provide the username and password it is not accepted. Again no message in the failed attempts but I do get one in the Passed Authentication log.

13/01/2005 12:16:27 Authen OK USERNAME CISCO Access Points A.B.C.D. tty2 E.F.G.H

Any more ideas for me to try? I am getting desperate.

Re: AP1200 + ACS + Enable

will.shaw — Thu, 13 Jan 2005 12:36:02 GMT

In your cisco ACS, check in the Tacacs+ accounting and the radius Accounting to see which is being used for the authentication.

Make sure in your AP config you are using the

#ip http authentication aaa

My aaa configuration is setup as the following:

aaa new-model

aaa group server radius rad_eap

server #.#.#.# auth-port 1645 acct-port 1646

aaa group server tacacs+ tac_admin

server #.#.#.#

aaa authentication login default local group tac_admin group rad_admin

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default local group tac_admin group rad_admin

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

tacacs-server host #.#.#.# key 7 #############

tacacs-server directed-request

radius-server attribute 32 include-in-access-req format %h

radius-server host #.#.#.# auth-port 1645 acct-port 1646 key #####

radius-server key 7 #####

radius-server vsa send accounting

ip http authentication aaa

Re: AP1200 + ACS + Enable

Taruka001 — Thu, 13 Jan 2005 13:52:35 GMT

Hi again,

The config is below. I did the commands you gave and it did not work. Nothing shows up in the RADIUS and TACACS accounting logs. No a single row.

aaa new-model

aaa group server radius rad_eap

server #.#.#.# auth-port 1645 acct-port 1646

aaa group server radius rad_mac

aaa group server radius rad_acct

aaa group server radius rad_admin

server #.#.#.# auth-port 1645 acct-port 1646

aaa group server tacacs+ tac_admin

server #.#.#.#

aaa group server radius rad_pmip

aaa group server radius dummy

aaa authentication login default local group tac_admin group rad_admin

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authorization exec default local group tac_admin group rad_admin

aaa authorization ipmobile default group rad_pmip

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

tacacs-server host #.#.#.# key SHARED-SECRET

tacacs-server directed-request

radius-server host #.#.#.# auth-port 1645 acct-port 1646 key 7 SHARED-SECRET

radius-server attribute 32 include-in-access-req format %h

radius-server key 7 shared_secret

radius-server authorization permit missing Service-Type

radius-server vsa send accounting

13/01/2005 14:46:45 Authen OK MYNAME CISCO Access Points A.B.C.D tty6 E.F.G.H

13/01/2005 14:47:26 Authen OK MYNAME CISCO Access Points A.B.C.D tty2 E.F.G.H

After the first login attempt I added rad_admin line as well. Still nothing in the logs and no level 15 access for me...

Re: AP1200 + ACS + Enable

will.shaw — Thu, 13 Jan 2005 14:06:22 GMT

You might want to raise a TAC on this one, it will be difficult to diagnose the issue without being able to debug etc and see the acs config etc.

It should work ok from what you've told me, however it still looks like it's using Radius to authenticate.

It doesn't look like your using radius for user authentication, if this is the case then I would take all the radius config off and work from a blank config. Make sure you configure a local username with level 15 access before doing this.

Re: AP1200 + ACS + Enable

Taruka001 — Thu, 13 Jan 2005 14:48:07 GMT

Thanks for your help... This morning a router 1600 was made redundant so I have 'stolen' it to work with this one.

According to all information everyhting is OK but for some reason it does not work.

I'll see what comes out of the TAC case.

Thanks again for the help

Re: AP1200 + ACS + Enable

simonstoll — Fri, 14 Jan 2005 15:29:28 GMT

If I understand you correct, you want to telnet on the device and logging in directly to the enable mode. That's the only thing you can do with Radius, there is no way to login first to user mode, then to go to enable mode with radius authentication. To do so, you have to send the following line as a Vendor Specific Attribute.

priv-level = 15

(I'm not 100% sure about the syntax, as I'm not the my office to check it out correctly)

you should find information about this in the AP Documentation.

Hope that helps you on your problem.

Simon

Re: AP1200 + ACS + Enable

dopenfield — Thu, 10 Feb 2005 17:26:30 GMT

Curious if you got any resolution from TAC, I'm seeing the same thing here.

The logs on the ACS server do show a passed authentication but authorization fail and the message on the telnet session says authentication unsuccessful. I can even remove the authorization line from the AAA config on the AP.

Also when I do a Show AAA Servers on the Radius server shows up not TACACS. I can do a show TACACS and show that the correct IP address is configured but all of the entries are 0.