cisco swith webui login with 802.1x account
hello everyone, I enabled the 802.1x login function in the switch3650, and it is sucessful on the ssh login, but the webui login is failed.
The log is:
WEBSERVER-5-LOGIN_FAILED: Switch 1 R0/0: nginx: Login Un-Successful frorm host xx.xx.xx.xx using crypto cipher 'ECDHE-RSA-AES128-GCM-SHA256
show ip http server is:
ip http server
ip http authentication aaa
ip http secure-server
Thanks for your feedback!
- 标签:
-
交换机
提前说明一下,使用aaa认证并非802.1x,802.1x是基于端口给客户端做访问控制的协议。我猜你应该是想使用外部的身份源来做登录认证吧
先给你提供一下我所做的部分配置。
---同样也是cat3650,版本:16.6.8---
demo-sw#sh run aaa ##输出内容基于配置顺序做了一下调整
!
aaa new-model
!
radius server ise1
address ipv4 10.0.3.251 auth-port 1645 acct-port 1646
key 7 14141B180F0B7B7977
!
aaa group server radius ISE_Group
server name ise1
!
aaa authentication login default group ISE_Group
aaa authentication login WEB group ISE_Group local
aaa authentication login VTY line
aaa authorization exec default group ISE_Group
aaa authorization exec WEB group ISE_Group
!
demo-sw#
demo-sw#sh run | in http
ip http server
ip http authentication aaa
ip http secure-server
ip http secure-trustpoint localtrust
demo-sw#
测试结果跟你的基本一致,在ise上可以看到authentication的结果是success,但交换机一侧一直是un-success。
我尝试使用下面命令指定auth list,但也不起作用
ip http authentication aaa login-authentication WEB
ip http authentication aaa exec-authorization WEB
!
同样的配置我在cat9200(版本17.15.03)上测试是可以成功登录的,只是默认权限应该是level1.
个人感觉像是版本的bug,不过目前没找到相关的bug id
!
基于这个问题,目前有两个解决方向:
1. 升级设备,cat3650支持的最后一个版本应该是16.12.x,但目前我没测试高版本是否也存在同样的问题,另外升级需要重启设备,存在一定风险
2. 改为" ip http authentication local" 使用username xxx secret xxx privi xx 创建本地账号用户登录
目前就只能帮到你这些。
====
Note: AAA authentication is not the same as 802.1X. 802.1X is a port-based access control protocol.
I assume you want to use an external identity source for login authentication.
Below is part of my configuration for your reference:
--- Catalyst 3650, running IOS-XE version 16.6.8 ---
demo-sw# show run aaa ## Output has been reordered slightly for clarity based on configuration sequence
!
aaa new-model
!
radius server ise1
address ipv4 10.0.3.251 auth-port 1645 acct-port 1646
key 7 14141B180F0B7B7977
!
aaa group server radius ISE_Group
server name ise1
!
aaa authentication login default group ISE_Group
aaa authentication login WEB group ISE_Group local
aaa authentication login VTY line
aaa authorization exec default group ISE_Group
aaa authorization exec WEB group ISE_Group
!
demo-sw# show run | include http
ip http server
ip http authentication aaa
ip http secure-server
ip http secure-trustpoint localtrust
demo-sw#
However, on the switch side, the Web UI login still fails, even though ISE shows authentication success.
I also tried explicitly specifying the authentication method list with the following commands, but it didn’t help:
ip http authentication aaa login-authentication WEB
ip http authentication aaa exec-authorization WEB
Interestingly, the exact same configuration works perfectly on a Catalyst 9200 running IOS-XE version 17.15.03—users can log in successfully via the web interface (though the default privilege level appears to be level 1).
This leads me to suspect it might be a software bug specific to the 16.6.8 release (or the 16.x train in general), although I haven’t found a relevant Cisco Bug ID to confirm this yet.
Finally,there are currently two potential workarounds:
1. Upgrade the device software: The last supported version for the Catalyst 3650 is 16.12.x. However, I haven’t tested whether this issue persists in higher 16.x releases. Note that upgrading requires a reboot and carries operational risk.
Switch to local HTTP authentication:
2. Use ip http authentication local and create local user accounts with appropriate privileges, e.g.:
username admin secret MyPassword privilege 15
That’s all I can offer for now.I hope it helps!
yes, maybe you are right, my description is not very clear, the issue is that I want to use AD account to login webui of swich3650, some configurion is already wrote to switch, and the NPS serice is running successfuly, the ip ssh authentication with AD account is effective.Only the webui authentication wih AD account is failed.
再补充一些测试信息,在radius认证的模式下
我同时做了以下调试:
'debug ip http all'
'debug aaa authentication'
'debug aaa authorization'
在配置外部认证之后,aaa的报文显示需要AUTHOR-TYPE= 'commands'的设置,但是只有tacacs+支持commands授权,所以WEB登录使用radius认证基本没戏(AD/NPS/ISE...)
17.x可能这个功能又做了调整,所以之前使用cat9200测试的时候是可以正常登录的。
下面是我debug收集的部分信息:
=====
Dec 26 2025 10:06:15.059 CST: send ecrypt response msg: 0xAACB12E718, params 0xAACB12E508, ipc_channel 163
Dec 26 2025 10:06:15.059 CST: Length of marshalled msg 311
Dec 26 2025 10:06:15.060 CST: Encrypt response message send succeeded
Dec 26 2025 10:06:15.554 CST: AAA/BIND(00008CD5): Bind i/f
Dec 26 2025 10:06:15.554 CST: AAA/BIND(00008CD6): Bind i/f
Dec 26 2025 10:06:15.572 CST: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 1 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:06:16.032 CST: AAA/BIND(00008CD7): Bind i/f
Dec 26 2025 10:06:16.032 CST: AAA/BIND(00008CD8): Bind i/f
Dec 26 2025 10:06:16.034 CST: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:06:22.163 CST: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Dec 26 2025 10:06:22.311 CST: AAA/AUTHOR (0x0): Pick method list 'default'
Dec 26 2025 10:06:22.784 CST: AAA/BIND(00008CD9): Bind i/f
Dec 26 2025 10:06:22.785 CST: AAA/BIND(00008CDA): Bind i/f
Dec 26 2025 10:06:22.800 CST: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 1 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:06:23.259 CST: AAA/BIND(00008CDB): Bind i/f
Dec 26 2025 10:06:23.260 CST: AAA/BIND(00008CDC): Bind i/f
Dec 26 2025 10:06:23.262 CST: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 15 list= '' AUTHOR-TYPE= 'commands'
demo-sw(config)#
Dec 26 2025 10:07:17.517 CST: AAA/BIND(00008CDD): Bind i/f
Dec 26 2025 10:07:17.518 CST: AAA/BIND(00008CDE): Bind i/f
Dec 26 2025 10:07:17.535 CST: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 1 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:07:18.009 CST: AAA/BIND(00008CDF): Bind i/f
Dec 26 2025 10:07:18.010 CST: AAA/BIND(00008CE0): Bind i/f
Dec 26 2025 10:07:18.013 CST: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:07:18.018 CST: HTTP:Enable sock read fd 4 failed
demo-sw(config)#
demo-sw#
Dec 26 2025 10:07:55.884 CST: AAA/AUTHOR: auth_need : user= 'ilay' ruser= 'demo-sw'rem_addr= '10.1.32.113' priv= 0 list= '' AUTHOR-TYPE= 'commands'
demo-sw#
demo-sw#
Dec 26 2025 10:07:55.885 CST: %SYS-5-CONFIG_I: Configured from console by ilay on vty1 (10.1.32.113)
demo-sw#sh run aaa
!
aaa authentication login default group ISE_Group
aaa authentication login WEB group ISE_Group local
aaa authentication login VTY group ISE_Group local
aaa authorization exec default group ISE_Group
aaa authorization exec WEB group ISE_Group
aaa authorization exec VTY group ISE_Group none
!
!
radius server ise1
address ipv4 10.0.3.251 auth-port 1645 acct-port 1646
key 7 14141B180F0B7B7977
!
!
aaa group server radius ISE_Group
server name ise1
!
aaa new-model
aaa session-id common
!
!
demo-sw# sh run
Dec 26 2025 10:07:58.335 CST: AAA/AUTHOR: auth_need : user= 'ilay' ruser= 'demo-sw'rem_addr= '10.1.32.113' priv= 1 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:07:58.335 CST: AAA/AUTHOR: auth_need : user= 'ilay' ruser= 'demo-sw'rem_addr= '10.1.32.113' priv= 15 list= '' AUTHOR-TYPE= 'commands'
demo-sw# sh run | in http
destination transport-method http
rsakeypair http-key
ip http server
ip http authentication aaa
ip http secure-server
ip http secure-trustpoint localtrust
demo-sw#
=====
按照上面说的tacacs+支持原始的command授权,但我做了配置之后更绝望的事情出现了,web界面依赖的一个内置用户'copyrightbanneruser'也需要授权,但是ise上并没有创建这个用户,所以我用tacacs+也没验证成功=_=#。
不过额外测试出来一点有意思的事情,当我在CLI调整command授权设置的时候(例如:no ip http authentication aaa command-authorization 15 TAC15)能短暂规避掉'opyrightbanneruser'的授权,让我能成功登录到WEB上(只有很短的几秒钟)
这样看来cat3650上使用外部账户做WEB登录并不太靠谱。
ps:测试前我更新了一下os版本,从16.6.8 更新到 16.9.8. 至于16.12.x等以后有机会再测试吧
附件是我debug的另外一些信息,仅供参考
=============
To add some test information, in RADIUS authentication mode, I performed the following debugging steps:
'debug ip http all'
'debug aaa authentication'
'debug aaa authorization'
After configuring external authentication, the aaa message indicates that AUTHOR-TYPE='commands' is required, but only TACACS+ supports command authorization. Therefore, using RADIUS authentication for web login is basically impossible (AD/NPS/ISE...).
This feature may have been adjusted in version 17.x, which is why it worked correctly when testing with cat9200 previously.
Below is some information I collected during debugging:
=====
Dec 26 2025 10:06:15.059 CST: send ecrypt response msg: 0xAACB12E718, params 0xAACB12E508, ipc_channel 163
Dec 26 2025 10:06:15.059 CST: Length of marshalled msg 311
Dec 26 2025 10:06:15.060 CST: Encrypt response message sent succeeded
Dec 26 2025 10:06:15.554 CST: AAA/BIND(00008CD5): Bind i/f
Dec 26 2025 10:06:15.554 CST: AAA/BIND(00008CD6): Bind i/f
Dec 26 2025 10:06:15.572 CST: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 1 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:06:16.032 CST: AAA/BIND(00008CD7): Bind i/f
Dec 26 2025 10:06:16.032 CST: AAA/BIND(00008CD8): Bind i/f
Dec 26 2025 10:06:16.034 CST: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:06:22.163 CST: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Dec 26 2025 10:06:22.311 CST: AAA/AUTHOR (0x0): Pick method list 'default'
Dec 26 2025 10:06:22.784 CST: AAA/BIND(00008CD9): Bind i/f
Dec 26 2025 10:06:22.785 CST: AAA/BIND(00008CDA): Bind i/f
Dec 26 2025 10:06:22.800 CST: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 1 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:06:23.259 CST: AAA/BIND(00008CDB): Bind i/f
Dec 26 2025 10:06:23.260 CST: AAA/BIND(00008CDC): Bind i/f
Dec 26 2025 10:06:23.262 CST: AAA/AUTHOR: auth_need: user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 15 list= '' AUTHOR-TYPE= 'commands'
demo-sw(config)#
Dec 26 2025 10:07:17.517 CST: AAA/BIND(00008CDD): Bind i/f
Dec 26 2025 10:07:17.518 CST: AAA/BIND(00008CDE): Bind i/f
Dec 26 2025 10:07:17.535 CST: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 1 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:07:18.009 CST: AAA/BIND(00008CDF): Bind i/f
Dec 26 2025 10:07:18.010 CST: AAA/BIND(00008CE0): Bind i/f
Dec 26 2025 10:07:18.013 CST: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'demo-sw'rem_addr= 'async' priv= 15 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:07:18.018 CST: HTTP:Enable sock read fd 4 failed
demo-sw(config)#
demo-sw#
Dec 26 2025 10:07:55.884 CST: AAA/AUTHOR: auth_need : user= 'ilay' ruser= 'demo-sw'rem_addr= '10.1.32.113' priv= 0 list= '' AUTHOR-TYPE= 'commands'
demo-sw#
demo-sw#
Dec 26 2025 10:07:55.885 CST: %SYS-5-CONFIG_I: Configured from console by ilay on vty1 (10.1.32.113)
demo-sw#sh run aaa
!
aaa authentication login default group ISE_Group
aaa authentication login WEB group ISE_Group local
aaa authentication login VTY group ISE_Group local
aaa authorization exec default group ISE_Group
aaa authorization exec WEB group ISE_Group
aaa authorization exec VTY group ISE_Group none
!
!
radius server ise1
address ipv4 10.0.3.251 auth-port 1645 acct-port 1646
key 7 14141B180F0B7B7977
!
!
aaa group server radius ISE_Group
server name ise1
!
aaa new-model
aaa session-id common
!
!
demo-sw# sh run
Dec 26 2025 10:07:58.335 CST: AAA/AUTHOR: auth_need : user= 'ilay' ruser= 'demo-sw'rem_addr= '10.1.32.113' priv= 1 list= '' AUTHOR-TYPE= 'commands'
Dec 26 2025 10:07:58.335 CST: AAA/AUTHOR: auth_need : user= 'ilay' ruser= 'demo-sw'rem_addr= '10.1.32.113' priv= 15 list= '' AUTHOR-TYPE= 'commands'
demo-sw# sh run | in http
destination transport-method http
rsakeypair http-key
ip http server
ip http authentication aaa
ip http secure-server
ip http secure-trustpoint localtrust demo-sw#
=====
As mentioned above, TACACS+ supports native command authorization. However, after configuring it, an even more frustrating situation arose: a built-in user 'copyrightbanneruser' that the web interface relies on also requires authorization. But this user wasn't created on the ISE, so TACACS+ authentication failed. =_=#
However, an interesting additional test revealed that when I adjusted the command authorization settings in the CLI (e.g., `no ip http authentication aaa command-authorization 15 TAC15`), I could briefly bypass the authorization for 'copyrightbanneruser', allowing me to successfully log in to the web interface (for only a few seconds).
This suggests that using external accounts for web login on the Cat3650 is not very reliable.
ps: Before testing, I updated the OS version from 16.6.8 to 16.9.8. I'll test 16.12.x later when I have the chance.
Attached is some additional debugging information for reference only.
make sure you have configured AAA configuration correctly
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization defaulttry below commands :
no crypto pki trustpoint TP-self-signed
ip http secure-serverNPS side make sure the prv set correctly
shell:priv-lvl=15
lastly try rstarting web server :
no ip http secure-server
ip http secure-server
=====Preenayamo Vasudevam=====
***** Rate All Helpful Responses *****
provide more debug and logs what is not working, since i provided what worked for us
=====Preenayamo Vasudevam=====
***** Rate All Helpful Responses *****
This is a classic scenario where authentication works for one service (SSH) but authorization or specific attributes are missing for another (WebUI). The fact that SSH login with AD accounts is successful indicates your core AAA configuration (NPS server, RADIUS shared secret, AD integration, aaa new-model, aaa authentication login default group radius local, radius-server host ...) is largely correct.
The WEBSERVER-5-LOGIN_FAILED log entry means the switch's web server component (nginx) is rejecting the login after it attempts to process it, likely due to insufficient authorization or a missing privilege level.
Here's a breakdown of what's likely happening and how to fix it:
The Problem: Missing AAA Authorization for WebUI Access (Privilege Level)
While ip http authentication aaa tells the web server to use AAA for authentication, it doesn't automatically grant the necessary privilege level (usually privilege 15 for full admin access) to the authenticated user. SSH often defaults to privilege 1 if no authorization is explicitly defined, which is usually enough to get a basic prompt, but WebUI requires higher privileges to function.
You need to ensure two things:
1. The switch is configured to authorize users via AAA for EXEC (shell/UI) access.
2. Your NPS server is sending the correct RADIUS attribute to grant privilege 15 to the AD user.
---
Solution Steps:
1. Configure AAA Authorization on the Switch:
This command tells the switch to ask the RADIUS server (and then the local database as a fallback) what privilege level the user should have after successful authentication for "exec" (shell/UI) access.
configure terminal
aaa authorization exec default group radius local
end
write memory* aaa authorization exec: Specifies authorization for EXEC sessions (including console, vty, SSH, and WebUI).
* default: Applies this method list to all EXEC sessions unless a specific one is defined.
* group radius: Tries the RADIUS server first.
* local: If the RADIUS server is unreachable or doesn't respond, it falls back to the local username database.
2. Configure NPS to Send privilege 15:
Your NPS policy for the switch needs to send a RADIUS attribute that tells the Cisco device to grant privilege 15 to the authenticated user.
* On your NPS server:
1. Open Network Policy Server.
2. Navigate to Policies > Network Policies.
3. Edit the Network Policy that applies to your Cisco 3650 switch (the one allowing access based on your AD group).
4. Go to the Settings tab.
5. Scroll down and select Vendor Specific attributes.
6. Click Add.
7. Select Vendor-Specific and then Add.
8. Select Cisco as the Vendor.
9. Click Add Vendor Specific.
10. Select Cisco-AV-Pair as the attribute.
11. For the Attribute value, enter: shell:priv-lvl=15
* Important: Ensure there are no leading/trailing spaces.
12. Click OK on all the windows to save the changes.
* Explanation of shell:priv-lvl=15: This Cisco-specific AV-Pair (Attribute-Value Pair) tells the Cisco device that the authenticated user should be granted privilege 15, which is the highest privilege level and allows full administrative access.
3. Test the Configuration:
After making these changes, try logging into the WebUI again with your AD account.
4. Troubleshooting Steps (If it still fails):
* Test AAA on the Switch:
test aaa group radius <your_ad_username> <your_ad_password> new-code
* Look for "Authentication successful." and "Authorization successful."
* Crucially, check the output for "User privilege level is 15." If it's 1, 0, or missing, the NPS attribute is not being sent or applied correctly.
* Check NPS Logs:
* On your NPS server, open Event Viewer and go to Custom Views > Server Roles > Network Policy and Access Services.
* Look for recent events related to the authentication attempts from your switch. It will show if the policy was matched, if authentication was successful, and what attributes were sent.
* Debug AAA on the Switch:
terminal monitor
debug aaa authentication
debug aaa authorization
debug radius
* Try logging in again. Look for messages indicating RADIUS packets being sent and received, and especially the authorization decision and the privilege level assigned.
* no debug all when you're done.
* Clear Browser Cache/Incognito Mode: Sometimes browser caching of old credentials can interfere. Try an incognito window or clear your browser's cache.
Summary of Required Configuration:
On the Switch (3650):
aaa new-model
!
aaa authentication login default group radius local
aaa authorization exec default group radius local
!
radius server <RADIUS_SERVER_NAME>
address ipv4 <NPS_SERVER_IP> auth-port 1812 acct-port 1813
key <SHARED_SECRET>
!
radius-server host <NPS_SERVER_IP> auth-port 1812 acct-port 1813 key <SHARED_SECRET>
!
ip http server
ip http authentication aaa
ip http secure-serverOn the NPS Server (Network Policy):
* Conditions: Match your switch's IP, AD user group, etc.
* Settings > Vendor Specific > Add > Cisco-AV-Pair:
* shell:priv-lvl=15
By implementing these changes, your AD users should be able to successfully authenticate and authorize with privilege 15 for WebUI access on your Cisco 3650 switch.
Rockyw | If it solves your problem, please mark as answer. Thanks !
