09-01-2011 07:45 AM - edited 03-10-2019 06:21 PM
I am trying to configure a 3750 switch for AAA. Telnet and SSH work fine, but CNA and HTTP are not working. Both SSH and Telnet need to authenticate using RADIUS, but CNA/HTTP needs to authenticate using a local account, because the local administrator only uses the CNA for management and the admins in TACACS use the CLI. Here is what I have so far.
aaa new-model
aaa authentication login default local group tacacs+
aaa authentication login con line
aaa authentication login http_auth local enable
aaa authorization config-commands
aaa authorization exec default local group tacacs+
aaa authorization exec http_auth local
aaa authorization commands 1 default local group tacacs+
aaa authorization commands 15 http_auth local
aaa authorization network default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication http_auth
ip http authentication aaa exec-authorization http_auth
ip http authentication aaa command-authorization 15 http_auth
tacacs-server host X.X.X.X
tacacs-server directed-request
tacacs-server key 7 XXXXX
The debugs show the connection authenticating correctly.
170536: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170537: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170538: 48w1d: AAA/BIND(000003FA): Bind i/f
170539: 48w1d: AAA/AUTHEN/LOGIN (000003FA): Pick method list 'http_auth'
170540: 48w1d: AAA/AUTHOR (0x3FA): Pick method list 'http_auth'
170541: 48w1d: HTTP: Priv level authorization success priv_level: 15
170542: 48w1d: HTTP: Priv level granted 15
170543: 48w1d: AAA/BIND(000003FB): Bind i/f
170544: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170545: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170546: 48w1d: AAA/BIND(000003FC): Bind i/f
170547: 48w1d: AAA/AUTHEN/LOGIN (000003FC): Pick method list 'http_auth'
170548: 48w1d: AAA/AUTHOR (0x3FC): Pick method list 'http_auth'
170549: 48w1d: HTTP: Priv level authorization success priv_level: 15
170550: 48w1d: HTTP: Priv level granted 15
170551: 48w1d: AAA/BIND(000003FD): Bind i/f
170552: 48w1d: AAA: parse name=tty0 idb type=-1 tty=-1
170553: 48w1d: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
170554: 48w1d: AAA/MEMORY: create_user (0x632D26C) user='granto-mark' ruser='Switch' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1 initial_task_id='0', vrf= (id=0)
170555: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Port='tty0' list='' service=CMD
170556: 48w1d: AAA/AUTHOR/CMD: tty0 (1941738464) user='granto-mark'
170557: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV service=shell
170558: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd=show
170559: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=version
170560: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=<cr>
170561: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): found list "default"
170562: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Method=LOCAL
170563: 48w1d: AAA/AUTHOR (1941738464): Post authorization status = PASS_ADD
170564: 48w1d: AAA/MEMORY: free_user (0x632D26C) user='granto-mark' ruser='Switch' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=1
170565: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170566: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170567: 48w1d: AAA/BIND(000003FE): Bind i/f
170568: 48w1d: AAA/AUTHEN/LOGIN (000003FE): Pick method list 'http_auth'
170569: 48w1d: AAA/AUTHOR (0x3FE): Pick method list 'http_auth'
170570: 48w1d: HTTP: Priv level authorization success priv_level: 15
170571: 48w1d: HTTP: Priv level granted 15
170572: 48w1d: AAA/BIND(000003FF): Bind i/f
170573: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170574: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170575: 48w1d: AAA/BIND(00000400): Bind i/f
170576: 48w1d: AAA/AUTHEN/LOGIN (00000400): Pick method list 'http_auth'
170577: 48w1d: AAA/AUTHOR (0x400): Pick method list 'http_auth'
170578: 48w1d: HTTP: Priv level authorization success priv_level: 15
170579: 48w1d: HTTP: Priv level granted 15
170580: 48w1d: AAA/BIND(00000401): Bind i/f
Any help would be appreciated.
Thanks,
Robert
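The debug in the post above is long, and the question it actually answers is which method list each request was evaluated against and what privilege it was granted. The script below is an added example (editor's code, not from the poster or from Cisco) that parses `debug aaa authentication` / `debug aaa authorization` / `debug ip http aaa` style lines into per-session records and flags any HTTP login or command authorization that was not evaluated against the named HTTP list. The embedded sample is a subset of the debug lines from the post above; the regexes assume the line formats shown there and nothing else.

```python
"""Summarise Cisco IOS AAA debug output: which method list each HTTP login
and each command authorization used, and what privilege was granted."""
import re

# Sample input: a subset of the debug lines quoted in the post above.
SAMPLE_DEBUG = """\
170536: 48w1d: HTTP AAA Login-Authentication List name: http_auth
170537: 48w1d: HTTP AAA Exec-Authorization List name: http_auth
170538: 48w1d: AAA/BIND(000003FA): Bind i/f
170539: 48w1d: AAA/AUTHEN/LOGIN (000003FA): Pick method list 'http_auth'
170540: 48w1d: AAA/AUTHOR (0x3FA): Pick method list 'http_auth'
170541: 48w1d: HTTP: Priv level authorization success priv_level: 15
170542: 48w1d: HTTP: Priv level granted 15
170546: 48w1d: AAA/BIND(000003FC): Bind i/f
170547: 48w1d: AAA/AUTHEN/LOGIN (000003FC): Pick method list 'http_auth'
170548: 48w1d: AAA/AUTHOR (0x3FC): Pick method list 'http_auth'
170549: 48w1d: HTTP: Priv level authorization success priv_level: 15
170550: 48w1d: HTTP: Priv level granted 15
170555: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Port='tty0' list='' service=CMD
170556: 48w1d: AAA/AUTHOR/CMD: tty0 (1941738464) user='granto-mark'
170557: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV service=shell
170558: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd=show
170559: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=version
170560: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): send AV cmd-arg=<cr>
170561: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): found list "default"
170562: 48w1d: tty0 AAA/AUTHOR/CMD (1941738464): Method=LOCAL
170563: 48w1d: AAA/AUTHOR (1941738464): Post authorization status = PASS_ADD
"""

# Login/exec authorization ids are hex (zero-padded or 0x-prefixed); command
# authorization ids are decimal. Both are normalised to int below.
RE_LOGIN = re.compile(r"AAA/AUTHEN/LOGIN \((?P<sid>[0-9A-Fa-f]+)\): Pick method list '(?P<lst>\w+)'")
RE_EXEC = re.compile(r"AAA/AUTHOR \(0x(?P<sid>[0-9A-Fa-f]+)\): Pick method list '(?P<lst>\w+)'")
RE_PRIV = re.compile(r"HTTP: Priv level granted (?P<priv>\d+)")
RE_CMD_ID = re.compile(r"\((?P<cid>\d+)\)")
RE_USER = re.compile(r"user='(?P<v>[^']*)'")
RE_AV = re.compile(r"send AV cmd(?:-arg)?=(?P<v>\S+)")
RE_LIST = re.compile(r'found list "(?P<v>[^"]*)"')
RE_METHOD = re.compile(r"Method=(?P<v>\w+)")
RE_STATUS = re.compile(r"Post authorization status = (?P<v>\w+)")


def _new_login(sid):
    return {"id": sid, "authen_list": None, "exec_list": None, "priv": None}


def parse_aaa_debug(text):
    """Return {'logins': [...], 'commands': [...]} built from the debug lines."""
    logins, cmds, current = {}, {}, None
    for line in text.splitlines():
        if m := RE_LOGIN.search(line):
            sid = int(m["sid"], 16)
            current = logins.setdefault(sid, _new_login(sid))
            current["authen_list"] = m["lst"]
        elif m := RE_EXEC.search(line):
            sid = int(m["sid"], 16)
            current = logins.setdefault(sid, _new_login(sid))
            current["exec_list"] = m["lst"]
        elif (m := RE_PRIV.search(line)) and current is not None:
            # 'Priv level granted' carries no id; attach it to the session just seen.
            current["priv"] = int(m["priv"])
        elif "AAA/AUTHOR/CMD" in line or "Post authorization status" in line:
            m = RE_CMD_ID.search(line)
            if not m:
                continue
            cid = int(m["cid"])
            rec = cmds.setdefault(cid, {"id": cid, "user": None, "cmd": [],
                                        "list": None, "method": None, "status": None})
            if m := RE_USER.search(line):
                rec["user"] = m["v"]
            if (m := RE_AV.search(line)) and m["v"] != "<cr>":
                rec["cmd"].append(m["v"])          # cmd= then cmd-arg= tokens, in order
            if m := RE_LIST.search(line):
                rec["list"] = m["v"]
            if m := RE_METHOD.search(line):
                rec["method"] = m["v"]
            if m := RE_STATUS.search(line):
                rec["status"] = m["v"]
    for rec in cmds.values():
        rec["cmd"] = " ".join(rec["cmd"])
    return {"logins": [logins[k] for k in sorted(logins)],
            "commands": [cmds[k] for k in sorted(cmds)]}


def off_list_events(parsed, http_list):
    """Every login phase or command authorization NOT evaluated against http_list.
    A list of 'default' (or None) means the request fell through to the default list."""
    findings = []
    for rec in parsed["logins"]:
        for phase in ("authen_list", "exec_list"):
            if rec[phase] != http_list:
                findings.append(("login", rec["id"], phase, rec[phase]))
    for rec in parsed["commands"]:
        if rec["list"] != http_list:
            findings.append(("command", rec["id"], rec["cmd"], rec["list"]))
    return findings


if __name__ == "__main__":
    parsed = parse_aaa_debug(SAMPLE_DEBUG)
    for rec in parsed["logins"]:
        print(f"login 0x{rec['id']:X}: authen={rec['authen_list']} exec={rec['exec_list']} priv={rec['priv']}")
    for rec in parsed["commands"]:
        print(f"command {rec['id']}: user={rec['user']} '{rec['cmd']}' list={rec['list']} method={rec['method']} status={rec['status']}")
    for f in off_list_events(parsed, "http_auth"):
        print("NOTE: not evaluated against http_auth:", f)
```

Run over the sample, both logins show `http_auth` for authentication and exec authorization with privilege 15 granted, and the one command authorization (`show version`, requested at priv 1) is reported as `list=default method=LOCAL`. That is consistent with the posted config: `ip http authentication aaa command-authorization 15 http_auth` binds the named list to HTTP only for level-15 commands, so a level-1 command is checked against `aaa authorization commands 1 default local group tacacs+`, whose first method is `local`. Feeding the same script the debug from an SSH or Telnet session shows at a glance whether those sessions picked `default` (and therefore tried `local` before `group tacacs+`) rather than the server the admins are expected to hit.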
09-02-2011 07:55 AM
Upgrading the 3750's to c3750-ipservicesk9-mz.122-55.SE3 fixed the problem. The configuration above is the one that is working. Now my problem is that everything was working, but I upgraded my 2960's to c2960-lanbasek9-mz.122-58.SE2 to keep them at the same version as my 3750's, and the authentication is broken.
02-20-2012 08:05 AM
Good day.
Have you made any progress? I currently have an issue similar to yours with the IOS upgrade. Please see the link below to my discussion.
Sincerely,
Marc