AAA problem accessing 6500/CSM GUI with SecurID

james.robertson
Level 1

Hi Guys,

Currently having trouble with AAA auth using SecurID tokens when trying to access the built-in Ciscoview (v1.1) for the 6500 and CSM.

The current AAA works absolutely fine when telnetting to the device using SecurID, and I have set up http authentication to a local account. Bringing up the initial homepage for the 6500 also works fine using the local account - as soon as I try to access the CSM or 6500 I get prompted for the level 15 telnet authentication (which should be SecurID and works normally), but if I enter this it just loops and asks for the credentials again.

I've pasted the aaa config below:

aaa new-model
aaa authentication login default group tacacs+ enable
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default stop-only group tacacs+
!
tacacs-server host x.x.16.28
tacacs-server timeout 10
tacacs-server directed-request

I've attached the debug aaa auth files

I have proved it works fine by disabling the CSAuth service on the ACS box, rolling the whole lot back to the local enable password. This works and I can access the Ciscoview pages as expected.

Any ideas?

James Robertson

2 Replies

Vivek Santuka
Cisco Employee

Hi James,

For http authentication via tacacs+ we will need to have the following:

1. aaa authorization exec default group tacacs+ local

2. the user/user's group should have "privilege level" (under TACACS+ Settings) selected and set to 15.

Basically http authentication requires the user to have privilege 15 assigned by the tacacs server.

Thanks vsantuka,

I do not have a problem with the http auth - this is covered with a local auth account to get the initial GUI up and running.

The GUI itself uses Telnet to get the running config to display the details. It's this part of the auth that fails. Straight telnet from the same box works fine, but trying to use the GUI it fails.

Thanks

James Robertson