AP1200 + ACS + Enable

Taruka001
Level 1

My goal is to be able to telnet to the AP1200 by using my Windows account. To make this possible I have configured the AP to use the ACS server for authentication and configured the ACS to verify the username and the password from an external database.

When I telnet I can log on with my Windows credentials but have priv 1. It does not matter what I do on the ACS server to get priv 15, it stays priv 1.

User Setup > Advanced TACACS+ Settings > Max Privilege for any device (Level 15)

TACACS+ Enable Password: either "Use External password" or "Use separate password".

When I try to change to enable mode I get % Error in Authentication.

There is besides the obvious setting mentioned above not much to find on this topic.

Anybody any idea on what to check and try out?

14 Replies

will.shaw
Level 1

In the TACACS+ Settings section, have you ticked the 'Shell(exec)' option?

If yes then it could be an issue with the aaa config on the AP. Can you provide details of the aaa config on the AP?

Thanks for the answer.

The user I am logging on with is part of a group. The group has the setting Shell (exec) ticked (TACACS+ Settings), and I tried to specify the Privilege Level 15 but with no result.

With debug ip http authentication turned on I get a lot of the following.

*Mar 2 13:15:04.019: setting privlevel to 1
*Mar 2 13:15:04.019: HTTP: Authentication for url '/' '/' level 1 privless '/'
*Mar 2 13:15:04.021: HTTP: authentication required, no authentication information was provided
*Mar 2 13:15:09.471: setting privlevel to 1
*Mar 2 13:15:09.471: HTTP: Authentication for url '/' '/' level 1 privless '/'
*Mar 2 13:15:09.471: HTTP: Authentication username = 'my-user-name' priv-level = 1 auth-type = aaa
*Mar 2 13:15:09.777: setting privlevel to 1
*Mar 2 13:15:09.777: HTTP: Authentication for url '/config.js' '/config.js' level 1 privless '/config.js'
*Mar 2 13:15:09.778: HTTP: Authentication username = 'my-user-name' priv-level = 1 auth-type = a

But it allows me to get in.

When I click on "Security" in the web interface I am prompted with the logon box. When I enter my credentials I get the following information in the debug window:

*Mar 2 13:19:14.552: setting privlevel to 15
*Mar 2 13:19:14.552: HTTP: Authentication for url '/ap_sec.htm' '/ap_sec.htm' level 15 privless '/ap_sec.htm'
*Mar 2 13:19:14.552: HTTP: Authentication username = 'my-user-name' priv-level = 15 auth-type = aaa
*Mar 2 13:19:14.596: HTTP: Authentication failed

Does this help?

Is there any information on the ACS in the TACACS+ Administration or the Failed attempts section?

Sorry, no messages in the failed authentication attempts. Only messages in the passed authentication attempts.

Doubt this is an issue with your ACS server. Can you provide the aaa config? Also what have you set the 'ip http authentication' line to?

Which software version are you running?

Personally I am also starting to suspect the AP.

AP software is 12.2(13)JA1

The config on the AP for AAA is pasted below.

aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
server IPA.IPB.IPC.IPD auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local group tac_admin group rad_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local group tac_admin group rad_admin
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
radius-server host IPA.IPB.IPC.IPD auth-port 1645 acct-port 1646 key 7 ##################
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting

You don't appear to be using TACACS+, just RADIUS. RADIUS won't give you any more than level 1 access.

Try:

aaa group server tacacs+ tac_admin
server ipa.ipb.ipc.ipd
ip http authentication aaa
tacacs-server host ipa.ipb.ipc.ipd key 7 ############

You will also need to define the AP on the ACS as a TACACS+ device as well as a RADIUS device; this is possible if you use a different name for the device on the ACS.
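The reply above boils down to three checks on the AP config: the TACACS+ server group must actually contain a server, a tacacs-server host must be defined, and the web UI must be pointed at AAA. The following audit script is an added example (not from the thread or from Cisco) that runs those checks over an IOS-style config; the sample configs and the 192.0.2.10 address are constructed placeholders.

```python
"""Audit an IOS-style AAA config for the gaps discussed in this thread: an empty
TACACS+ server group, no tacacs-server host, and a web UI not using AAA."""
import re

# Constructed samples (RFC 5737 placeholder address). BROKEN mirrors the poster's
# first config; FIXED applies the three additions suggested in the reply.
BROKEN = """\
aaa new-model
aaa group server radius rad_admin
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa group server tacacs+ tac_admin
!
aaa authentication login default local group tac_admin group rad_admin
aaa authorization exec default local group tac_admin group rad_admin
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key 7 0000
"""
FIXED = BROKEN.replace("tac_admin\n!", "tac_admin\n server 192.0.2.10\n!") + (
    "tacacs-server host 192.0.2.10 key 7 0000\nip http authentication aaa\n")

def parse_server_groups(config):
    """Map group name -> (protocol, [server lines]); tolerates stripped indentation."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"aaa group server (radius|tacacs\+) (\S+)", line)
        if head:
            current = head.group(2)
            groups[current] = (head.group(1), [])
        elif line.startswith("server ") and current:
            groups[current][1].append(line)
        elif line:  # any other command, or '!', ends the group stanza
            current = None
    return groups

def audit_aaa(config):
    """Return findings; an empty list means TACACS+ exec authorization is wired up."""
    findings, groups = [], parse_server_groups(config)
    exec_list = re.search(r"^aaa authorization exec default (.+)$", config, re.M)
    methods = re.findall(r"group (\S+)", exec_list.group(1) if exec_list else "")
    tac = [g for g in methods if g == "tacacs+" or groups.get(g, ("", []))[0] == "tacacs+"]
    if not tac:
        findings.append("exec authorization names no TACACS+ group; RADIUS alone yields level 1")
    for g in tac:
        if g in groups and not groups[g][1]:
            findings.append(f"TACACS+ group '{g}' has no 'server' entry, so it is never queried")
    if not re.search(r"^tacacs-server host ", config, re.M):
        findings.append("no 'tacacs-server host' defined")
    if not re.search(r"^ip http authentication aaa\s*$", config, re.M):
        findings.append("'ip http authentication aaa' missing; the web UI will not use AAA")
    return findings
```

Running `audit_aaa(BROKEN)` reports all three gaps, while `audit_aaa(FIXED)` returns an empty list.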

OK, this is my config on the AP now.

aaa group server tacacs+ tac_admin
server A.B.C.D
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_admin
server A.B.C.D auth-port 1645 acct-port 1646
!
aaa authentication login default local group tac_admin group rad_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local group tac_admin group rad_admin
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
tacacs-server host A.B.C.D key #########
tacacs-server directed-request
radius-server host A.B.C.D auth-port 1645 acct-port 1646 key 7 ############
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting

On the ACS server I have added a device with the same IP address as the AP but with a different name, selected Authenticate Using TACACS+ (Cisco IOS) and added the device to the same group. Restarted the ACS services and tried again.

It allows me to log on with the HTTP interface but on level 1. No failed attempts in the login. When I click on Security and provide the username and password it is not accepted. Again no message in the failed attempts but I do get one in the Passed Authentication log.

13/01/2005 12:16:27 Authen OK USERNAME CISCO Access Points A.B.C.D. tty2 E.F.G.H

Any more ideas for me to try? I am getting desperate.

In your Cisco ACS, check in the TACACS+ accounting and the RADIUS accounting to see which is being used for the authentication.

Make sure in your AP config you are using the

#ip http authentication aaa

My AAA configuration is set up as follows:

aaa new-model
!
!
aaa group server radius rad_eap
server #.#.#.# auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
server #.#.#.#
!
aaa authentication login default local group tac_admin group rad_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local group tac_admin group rad_admin
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
tacacs-server host #.#.#.# key 7 #############
tacacs-server directed-request
radius-server attribute 32 include-in-access-req format %h
radius-server host #.#.#.# auth-port 1645 acct-port 1646 key #####
radius-server key 7 #####
radius-server vsa send accounting
ip http authentication aaa

Hi again,

The config is below. I did the commands you gave and it did not work. Nothing shows up in the RADIUS and TACACS accounting logs. Not a single row.

aaa new-model
!
!
aaa group server radius rad_eap
server #.#.#.# auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
server #.#.#.# auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
server #.#.#.#
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local group tac_admin group rad_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local group tac_admin group rad_admin
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
tacacs-server host #.#.#.# key SHARED-SECRET
tacacs-server directed-request
radius-server host #.#.#.# auth-port 1645 acct-port 1646 key 7 SHARED-SECRET
radius-server attribute 32 include-in-access-req format %h
radius-server key 7 shared_secret
radius-server authorization permit missing Service-Type
radius-server vsa send accounting

13/01/2005 14:46:45 Authen OK MYNAME CISCO Access Points A.B.C.D tty6 E.F.G.H
13/01/2005 14:47:26 Authen OK MYNAME CISCO Access Points A.B.C.D tty2 E.F.G.H

After the first login attempt I added the rad_admin line as well. Still nothing in the logs and no level 15 access for me...

You might want to raise a TAC on this one, it will be difficult to diagnose the issue without being able to debug etc and see the acs config etc.

It should work ok from what you've told me, however it still looks like it's using Radius to authenticate.

It doesn't look like you're using RADIUS for user authentication; if this is the case then I would take all the RADIUS config off and work from a blank config. Make sure you configure a local username with level 15 access before doing this.

Thanks for your help... This morning a router 1600 was made redundant so I have 'stolen' it to work with this one.

According to all information everything is OK, but for some reason it does not work.

I'll see what comes out of the TAC case.

Thanks again for the help

Hi

If I understand you correctly, you want to telnet to the device and log in directly to enable mode. That's the only thing you can do with RADIUS; there is no way to log in first to user mode and then go to enable mode with RADIUS authentication. To do so, you have to send the following line as a Vendor Specific Attribute.

priv-level = 15

(I'm not 100% sure about the syntax, as I'm not at my office to check it out correctly.)

You should find information about this in the AP documentation.

Hope that helps you on your problem.

Simon

Curious if you got any resolution from TAC, I'm seeing the same thing here.

The logs on the ACS server do show a passed authentication but authorization fail and the message on the telnet session says authentication unsuccessful. I can even remove the authorization line from the AAA config on the AP.

Also, when I do a "show aaa servers", only the RADIUS server shows up, not TACACS. I can do a "show tacacs" and see that the correct IP address is configured, but all of the entries are 0.