
Can someone help me with tacacs+ configuration on 881AP?

macase
Level 1

I have tacacs+ configuration working for authentication against CLI and web GUI. Everything is working as one would expect with one exception: from the GUI, if I click on any of the links that take you to the security pages I get prompted for authentication again. I enter my credentials and nothing happens, eventually I get an access denied. On the ACS server, the AP is in a device group that my account has priv 15 access to. Also on ACS, there are no failed attempts being logged for the activity. Has anyone seen this before and if so I am willing to try anything. I even upgraded to the latest IOS image for this device with the same results.

Help!!

Thanks,

Mark Case | CCNA, CCNAW

3 Replies

Are there successful authentications shown for the clicks that fail?

Can you post the relevant portions of the 881 configuration?

Here are the relevant lines of code, on the http part of the configuration you see; if I change the ip http authentication to local it works fine authenticating against a local account and I can access all portions of the GUI fine. The group csacseT is defined in the configuration; as well as ACL 99. However, when I specify csacseT for ip http aaa login-authentication, I get the following message: "Warning: Authentication list "csacseT" is not defined for LOGIN"

aaa group server tacacs+ csacseT
server x.x.x.x
server x.x.x.x

aaa authentication login default group csacseT local-case
aaa authentication login console local-case
aaa authentication enable default group csacseT enable
aaa authorization config-commands
aaa authorization exec default group csacseT local
aaa authorization reverse-access default group csacseT
aaa accounting exec default start-stop group csacseT
aaa accounting commands 15 default start-stop group csacseT
aaa accounting connection default start-stop group csacseT
aaa accounting system default start-stop group csacseT
!
aaa session-id common

no ip http server
ip http access-class 99
ip http authentication aaa login-authentication csacseT
ip http secure-server

I have opened a TAC case, the engineer is as puzzled as I am and is researching. As mentioned, the CLI authentication mechanism is working as expected.

Oh yeah, forgot to mention that there are no failed attempts when this happens. But when I successfully authenticated at the CLI I am seeing passed authentications. I can even login to the GUI with my TACACS acct and get a passed authentication, it's just when I am clicking on the security links that this is happening; with no activity being logged. I even ran a debug and did not see any results.
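
The warning quoted in this thread can be traced in the posted lines: in IOS, `ip http authentication aaa login-authentication` takes the name of an `aaa authentication login` method list, and the configuration defines only the lists `default` and `console`, while `csacseT` is a server group. The Python check below is an added example, not part of the original posts; `audit_http_aaa` and `SAMPLE_CONFIG` are hypothetical names, and the sample is constructed from the lines posted above.

```python
import re

# Constructed sample: the AAA and HTTP lines posted in the thread above.
SAMPLE_CONFIG = """\
aaa group server tacacs+ csacseT
 server x.x.x.x
aaa authentication login default group csacseT local-case
aaa authentication login console local-case
aaa authorization exec default group csacseT local
ip http authentication aaa login-authentication csacseT
ip http secure-server
"""

# Which "aaa ..." definition each "ip http authentication aaa" keyword refers to.
HTTP_KEYWORDS = {
    "login-authentication": "authentication login",
    "exec-authorization": "authorization exec",
}

def audit_http_aaa(config):
    """Return findings for HTTP AAA references to undefined method lists."""
    groups, lists = set(), {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"aaa group server \S+ (\S+)", line)
        if m:
            groups.add(m.group(1))  # server group names, e.g. csacseT
        m = re.match(r"aaa (authentication login|authorization exec) (\S+)", line)
        if m:
            lists.setdefault(m.group(1), set()).add(m.group(2))  # method lists
    findings = []
    for line in config.splitlines():
        m = re.match(r"\s*ip http authentication aaa (\S+) (\S+)", line)
        if not m or m.group(1) not in HTTP_KEYWORDS:
            continue
        keyword, name = m.groups()
        kind = HTTP_KEYWORDS[keyword]
        if name in lists.get(kind, set()):
            continue  # reference resolves to a defined method list
        hint = " (it is a server group name)" if name in groups else ""
        findings.append(f"{keyword} {name}: no 'aaa {kind} {name}' list{hint}")
    return findings

if __name__ == "__main__":
    for finding in audit_http_aaa(SAMPLE_CONFIG):
        print(finding)
```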