Cisco 3650 tacacs+ with SSH works, not for http to use wireless GUI

Erik Boss
Level 1

Hi

Last week I installed a brand new Cisco 3650 switch and the wireless option.

Everything works fine.

I also configured TACACS+. Login through SSH works fine.

Now I want to manage the wireless part from the GUI by entering https://ip-address/wireless

Local authentication with priv 15 works fine.

Now I configured TACACS+. After entering my username and password, I received a blank screen.

After debugging, I got an SSL failure:

Mar  4 07:35:53.675: eah:  url=/wireless is for us with a secondary connection
Mar  4 07:35:53.675: eah: Secondary authentication required for realm priv_15_access
Mar  4 07:35:53.675: Tue, 04 Mar 2014 07:35:53 GMT <source address> /wireless auth_required
        Protocol = HTTP/1.1 Method = GET
Mar  4 07:35:53.675:
Mar  4 07:35:53.799: %HTTPS: SSL read fail (-6992)
Mar  4 07:35:58.400: eah:  url=/wireless is for us with a secondary connection
Mar  4 07:35:58.401: eah: Secondary authentication required for realm priv_15_access
Mar  4 07:35:58.401: HTTP AAA Login-Authentication List name: TACACS
Mar  4 07:35:58.401: HTTP AAA Login-Authentication List name: TACACS
Mar  4 07:35:58.401: TPLUS: Queuing AAA Authentication request 4673 for processing
Mar  4 07:35:58.401: TPLUS: processing authentication start request id 4673
Mar  4 07:35:58.401: TPLUS: Authentication start packet created for 4673(my username)
Mar  4 07:35:58.402: TPLUS: Using server <tacacs server IP>
Mar  4 07:35:58.407: TPLUS(00001241)/0/NB_WAIT/3AF752D4: Started 5 sec timeout
Mar  4 07:35:58.449: TPLUS(00001241)/0/NB_WAIT: socket event 2
Mar  4 07:35:58.450: TPLUS(00001241)/0/NB_WAIT: wrote entire 37 bytes request
Mar  4 07:35:58.450: TPLUS(00001241)/0/READ: socket event 1
Mar  4 07:35:58.450: TPLUS(00001241)/0/READ: Would block while reading
Mar  4 07:35:58.511: TPLUS(00001241)/0/READ: socket event 1
Mar  4 07:35:58.511: TPLUS(00001241)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Mar  4 07:35:58.511: TPLUS(00001241)/0/READ: socket event 1
Mar  4 07:35:58.511: TPLUS(00001241)/0/READ: read entire 28 bytes response
Mar  4 07:35:58.511: TPLUS(00001241)/0/3AF752D4: Processing the reply packet
Mar  4 07:35:58.511: TPLUS: Received authen response status GET_PASSWORD (8)
Mar  4 07:35:58.512: TPLUS: Queuing AAA Authentication request 4673 for processing
Mar  4 07:35:58.512: TPLUS: processing authentication continue request id 4673
Mar  4 07:35:58.512: TPLUS: Authentication continue packet generated for 4673
Mar  4 07:35:58.512: TPLUS(00001241)/0/WRITE/3AFD3D3C: Started 5 sec timeout
Mar  4 07:35:58.512: TPLUS(00001241)/0/WRITE: wrote entire 26 bytes request
Mar  4 07:35:58.566: TPLUS(00001241)/0/READ: socket event 1
Mar  4 07:35:58.566: TPLUS(00001241)/0/READ: read entire 12 header bytes (expect 6 bytes data)
Mar  4 07:35:58.566: TPLUS(00001241)/0/READ: socket event 1
Mar  4 07:35:58.566: TPLUS(00001241)/0/READ: read entire 18 bytes response
Mar  4 07:35:58.567: TPLUS(00001241)/0/3AFD3D3C: Processing the reply packet
Mar  4 07:35:58.567: TPLUS: Received authen response status PASS (2)
Mar  4 07:35:58.656: HTTP: Priv level authorization success priv_level: 15
Mar  4 07:35:58.690: %HTTPS: SSL read fail (-6992)
Mar  4 07:35:59.096: eah:  urlhook called for url=/favicon.ico
Mar  4 07:35:59.096: eah: Not for us
Mar  4 07:35:59.096: eah:  urlhook called for url=/favicon.ico
Mar  4 07:35:59.096: eah: Not for us
Mar  4 07:35:59.096: eah:  urlhook called for url=/favicon.ico
Mar  4 07:35:59.096: eah: Not for us
Mar  4 07:35:59.097: eah:  urlhook called for url=/favicon.ico
Mar  4 07:35:59.097: eah: Not for us
Mar  4 07:35:59.097: eah:  urlhook called for url=/favicon.ico
Mar  4 07:35:59.097: eah: Not for us
Mar  4 07:35:59.097: eah:  urlhook called for url=/favicon.ico
Mar  4 07:35:59.097: eah: Not for us
Mar  4 07:35:59.097: eah:  urlhook called for url=/favicon.ico
Mar  4 07:35:59.097: eah: Not for us
Mar  4 07:35:59.097: eah:  urlhook called for url=/favicon.ico
Mar  4 07:35:59.097: eah: Not for us

So authentication seems fine to me.

Am I missing something on the ACS server?

Configuration for ip http login:

ip http secure-server
ip http authentication aaa login-authentication TACACS
ip http authentication aaa exec-authorization TACACS
ip http authentication aaa command-authorization 15 TACACS

Thanks!

2 Replies

Erik Boss
Level 1

When I use ip http, I also get a blank page.

So this seems to be a fault in the self-signed certificate.

But that doesn't explain why I have no problems when I authenticate with a local account.

Hi Erik,

Command auth is not supported for the GUI on the IOS-XE boxes.

Also, can you try doing the following to check if this is a config issue.

  1. I see that you have used TACACS as a method-list. Can you try using "default"?
  2. To use "default", you need to make the following changes.

aaa authentication login default group <server-grp>
aaa authorization exec default group <server-grp>

On the http front, remove all the commands that you have configured below and only have this:

ip http authentication aaa

Can you paste the output of the following commands?

sh run | sec http
sh run | sec aaa

Does http work instead of https?
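The checks the reply asks for (which method lists the HTTP server points at, whether those lists are actually defined under aaa, and whether command-authorization is configured for the GUI), as an added Python example that is not part of this thread or of any Cisco tool: it reads the text of `sh run | sec aaa` and `sh run | sec http` and reports the mismatches. Both sample configs are constructed. The original post only pasted the `ip http` lines, so the `aaa` lines, the server-group name `ACS` and the `local` fallback method are assumptions; the "posted" sample reproduces the three `ip http authentication aaa` lines from the question, the "corrected" sample applies the reply's advice.

```python
"""Lint the HTTP-server AAA configuration of an IOS / IOS-XE switch.

Added example for the thread above, not code from the original post or from
Cisco. It checks the points the reply raises: named vs. default method lists,
lists referenced by HTTP but never defined, and command-authorization on the
HTTP server, which the reply says the IOS-XE GUI does not support.
"""
import re
from typing import Dict, List

# Constructed sample: the poster's three `ip http authentication aaa` lines,
# plus an ASSUMED `aaa` section (server group "ACS" and a local fallback were
# not in the original post).
POSTED_CONFIG = """\
aaa new-model
aaa authentication login TACACS group ACS local
aaa authorization exec TACACS group ACS local
ip http secure-server
ip http authentication aaa login-authentication TACACS
ip http authentication aaa exec-authorization TACACS
ip http authentication aaa command-authorization 15 TACACS
"""

# Constructed sample: the same box after applying the reply's advice
# (default lists, bare `ip http authentication aaa`, no command-authorization).
CORRECTED_CONFIG = """\
aaa new-model
aaa authentication login default group ACS local
aaa authorization exec default group ACS local
ip http secure-server
ip http authentication aaa
"""


def parse_config(text: str) -> Dict[str, dict]:
    """Pull the AAA method lists and the HTTP server's AAA settings out of a
    running-config dump (what `sh run | sec aaa` / `sh run | sec http` print)."""
    aaa = {"login": set(), "exec": set(), "commands": set()}
    http = {"login": None, "exec": None, "commands": [], "secure": False, "plain": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa authentication login (\S+)", line):
            aaa["login"].add(m.group(1))
        elif m := re.match(r"aaa authorization exec (\S+)", line):
            aaa["exec"].add(m.group(1))
        elif m := re.match(r"aaa authorization commands (\d+) (\S+)", line):
            aaa["commands"].add((int(m.group(1)), m.group(2)))
        elif m := re.match(r"ip http authentication aaa login-authentication (\S+)", line):
            http["login"] = m.group(1)
        elif m := re.match(r"ip http authentication aaa exec-authorization (\S+)", line):
            http["exec"] = m.group(1)
        elif m := re.match(r"ip http authentication aaa command-authorization (\d+) (\S+)", line):
            http["commands"].append((int(m.group(1)), m.group(2)))
        elif line == "ip http secure-server":
            http["secure"] = True
        elif line == "ip http server":
            http["plain"] = True
    return {"aaa": aaa, "http": http}


def check_http_aaa(cfg: Dict[str, dict]) -> List[str]:
    """Return findings; an empty list means the HTTP AAA setup has the shape
    the reply recommends (default lists, no command authorization)."""
    aaa, http = cfg["aaa"], cfg["http"]
    findings: List[str] = []
    # A bare `ip http authentication aaa` uses the default method lists.
    login = http["login"] or "default"
    exec_ = http["exec"] or "default"
    if login not in aaa["login"]:
        findings.append(f"HTTP login-authentication references list '{login}', which is not defined")
    if exec_ not in aaa["exec"]:
        findings.append(f"HTTP exec-authorization references list '{exec_}', which is not defined")
    if login != "default" or exec_ != "default":
        findings.append(f"HTTP uses named method lists ({login}/{exec_}); the reply suggests 'default'")
    if http["commands"]:
        lists = ", ".join(f"level {lvl} -> {name}" for lvl, name in http["commands"])
        findings.append(f"command-authorization configured for HTTP ({lists}); "
                        "the reply states this is not supported for the GUI on IOS-XE")
    if http["plain"]:
        findings.append("cleartext `ip http server` is enabled; use it only while testing "
                        "and keep `ip http secure-server` for management")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"[{name}]")
        for finding in check_http_aaa(parse_config(text)) or ["no findings"]:
            print("  -", finding)
```

Paste the real `sh run | sec aaa` and `sh run | sec http` output into one string and hand it to `parse_config`; the checker only matches the exact command forms shown on the page, so a list defined with a different keyword order will show up as "not defined" and is worth a manual look rather than a blind fix.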