Help with http login privilege levels. Aironet AP-1100.

In the CLI we have users log in at priv 1 and use "enable" to increase their privilege and do configuration. This allows "accounting" of command history.

On the AIR-AP1121G-A-K9 (12.3(8)JED1) I cannot duplicate this for http login.

I can log in as a user at priv 1. When I try to go to a privileged link like "Security" I get prompted for a second login/pw. Nothing works here unless I have a second user defined at priv 15 and enter that login/pw. The problem is - that login/pw can be used to log in via http in the first place which bypasses accounting of the actual user. It also allows login to the CLI at priv 15 which I cannot permit.

To test I'm trying to use the most simple tests. No https, no radius, etc.

After extensive reading of documents and forums I am using this:

username test1 secret 5 abcdxxx
username test2 privilege 15 secret 5 efghxxx
enable secret 5 ijklxxx
aaa new-model
<--omit wireless stuff-->
aaa authentication login default local
aaa authorization exec default local
aaa authentication login HTTPonly local
aaa authorization exec HTTPonly local
aaa authorization commands 15 HTTPonly local
aaa cache profile admin_cache
 all
aaa session-id common
ip http server
ip http authentication aaa login-authentication HTTPonly
ip http authentication aaa exec-authorization HTTPonly
ip http secure-server

1 Reply

Help with http login privilege levels. Aironet AP-1100.

I'm thinking that maybe it can't be done. I was trying to have the AP require a user-level login and then require a second "enable" password for enable privileges, with "straight to enable" not possible from the initial login.

Here are some more attempts:

(p1 = user with default privileges, p15 = user defined with privilege 15)

(step-up = can authenticate when some GUI links result in a secondary login dialog)

aaa authentication login default local
ip http server
no ip http secure-server
---Only allows login with no login name, just enable pwd---

aaa authentication login default local
ip http server
ip http authentication local
---Allows login with p1 or p15. Only p15 works for step-up---

aaa authorization exec http1 if-authenticated
aaa authorization commands 15 http1 local
ip http server
ip http authentication aaa exec-authorization http1
---Allows login with p1 or p15 user but no step-up if p1---

aaa authentication login default local
aaa authorization exec default local
aaa authorization exec http1 local
aaa authorization commands 15 http1 local
ip http server
ip http authentication aaa exec-authorization http1
---Allows login with p1 or p15 user but no step-up if p1---

aaa authentication login http1 enable
aaa authorization exec http1 local
aaa authorization commands 15 http1 local
ip http server
ip http authentication aaa login-authentication http1
ip http authentication aaa command-authorization 15 http1
no ip http secure-server
---Allows login with p1 or p15 only if using enable pw but no step-up if p1---
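Added example, not from the thread or from Cisco: a small Python audit that reads an IOS-style config such as the ones posted in the question and the reply above and reports the condition both posts circle around, a local privilege-15 account that any line authenticating against the local database (console, vty or HTTP) drops straight into privileged exec, so there is no separate "enable" step to account for that user. It also flags the GUI-side conditions visible in the attempts: plain HTTP without HTTPS, a GUI login checked against the enable password rather than a username (the IOS default when no `ip http authentication` line is present, or an AAA login list whose method is `enable`), and an exec authorization list of `if-authenticated`. The two sample configs are constructed from the posted fragments with the poster's placeholder hashes; the function names and the finding wording are mine.

```python
import re

# Constructed sample: the question's first attempt, reduced to the username,
# AAA and HTTP lines (hashes are the poster's placeholders).
FIRST_ATTEMPT = """\
username test1 secret 5 abcdxxx
username test2 privilege 15 secret 5 efghxxx
enable secret 5 ijklxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authentication login HTTPonly local
aaa authorization exec HTTPonly local
aaa authorization commands 15 HTTPonly local
ip http server
ip http authentication aaa login-authentication HTTPonly
ip http authentication aaa exec-authorization HTTPonly
ip http secure-server
"""

# Constructed sample: the reply's last attempt (enable-password login over
# plain HTTP) with the same two local users.
LAST_ATTEMPT = """\
username test1 secret 5 abcdxxx
username test2 privilege 15 secret 5 efghxxx
aaa authentication login http1 enable
aaa authorization exec http1 local
aaa authorization commands 15 http1 local
ip http server
ip http authentication aaa login-authentication http1
ip http authentication aaa command-authorization 15 http1
no ip http secure-server
"""

USER_RE = re.compile(r"^username (?P<name>\S+)(?: privilege (?P<priv>\d+))?"
                     r" (?:secret|password) .+$")
LIST_RE = re.compile(r"^aaa (?P<kind>authentication login|authorization exec)"
                     r" (?P<list>\S+) (?P<methods>.+)$")


def parse_users(config):
    """username -> privilege level; IOS gives a username privilege 1 by default."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m["name"]] = int(m["priv"] or 1)
    return users


def parse_http(config):
    """HTTP/HTTPS state plus the AAA lists the GUI login is wired to.
    Without an 'ip http authentication' line IOS uses the enable password."""
    h = {"server": False, "secure": False, "auth": "enable",
         "login_list": None, "exec_list": None}
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith("ip http server"):
            h["server"] = not line.startswith("no ")
        elif line.endswith("ip http secure-server"):
            h["secure"] = not line.startswith("no ")
        elif line.startswith("ip http authentication "):
            parts = line.split()[3:]    # e.g. ['aaa', 'login-authentication', 'X']
            h["auth"] = parts[0]
            if parts[0] == "aaa" and len(parts) >= 3 and parts[1] == "login-authentication":
                h["login_list"] = parts[2]
            elif parts[0] == "aaa" and len(parts) >= 3 and parts[1] == "exec-authorization":
                h["exec_list"] = parts[2]
    return h


def audit(config):
    """Return the findings for one config; an empty list means nothing flagged."""
    findings = []
    lists = {"authentication login": {}, "authorization exec": {}}
    for line in config.splitlines():
        m = LIST_RE.match(line.strip())
        if m:
            lists[m["kind"]][m["list"]] = m["methods"].split()
    for name, priv in sorted(parse_users(config).items()):
        if priv >= 15:
            findings.append(f"{name}: local privilege-{priv} account; any line that "
                            "authenticates against the local database (console, vty, "
                            "HTTP) lands it in privileged exec with no 'enable' step to account")
    h = parse_http(config)
    login_methods = lists["authentication login"].get(h["login_list"], [])
    exec_methods = lists["authorization exec"].get(h["exec_list"], [])
    if h["server"] and not h["secure"]:
        findings.append("HTTP enabled without HTTPS: GUI logins, including the step-up "
                        "password, cross the wire in clear text")
    if h["auth"] == "enable" or "enable" in login_methods:
        findings.append("GUI login is checked against the enable password, not a "
                        "username: nothing per-user to account for")
    if "if-authenticated" in exec_methods:
        findings.append(f"exec list {h['exec_list']} is 'if-authenticated': authorization "
                        "passes for any authenticated user with no local or server lookup")
    return findings
```

Feed it the text of `show running-config`; `audit(FIRST_ATTEMPT)` returns only the privilege-15 finding for `test2`, while `audit(LAST_ATTEMPT)` adds the plain-HTTP and enable-password findings. The check is worth running before a box goes into service, because the poster's observation is that the GUI step-up dialog on this platform accepts only a privilege-15 user account, and that account is exactly the one whose direct logins the audit flags.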