10-05-2011 10:24 AM - edited 03-10-2019 06:27 PM
In CLI we have users log in at priv 1 and use "enable" to increase privilege and do configurations. This allows "accounting" of command history.
On the AIR-AP1121G-A-K9 (12.3(8)JED1) I cannot duplicate this for http login.
I can log in as a user at priv 1. When I try to go to a privileged link like "Security" I get prompted for a second login/pw. Nothing works here unless I have a second user defined at priv 15 and enter that login/pw. The problem is - that login/pw can be used to log in via http in the first place which bypasses accounting of the actual user. It also allows login to the CLI at priv 15 which I cannot permit.
To test I'm trying to use the most simple tests. No https, no radius, etc.
After extensive reading of documents and forums I am using this:
username test1 secret 5 abcdxxx
username test2 privilege 15 secret 5 efghxxx
enable secret 5 ijklxxx
aaa new-model
<--omit wireless stuff-->
aaa authentication login default local
aaa authorization exec default local
aaa authentication login HTTPonly local
aaa authorization exec HTTPonly local
aaa authorization commands 15 HTTPonly local
aaa cache profile admin_cache
all
aaa session-id common
ip http server
ip http authentication aaa login-authentication HTTPonly
ip http authentication aaa exec-authorization HTTPonly
ip http secure-server
10-05-2011 03:45 PM
I'm thinking that maybe it can't be done. I was trying to have the AP require a user level login and then require a second "enable" password for enable privileges - with "straight to enable" not possible from the initial login.
Here are some more attempts:
(p1 = user with default privileges, p15 = user defined with privilege 15)
(step up = can authenticate when some gui links result in secondary login dialog)
aaa authentication login default local
ip http server
no ip http secure-server
---Only allows login with no login name, just enable pwd---
aaa authentication login default local
ip http server
ip http authentication local
---Allows login with p1 or p15. Only p15 works for step-up---
aaa authorization exec http1 if-authenticated
aaa authorization commands 15 http1 local
ip http server
ip http authentication aaa exec-authorization http1
---Allows login with p1 or p15 user but no step-up if p1---
aaa authentication login default local
aaa authorization exec default local
aaa authorization exec http1 local
aaa authorization commands 15 http1 local
ip http server
ip http authentication aaa exec-authorization http1
---Allows login with p1 or p15 user but no step-up if p1---
aaa authentication login http1 enable
aaa authorization exec http1 local
aaa authorization commands 15 http1 local
ip http server
ip http authentication aaa login-authentication http1
ip http authentication aaa command-authorization 15 http1
no ip http secure-server
---Allows login with p1 or p15 only if using enable pw but no step-up if p1---