Help with http login privilege levels. Aironet AP-1100.

In the CLI we have users log in at priv 1 and use "enable" to increase privilege and do configuration. This allows "accounting" of command history.

On the AIR-AP1121G-A-K9 (12.3(8)JED1) I cannot duplicate this for http login.

I can log in as a user at priv 1. When I try to go to a privileged link like "Security" I get prompted for a second login/pw. Nothing works here unless I have a second user defined at priv 15 and enter that login/pw. The problem is that login/pw can be used to log in via http in the first place, which bypasses accounting of the actual user. It also allows login to the CLI at priv 15, which I cannot permit.

To test I'm trying to use the most simple tests. No https, no radius, etc.

After extensive reading of documents and forums I am using this:

username test1 secret 5 abcdxxx
username test2 privilege 15 secret 5 efghxxx
enable secret 5 ijklxxx
aaa new-model
<--omit wireless stuff-->
aaa authentication login default local
aaa authorization exec default local
aaa authentication login HTTPonly local
aaa authorization exec HTTPonly local
aaa authorization commands 15 HTTPonly local
aaa cache profile admin_cache
 all
aaa session-id common
ip http server
ip http authentication aaa login-authentication HTTPonly
ip http authentication aaa exec-authorization HTTPonly
ip http secure-server

Help with http login privilege levels. Aironet AP-1100.

I'm thinking that maybe it can't be done. I was trying to have the AP require a user-level login and then require a second "enable" password for enable privileges, with "straight to enable" not possible from the initial login.

Here are some more attempts:

(p1 = user with default privileges, p15 = user defined with privilege 15)

(step-up = can authenticate when some GUI links result in a secondary login dialog)

aaa authentication login default local
ip http server
no ip http secure-server

---Only allows login with no login name, just enable pwd---

aaa authentication login default local
ip http server
ip http authentication local

---Allows login with p1 or p15. Only p15 works for step-up---

aaa authorization exec http1 if-authenticated
aaa authorization commands 15 http1 local
ip http server
ip http authentication aaa exec-authorization http1

---Allows login with p1 or p15 user but no step-up if p1---

aaa authentication login default local
aaa authorization exec default local
aaa authorization exec http1 local
aaa authorization commands 15 http1 local
ip http server
ip http authentication aaa exec-authorization http1

---Allows login with p1 or p15 user but no step-up if p1---

aaa authentication login http1 enable
aaa authorization exec http1 local
aaa authorization commands 15 http1 local
ip http server
ip http authentication aaa login-authentication http1
ip http authentication aaa command-authorization 15 http1
no ip http secure-server

---Allows login with p1 or p15 only if using enable pw but no step-up if p1---
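As an added illustration (not code from either post or from Cisco), a small Python audit that scans an IOS-style running-config for the condition both posts describe: a local privilege-15 account that the web UI accepts as the initial login, so the priv-1 login plus enable step-up is bypassed. The regexes and the "enable" default mode are assumptions for the example; the sample config is constructed from the commands quoted in the first post.

```python
import re

# Constructed sample, assembled from the commands quoted in the first post
# (the secret hashes are placeholders, as in the post).
SAMPLE_CONFIG = """\
username test1 secret 5 abcdxxx
username test2 privilege 15 secret 5 efghxxx
enable secret 5 ijklxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authentication login HTTPonly local
aaa authorization exec HTTPonly local
aaa authorization commands 15 HTTPonly local
ip http server
ip http authentication aaa login-authentication HTTPonly
ip http authentication aaa exec-authorization HTTPonly
ip http secure-server
"""

USER_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?")
HTTP_AUTH_RE = re.compile(r"^ip http authentication\s+(\S+)")


def audit(config):
    """Return priv-15 local users, the HTTP auth mode and a list of findings."""
    priv15_users = []
    http_server = secure_server = False
    http_auth_mode = "enable"  # assumed mode when no 'ip http authentication' line is set
    for raw in config.splitlines():
        line = raw.strip()
        m = USER_RE.match(line)
        if m and m.group(2) == "15":
            priv15_users.append(m.group(1))
        m = HTTP_AUTH_RE.match(line)
        if m:
            http_auth_mode = m.group(1)  # 'enable', 'local' or 'aaa'
        http_server |= line == "ip http server"
        secure_server |= line == "ip http secure-server"
    findings = []
    if http_server and http_auth_mode != "enable" and priv15_users:
        # The case the posts describe: the step-up account is also usable as the
        # initial login, so privileged actions are not tied to the real user.
        findings.append("priv-15 local user(s) can log in to the web UI directly: "
                        + ", ".join(priv15_users))
    if http_server and not secure_server:
        findings.append("ip http server without ip http secure-server: credentials cross the network in clear text")
    return {"priv15_users": priv15_users, "http_auth_mode": http_auth_mode,
            "findings": findings}
```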
