09-27-2005 08:11 AM - edited 03-10-2019 02:19 PM
I have aaa setup using tacacs and everything is working fine except for http authentication through a browser or Network Assistant when the tacacs server is down. For telnet and console connections, the authentication defaults to line when tacacs is down.
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
ip http authentication aaa
!
tacacs-server host 10.161.161.20
tacacs-server key 111111
It has to have something with the fact that over http or CNA it connects to the router at level 15, but I've played with all sorts of different authorization commands and can't get it to work.
09-28-2005 05:14 AM
Paul
What would you want to do for authentication if the TACACS server is down? For telnet and console access you can use line as the backup method since it is possible to configure a line password on the console and on the vty ports. What kind of backup method do you want for HTTP? The one that makes most sense to me would be to do local authentication to cover the situation where the server is down.
To use local authentication you will need to do the following things:
- create a local user definition (perhaps several if you have extensive security requirements).
- specify a special method for aaa authentication.
- specify that http use the special method.
The configuration might look something like this:
user tech1 password tech1
aaa authentication login http_auth group tacacs+ local
ip http authentication aaa login-authentication http_auth
Or you could decide to use the enable secret (or password depending on which is configured). The config might look something like this:
aaa authentication login http_auth group tacacs+ enable
ip http authentication aaa login-authentication http_auth
If you want some other backup method let us know what it is and we will see how it could be implemented.
HTH
Rick
09-28-2005 07:09 AM
I guess I was trying to make the impossible possible. I wanted to use the line as the backup on http authentication, not local. Currently on all the switches we only have a line password and an enable password. So by default, http authentication happens using the enable password. Now, I want it to use aaa, and then in aaa use tacacs as the primary and line as the backup. That doesn't seem to work. So I just tried the following:
aaa authentication login default group tacacs+ enable
ip http authentication aaa
The above still doesn't work when tacacs is down. I don't quite understand why http authentication will work with the enable password when it's directly specified like the following:
ip http authentication enable
But not as a backup method to tacacs (and tacacs is down) when it's using aaa authentication.
09-28-2005 09:04 AM
Nevermind, I got it to work with:
aaa authentication login default group tacacs+ enable
ip http authentication aaa
I guess I didn't wait long enough. This is acceptable. Thanks for the comment on how passwords can be assigned to line and vty, but not http. It made me understand the relationship between how http authenticates by default using enable.
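As an added example (not from this thread, Cisco, or either poster), here is a small Python checker that reads a running-config excerpt and reports whether the login method list the HTTP server uses has a usable fallback when TACACS+ is unreachable. It encodes the two points made above: Rick's fallback lists (`local` or `enable` after `group tacacs+`) and Paul's finding that `line` works for console and vty but not for HTTP. The sample config is constructed for the example.

```python
import re

# Constructed sample config (not the poster's): HTTP uses the default list,
# which only falls back to "line" when the TACACS+ group does not answer.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login http_auth group tacacs+ local
ip http authentication aaa
"""

def parse_login_lists(config):
    """Map each 'aaa authentication login <name> ...' list to its ordered methods."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        name, rest = m.group(1), m.group(2)
        # fold 'group tacacs+' into one token so server groups stay distinct
        # from the device-side methods (local, enable, line, none)
        lists[name] = re.sub(r"group (\S+)", r"group:\1", rest).split()
    return lists

def http_login_list(config):
    """Return the login list the HTTP server uses, or None if http auth is not aaa."""
    m = re.search(r"^ip http authentication aaa(?: login-authentication (\S+))?$",
                  config, re.M)
    if not m:
        return None
    return m.group(1) or "default"   # bare 'ip http authentication aaa' = default list

def check_http_fallback(config):
    """Report whether HTTP login survives a TACACS+ outage.

    Returns (list_name, methods, verdict); verdict is one of
    'no-aaa', 'missing-list', 'no-fallback', 'line-not-valid-for-http', 'ok'.
    """
    name = http_login_list(config)
    if name is None:
        return (None, [], "no-aaa")
    methods = parse_login_lists(config).get(name)
    if methods is None:
        return (name, [], "missing-list")
    fallbacks = [x for x in methods if not x.startswith("group:")]
    if not fallbacks:
        return (name, methods, "no-fallback")
    if fallbacks == ["line"]:
        # a line password lives on console/vty lines; the HTTP server has none
        return (name, methods, "line-not-valid-for-http")
    return (name, methods, "ok")
```

Run it over a `show running-config` capture to spot the case in this thread: `ip http authentication aaa` with a default list whose only fallback is `line`.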