08-16-2011 09:41 AM - edited 03-10-2019 06:19 PM
Accessing the access point via telnet with RADIUS authentication works with no problems. When I access via secure HTTP I can authenticate, but I get level 1 or read access only. Can someone assist? Below is the config for the device.
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxx
!
logging buffered 16000 debugging
no logging console
no logging monitor
enable secret xxxxx
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication enable default enable
aaa authorization exec default group radius if-authenticated
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
no ip source-route
no ip gratuitous-arps
ip tcp synwait-time 10
ip domain name xxxxx
ip name-server 10.5.10.20
ip name-server 10.5.10.19
!
!
!
dot11 ssid 150Wireless
vlan 102
authentication open
authentication key-management wpa version 2
wpa-psk ascii xxxxx
!
power inline negotiation prestandard source
!
crypto pki trustpoint TP-self-signed
!
!
crypto pki certificate chain TP-self-signed
username xxxx privilege 15 secret xxxxx
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 102 mode ciphers aes-ccm
!
ssid xxxx
!
station-role root
!
interface Dot11Radio0.102
encapsulation dot1Q 102 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption vlan 102 mode ciphers aes-ccm
!
ssid xxxx
!
dfs band 3 block
channel dfs
station-role root
!
interface Dot11Radio1.102
encapsulation dot1Q 102 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.102
encapsulation dot1Q 102 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.5.102.6 255.255.255.0
no ip route-cache
!
ip default-gateway 10.5.102.1
no ip http server
ip http authentication aaa
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
logging trap debugging
logging 10.20.1.5
access-list 1 remark VTY Access
access-list 1 permit 10.20.0.0 0.0.3.255
access-list 1 permit 10.20.4.0 0.0.0.255
access-list 1 permit 10.20.100.0 0.0.0.255
access-list 1 permit 10.20.128.0 0.0.3.255
access-list 2 remark SNMP to NOC
access-list 2 permit 10.20.1.5
access-list 2 deny any log
snmp-server community xxxxx RO 2
snmp-server community xxxxx RW 2
snmp-server enable traps tty
radius-server host xx auth-port 1645 acct-port 1646
radius-server host xx auth-port 1645 acct-port 1646
radius-server key xxxxxx
bridge 1 route ip
!
!
!
line con 0
exec-timeout 5 0
logging synchronous
transport output all
line vty 0 4
access-class 1 in
exec-timeout 9 0
transport input telnet
transport output all
line vty 5 15
access-class 1 in
exec-timeout 9 0
transport input telnet
transport output all
!
scheduler interval 500
sntp server 10.20.0.1
sntp broadcast client
end
08-29-2011 03:37 AM
Hi Randy,
Does your RADIUS server return privilege level 15 as part of the authorization info? ([009\001] cisco-av-pair : "shell:priv-lvl=15")
You will need this in order to authorize access to the GUI, as the commands used to compile the web page output require high privilege.
I hope this helps.
Regards,
Federico
08-29-2011 02:10 PM
Yes, my RADIUS server is set to return privilege level 15 using a vendor-specific attribute with the value shell:priv-lvl=15. I do not have any issues with this setup gaining telnet access to our routers. HTTP access is working, but only grants level 1.
08-29-2011 09:47 PM
Have you tried:
ip http secure-server aaa
Cheers,
Fabio
08-30-2011 06:06 AM
That is not a valid command in my IOS version.
08-31-2011 07:08 AM
Add to your configuration:
aaa authorization exec web group radius local
ip http authentication aaa exec-authorization web
See if that helps.
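The two points raised in this thread (whether the RADIUS reply carries shell:priv-lvl=15, and whether "ip http authentication aaa" is wired to an "aaa authorization exec" method list) are both things you can check before touching the box. The script below is an added example and is not code from the thread or from Cisco; the function names and the two short config fragments are constructed for illustration, with the "after" fragment reflecting the two commands suggested in the last reply. It audits a running-config for the HTTP exec-authorization wiring and parses the privilege level out of cisco-av-pair values.

```python
import re
from typing import Dict, List, Optional

# Constructed fragment: the relevant lines of the original config from the thread.
# HTTPS is enabled and authenticates via AAA, but no exec-authorization list is named.
CONFIG_BEFORE = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
no ip http server
ip http authentication aaa
ip http secure-server
"""

# Constructed fragment: the same config after the two commands from the last reply.
# IOS replaces the earlier "ip http authentication aaa" line rather than keeping both.
CONFIG_AFTER = """\
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization exec web group radius local
no ip http server
ip http authentication aaa exec-authorization web
ip http secure-server
"""


def http_exec_authorization_list(config: str) -> Optional[str]:
    """Name of the list on 'ip http authentication aaa exec-authorization <list>',
    or None when HTTP logins are authenticated but not exec-authorized."""
    for line in config.splitlines():
        m = re.match(r"^ip http authentication aaa\b(.*)$", line.strip())
        if m:
            m2 = re.search(r"exec-authorization\s+(\S+)", m.group(1))
            return m2.group(1) if m2 else None
    return None


def exec_authorization_lists(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa authorization exec <list> ...' name to its method keywords."""
    lists: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = re.match(r"^aaa authorization exec (\S+)\s+(.*)$", line.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def audit_http_authorization(config: str) -> List[str]:
    """Return findings; an empty list means HTTP logins are tied to a defined
    exec-authorization list that consults an AAA server group."""
    findings: List[str] = []
    # "no ip http server" starts with "no", so the anchored pattern skips it.
    if not re.search(r"^ip http (secure-)?server$", config, re.M):
        findings.append("no HTTP/HTTPS server is enabled")
    name = http_exec_authorization_list(config)
    if name is None:
        findings.append(
            "ip http authentication aaa names no exec-authorization list; "
            "the web session is authenticated but its privilege level is never authorized"
        )
        return findings
    lists = exec_authorization_lists(config)
    if name not in lists:
        findings.append(f"exec-authorization list '{name}' is referenced but not defined")
    elif "group" not in lists[name]:
        findings.append(f"exec-authorization list '{name}' does not consult an AAA server group")
    return findings


def priv_lvl_from_av_pairs(av_pairs: List[str]) -> Optional[int]:
    """Extract the privilege level from cisco-av-pair values such as 'shell:priv-lvl=15'.
    Returns None when no priv-lvl pair is present (the device then falls back to its default)."""
    for pair in av_pairs:
        m = re.fullmatch(r"shell:priv-lvl=(\d+)", pair.strip())
        if m:
            return int(m.group(1))
    return None


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit_http_authorization(cfg) or ["ok"])
    # Constructed reply attributes, as a RADIUS server would send them.
    print(priv_lvl_from_av_pairs(["shell:priv-lvl=15"]))
```

Run it against the output of "show running-config" saved to a file: the "before" fragment produces one finding, the "after" fragment none, and a config that names a list without defining it is reported separately. For the RADIUS side, feed the cisco-av-pair values from a packet capture or the server's access-accept log into priv_lvl_from_av_pairs to confirm that 15 is actually being returned for the web login and not only for the telnet one.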