
HTTP authentication

Joseph.Rehling
Level 1

I am trying to get AAA authentication for HTTP to use radius, and seem to be having problems with setting the privilege level. It works fine with SSH login, but doesn't work with web management. The model is a WS-CBS3130X-S-F running 12.2(58)SE1 with http version 1.001.002...

Config is as follows:

aaa new-model
aaa authentication login VTYSandHTTP group radius local
aaa authorization exec VTYSandHTTP group radius local
ip http server
ip http authentication aaa login-authentication VTYSandHTTP
ip http authentication aaa exec-authorization VTYSandHTTP
ip http secure-server
radius server <Server Name>
 address ipv4 <IP of Server> auth-port 1645 acct-port 1646
 key <Key>
line vty 0 4
 authorization exec VTYSandHTTP
 login authentication VTYSandHTTP
 transport input ssh
line vty 5 15
 authorization exec VTYSandHTTP
 login authentication VTYSandHTTP
 transport input ssh

This is what I get when I try to log on to HTTP:

HTTP AAA Login-Authentication List name: VTYSandHTTP
HTTP AAA Login-Authentication List name: VTYSandHTTP
HTTP: Authentication failed for level 15

Accepted Solution

Dev Vishwakarma
Cisco Employee

Joseph,

Your configuration is absolutely correct. However, you are hitting a bug on the 12.2(58)SE train:

CSCtq55319 ip http authentication aaa does not work

duplicated by

CSCtq94595 HTTP AAA Authentication does not work any more after upgrade to 12.2.58S

In order to fix this, please upgrade to 15.0(1)SE1.

Note: You need to also ensure the RADIUS server is sending the "shell:priv-lvl=15" in cisco-av-pair for this to work.

Regards,

Dev
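The note above says the fix only takes effect once the RADIUS server returns "shell:priv-lvl=15" as a cisco-av-pair. The following is an added example, not code from the thread or from Cisco: it decodes the attribute section of a RADIUS Access-Accept (as you would pull it from a packet capture on the server side) and reports which shell:priv-lvl the Cisco Vendor-Specific Attribute actually carries, so a mismatch between what the server is believed to send and what it really sends can be spotted before blaming the switch. The vendor id (9) and Cisco-AVPair vendor-type (1) are the standard values; the sample bytes are constructed here for the demonstration.

```python
import struct

CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
CISCO_AVPAIR = 1      # vendor-type of Cisco-AVPair inside the VSA

def build_vsa(vendor_id, vendor_type, value):
    """Encode one RFC 2865 Vendor-Specific Attribute (type 26)."""
    vendor_len = 2 + len(value)          # vendor-type + vendor-length + string
    body = struct.pack("!IBB", vendor_id, vendor_type, vendor_len) + value
    return struct.pack("!BB", 26, 2 + len(body)) + body

def iter_attributes(data):
    """Yield (type, value) pairs from a RADIUS attribute byte string."""
    offset = 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[offset], data[offset + 1]
        if attr_len < 2 or offset + attr_len > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[offset + 2:offset + attr_len]
        offset += attr_len

def cisco_avpairs(data):
    """Return every Cisco-AVPair string carried in the attribute bytes."""
    pairs = []
    for attr_type, value in iter_attributes(data):
        if attr_type != 26 or len(value) < 6:
            continue                      # not a VSA, or too short to hold one
        vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
        if vendor_id != CISCO_VENDOR_ID or vendor_type != CISCO_AVPAIR:
            continue
        if vendor_len != len(value) - 4:  # vendor-length excludes the 4-byte vendor id
            raise ValueError("vendor length mismatch")
        pairs.append(value[6:].decode("ascii"))
    return pairs

def shell_priv_lvl(data):
    """Return the shell:priv-lvl the server granted, or None if it sent none."""
    for pair in cisco_avpairs(data):
        key, _, val = pair.partition("=")
        if key.strip() == "shell:priv-lvl" and val.strip().isdigit():
            return int(val)
    return None

# Constructed samples: Service-Type (6) = NAS-Prompt (7), with and without the AVPair.
SAMPLE_ACCEPT = (struct.pack("!BBI", 6, 6, 7)
                 + build_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"shell:priv-lvl=15"))
SAMPLE_NO_PRIV = struct.pack("!BBI", 6, 6, 7)
```

Feed it the attribute bytes of a real Access-Accept and a result of None means the server never granted a privilege level, which matches the "Authentication failed for level 15" debug line even on a fixed image.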

Really appreciate the information. Calling support since the 3130 does not show anything other than the 12.2 train. It does not look like 15.0(1)SE1 is released. If it is, it is not available to me to be downloaded.

A couple of additional notes. At this time, 15.0 (any flavor) is not released for the 3130 switches. However, I downloaded 12.2(55)SE5, which was released a month or two ago, and it appears to be working for this issue. The only issue I would note is that 12.2(58)SE1 wants newer commands that will not work if you roll back. You need to make sure you know a local account to get back in, or you can use the legacy commands with 12.2(58)SE1 that will work with 12.2(55)SE5 as well.

For example:

The following will not work on 12.2(55)SE5:

radius server <Server Name>
 address ipv4 <IP of Server> auth-port 1645 acct-port 1646
 key <Key>

The following will work on both:

radius-server <IP of Server> auth-port 1645 acct-port 1646 key <Key>

You get an error on 12.2(58)SE1 telling you that this command is deprecated, but it works fine for both 12.2(58)SE1 and 12.2(55)SE5.