cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6132
Views
5
Helpful
3
Replies

HTTP authentication

Joseph.Rehling
Beginner
Beginner

I am trying to get AAA authentication for HTTP to use radius, and seem to be having problems with setting the priviledge level. It works fine with SSH login, but doesn't work with web management. The model is a WS-CBS3130X-S-F running 12.2(58)SE1 with http version 1.001.002...

Config is as follows:

aaa new-model

aaa authentication login VTYSandHTTP group radius local

aaa authorization exec VTYSandHTTP group radius local

ip http server

ip http authentication aaa login-authentication VTYSandHTTP

ip http authentication aaa exec-authorization VTYSandHTTP

ip http secure-server

radius server <Server Name>

address ipv4 <IP of Server> auth-port 1645 acct-port 1646

key <Key>

line vty 0 4

authorization exec VTYSandHTTP

login authentication VTYSandHTTP

transport input ssh

line vty 5 15

authorization exec VTYSandHTTP

login authentication VTYSandHTTP

transport input ssh


This is what I get when I try to log on to HTTP

HTTP AAA Login-Authentication List name: VTYSandHTTP

HTTP AAA Login-Authentication List name: VTYSandHTTP

HTTP: Authentication failed for level 15

1 ACCEPTED SOLUTION

Accepted Solutions

Dev Vishwakarma
Cisco Employee
Cisco Employee

Joseph,

Your configuration is absolutely correct. However, you are hitting a bug on 12.2(58)SE train,

CSCtq55319 ip http authentication aaa does not work

duplicated by

CSCtq94595    HTTP AAA Authentication does not work any more after upgrade to 12.2.58S

In order to fix this, please upgrade to 15.0(1)SE1.

Note: You need to also ensure the RADIUS server is sending the "shell:priv-lvl=15" in cisco-av-pair for this to work.

Regards,

Dev

View solution in original post

3 REPLIES 3

Dev Vishwakarma
Cisco Employee
Cisco Employee

Joseph,

Your configuration is absolutely correct. However, you are hitting a bug on 12.2(58)SE train,

CSCtq55319 ip http authentication aaa does not work

duplicated by

CSCtq94595    HTTP AAA Authentication does not work any more after upgrade to 12.2.58S

In order to fix this, please upgrade to 15.0(1)SE1.

Note: You need to also ensure the RADIUS server is sending the "shell:priv-lvl=15" in cisco-av-pair for this to work.

Regards,

Dev

Really appreciate the information. Calling support since the 3130 does not show a anything other than the 12.2 train. It does not look like 15.0(1)SE1 is released. If it is, it is not available to me to be downloaded.

A couple of additional notes. At this time, 15.0 (any flavor) is not released for the 3130 switches. However, I downloaded 12.2(55)SE5, which was released a month or two ago, and it appears to be working for this issue. The only issue I would note is that 12.2(58)SE1 wants newer commands that will not work if you roll back. You need to make sure you know a local account to get back in, or you can use the legacy commands with 12.2(58)SE1 that will work with 12.2(55)SE5 as well.

For example:

The following will not work on 12.2(55)SE5

radius server

address ipv4 auth-port 1645 acct-port 1646

key

The following will work on both.

radius-server auth-port 1645 acct-port 1646 key


You get an error on 12.2.(58)SE1 telling you that this command is depreciated, but it works fine for both 12.2(58)SE1 and 12.2(55)SE5

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: