01-25-2008 09:08 AM - edited 03-10-2019 03:37 PM
I'm having trouble getting the internal HTTPS server to use AAA for authentication. I have a working AAA setup for VTY access using TACACS+ but I can't seem to get HTTPS to work.
aaa new-model
aaa authentication login console none
aaa authentication login netauth group tacacs+ local
aaa authorization exec default none
aaa accounting delay-start
aaa accounting exec netacc start-stop group tacacs+
aaa accounting commands 15 netacc stop-only group tacacs+
aaa accounting connection netacc start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
!
no ip http server
ip http access-class 99
ip http authentication aaa login-authentication netauth
ip http secure-server
The only "aaa authorization" line was added during troubleshooting. I don't use authorization.
TACACS is working fine and ACL 99 permits my source IP. A debug of ip http auth gives me this after entering my credentials:
095897: Jan 25 10:35:18.262 CST: HTTP AAA Login-Authentication List name: netauth
095898: Jan 25 10:35:18.262 CST: HTTP AAA picking up Exec-Authorization List name: default
095899: Jan 25 10:35:18.302 CST: HTTP: Authentication failed for level 15
I tried both a valid userid/passwd configured on the TACACS server as well as a local userid/passwd on the router (I use 'local' as a backup to TACACS). The TACACS server logs show a successful auth attempt. The router in question is running 12.4(15)T2 but I've run into this problem on numerous 12.4 and 12.3 releases for years.
I've run into this dozens of times in as many networks. I've never found a solution other than to use local auth and forget AAA. What am I missing?
Thanks
Justin
01-25-2008 10:53 AM
For Http access you need to have priv 15 defined for that user. And add authorization command
aaa authorization exec default group tacacs+ if-authenticated
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG
Do rate helpful posts
01-25-2008 11:43 AM
JG,
Thanks for the reply. We don't use ACS here. We use an open-source TACACS+ server. So besides authentication the IOS HTTPS server requires authorization as well?
Thanks
Justin
01-25-2008 12:36 PM
Yes, need authorization also. Priv lvl falls under authorization head.
Regards,
~JG
04-24-2008 06:24 AM
I had the exact same problem with HTTP login when trying to use the Cisco SDM v2.5 installation. The AAA and IP HTTP server information at this link was very helpful:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
In my environment, by adding the following I was able to get the SDM to login using AAA and TACACS:
aaa authorization exec default group tacacs+ local
ip http authentication aaa login-authentication default
-- Jeff
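As an added example (not posted by anyone in this thread), a small Python checker that reads an IOS AAA configuration and reports why the HTTP server's AAA chain would fail: it resolves the list names referenced by `ip http authentication aaa` (falling back to `default`, as the debug output above shows) and verifies that both the login-authentication list and the exec-authorization list exist and that the latter can actually return a privilege level. The two sample configs are constructed from the lines in this thread.

```python
import re

# Constructed sample: the original poster's config, where the exec
# authorization list that HTTP picks up ("default") is set to 'none'.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login console none
aaa authentication login netauth group tacacs+ local
aaa authorization exec default none
ip http authentication aaa login-authentication netauth
ip http secure-server
"""

# Constructed sample: the same config with the exec-authorization fix from the thread.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authorization exec default none",
    "aaa authorization exec default group tacacs+ local")


def check_http_aaa(config):
    """Return a list of findings; an empty list means the HTTP AAA chain is complete."""
    login_lists, exec_lists = {}, {}
    http_login = http_exec = None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            login_lists[m.group(1)] = m.group(2)
        m = re.match(r"aaa authorization exec (\S+) (.+)", line)
        if m:
            exec_lists[m.group(1)] = m.group(2)
        m = re.match(r"ip http authentication aaa(.*)", line)
        if m:
            # Unnamed lists fall back to 'default', as the debug output shows.
            lg = re.search(r"login-authentication (\S+)", m.group(1))
            ex = re.search(r"exec-authorization (\S+)", m.group(1))
            http_login = lg.group(1) if lg else "default"
            http_exec = ex.group(1) if ex else "default"
    if http_login is None:
        return ["ip http authentication aaa is not configured"]
    findings = []
    if http_login not in login_lists:
        findings.append(f"login-authentication list '{http_login}' is not defined")
    # HTTP also runs exec authorization; without a server/local method behind
    # that list no privilege level 15 is returned and the login fails.
    methods = exec_lists.get(http_exec)
    if methods is None:
        findings.append(f"exec-authorization list '{http_exec}' is not defined")
    elif methods.strip() == "none":
        findings.append(f"exec-authorization list '{http_exec}' uses 'none'; no privilege level is returned")
    return findings
```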