
TACACS+ failing at web login, succeeding at SSH login.

skaighin69
Level 1

I have a tacacs+ server configured (tac_plus freeware).  I have an AP configured to use tacacs+ then local as the default authentication method.  Username/password authentication works fine at the SSH/vty and Console login prompts.  However, it fails when trying to access the web interface.  When trying to access http://[access point ip]/ it prompts for a login:

The server [ap ip] is asking for your username and password.  The server reports that it is from Level_15_access.

 

If I put in my tacacs credentials, the authentication prompt just pops up again.

If I add ip http authentication aaa login-authentication [name of authentication list], it will permit access.  I was under the impression that I shouldn't need to add this if tacacs is configured as the default authentication method.  

 

Current Config:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login TACAL group tacacs+ local
aaa authorization exec default group tacacs+ local  
aaa authorization commands 15 default group tacacs+ local 
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host [tacacs+ server IP] key 7 [password]
tacacs-server directed-request
ip http server
ip http authentication aaa login-authentication TACAL
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
Accepted Solutions

nspasov
Cisco Employee

It has been a while since I have done AAA on the HTTP part of a switch. However, looking at my notes I only used:

ip http authentication aaa

Basically without specifying the method. Give that a try and let me know if it works. If it doesn't, do a debug on tacacs authentications and post the output here.

 

Thank you for rating helpful posts!
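
An added example (not part of the thread and not Cisco tooling): a small Python check over a saved running-config that resolves which method the HTTP server uses for logins and which login method list that maps to. It assumes IOS's documented default of `enable` when no `ip http authentication` line is present; `http_auth_report` and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the config from the question without the "ip http authentication" line.
SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login TACAL group tacacs+ local
ip http server
ip http secure-server
"""

def http_auth_report(config: str) -> dict:
    """Resolve the login method used by the IOS HTTP server (hypothetical helper)."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    # Method lists defined by "aaa authentication login <name> <methods...>"
    lists = {}
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m:
            lists[m.group(1)] = m.group(2).split()
    http_on = any(re.fullmatch(r"ip http (secure-)?server", l) for l in lines)
    method, list_name = "enable", None  # assumption: IOS default when the line is absent
    for l in lines:
        m = re.match(r"ip http authentication (\S+)(?: login-authentication (\S+))?", l)
        if m:
            method = m.group(1)
            if method == "aaa":
                # No explicit list means the "default" login list is used.
                list_name = m.group(2) or list_name or "default"
    findings = []
    if http_on and "aaa new-model" in lines and method != "aaa":
        findings.append(f"HTTP server authenticates with '{method}', not an AAA login list")
    if method == "aaa" and list_name not in lists:
        findings.append(f"HTTP references undefined login list '{list_name}'")
    return {"http_enabled": http_on, "method": method, "login_list": list_name,
            "list_methods": lists.get(list_name), "findings": findings}

if __name__ == "__main__":
    for extra in ("", "ip http authentication aaa\n",
                  "ip http authentication aaa login-authentication TACAL\n"):
        print(http_auth_report(SAMPLE + extra))
```
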
