05-05-2021 08:54 AM
Hi guys,
I am visiting a remote office with a 4221 router. I don't work with Cisco, so I am trying to get to the WebUI to avoid the CLI. Currently I cannot even SSH and have to specifically Telnet from PuTTY. The WebUI is accessible, but it refuses my credentials (Wrong Credentials. Please Login again.), which are the same ones I use for Telnet.
*May 5 15:44:52.660: %WEBSERVER-5-LOGIN_FAILED: SIP0: : Login Un-Successful from host 172.20.15.23 by user 'admin'
I tried to do my own research on how to configure Local Authentication for HTTP Server Users and found just a few variations on commands from this article (https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/13852-http-1.html#local)
No change. It doesn't accept either my Telnet credentials or the users I created myself. I wasn't able to find anything else (super unstable 3G connectivity only). Can you give me some pointers? This is my sanitized running config:
Building configuration...

Current configuration : 4647 bytes
!
! Last configuration change at 15:41:41 UTC Wed May 5 2021
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 XXXX
enable password XXX
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
!
ip dhcp excluded-address 172.20.18.1 172.20.18.10
ip dhcp excluded-address 172.20.18.129 172.20.18.139
ip dhcp excluded-address 172.20.15.1 172.20.15.10
ip dhcp excluded-address 172.20.15.129 172.20.15.139
ip dhcp excluded-address 172.20.16.1 172.20.16.10
ip dhcp excluded-address 172.20.16.129 172.20.16.139
ip dhcp excluded-address 172.20.17.1 172.20.17.10
ip dhcp excluded-address 172.20.17.129 172.20.17.139
ip dhcp excluded-address 172.20.18.126
ip dhcp excluded-address 172.20.17.254
ip dhcp excluded-address 172.20.17.126
ip dhcp excluded-address 172.20.16.126
ip dhcp excluded-address 172.20.16.254
ip dhcp excluded-address 172.20.15.126
ip dhcp excluded-address 172.20.15.254
!
ip dhcp pool BATIMENT_A
 network 172.20.18.0 255.255.255.128
 dns-server 8.8.8.8
 domain-name XXX
 netbios-name-server 172.20.15.5
 default-router 172.20.18.1
 lease 0 12
!
ip dhcp pool BATIMENT_B
 network 172.20.17.128 255.255.255.128
 default-router 172.20.17.129
 dns-server 8.8.8.8
 domain-name XX
 netbios-name-server 172.20.15.5
 lease 0 12
!
ip dhcp pool BATIMENT_C
 network 172.20.15.0 255.255.255.128
 default-router 172.20.15.1
 dns-server 8.8.8.8
 domain-name XX
 netbios-name-server 172.20.15.5
 lease 0 12
!
ip dhcp pool BATIMENT_D
 network 172.20.15.128 255.255.255.128
 domain-name XX
 netbios-name-server 172.20.15.5
 dns-server 8.8.8.8
 default-router 172.20.15.129
 lease 0 12
!
ip dhcp pool BATIMENT_E
 network 172.20.16.0 255.255.255.128
 default-router 172.20.16.1
 dns-server 8.8.8.8
 netbios-name-server 172.20.15.5
 domain-name XX
 lease 0 12
!
ip dhcp pool BATIMENT_F
 network 172.20.16.128 255.255.255.128
 domain-name XX
 netbios-name-server 172.20.15.5
 dns-server 8.8.8.8
 default-router 172.20.16.129
 lease 0 12
!
ip dhcp pool BATIMENT_G
 network 172.20.17.0 255.255.255.128
 default-router 172.20.17.1
 dns-server 172.20.15.5
 netbios-name-server 172.20.15.5
 domain-name XX
 lease 0 12
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid XX snXX
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username XXX privilege 15 password 0 XXX
username XXX privilege 15 password 0 XX
username XX password 0 XX privelege 15
username XXX privilege 7 password 0 XX
username XX privilege 15 password 0 XXX
!
redundancy
 mode none
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 172.20.18.1 255.255.255.128
 ip nat inside
!
interface GigabitEthernet0/0/1.20
 encapsulation dot1Q 20
 ip address 172.20.17.129 255.255.255.128
 ip nat inside
!
interface GigabitEthernet0/0/1.30
 encapsulation dot1Q 30
 ip address 172.20.15.1 255.255.255.128
 ip nat inside
!
interface GigabitEthernet0/0/1.40
 encapsulation dot1Q 40
 ip address 172.20.15.129 255.255.255.128
 ip nat inside
!
interface GigabitEthernet0/0/1.50
 encapsulation dot1Q 50
 ip address 172.20.16.1 255.255.255.128
 ip nat inside
!
interface GigabitEthernet0/0/1.60
 encapsulation dot1Q 60
 ip address 172.20.16.129 255.255.255.128
 ip nat inside
!
interface GigabitEthernet0/0/1.70
 encapsulation dot1Q 70
 ip address 172.20.17.1 255.255.255.128
 ip nat inside
!
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication aaa
ip http secure-server
!
!
access-list 100 permit ip 172.20.15.0 0.0.0.127 any
access-list 100 permit ip 172.20.15.128 0.0.0.127 any
access-list 100 permit ip 172.20.16.0 0.0.0.127 any
access-list 100 permit ip 172.20.16.128 0.0.0.127 any
access-list 100 permit ip 172.20.17.0 0.0.0.127 any
access-list 100 permit ip 172.20.17.128 0.0.0.127 any
access-list 100 permit ip 172.20.18.0 0.0.0.127 any
!
!
!
!
!
!
control-plane
!
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 password XXX
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end
05-05-2021 09:03 AM
I do not see any SSH config, can you post show ip ssh output.
Since you have masked the usernames, do you have a user called admin?
You can use debug to see what is wrong:
debug ip http authentication
debug aaa authentication
debug aaa authorization
05-06-2021 12:27 AM
Thanks for the tip! Cannot say it makes much sense to me. What I have configured is user "admin", but the log is showing copyrightbanneruser
*May 6 07:16:34.790: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*May 6 07:16:34.791: AAA/AUTHOR (0x0): Invalid method list id=0x0
*May 6 07:16:34.791: %WEBSERVER-5-LOGIN_FAILED: SIP0: : Login Un-Successful from host 172.20.15.80 by user 'admin'
*May 6 07:16:34.796: AAA/BIND(00004E99): Bind i/f
*May 6 07:16:34.796: AAA/BIND(00004E9A): Bind i/f
*May 6 07:16:34.804: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'RouterHostName'rem_addr= 'async' priv= 1 list= '' AUTHOR-TYPE= 'commands'
*May 6 07:16:34.987: AAA/BIND(00004E9B): Bind i/f
*May 6 07:16:34.987: AAA/BIND(00004E9C): Bind i/f
*May 6 07:16:34.989: AAA/AUTHOR: auth_need : user= 'copyrightbanneruser' ruser= 'RouterHostName'rem_addr= 'async' priv= 15 list= '' AUTHOR-TYPE= 'commands'
05-06-2021 12:35 AM
Fixed by
aaa authorization exec default local
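
Added example, not part of the original thread and not Cisco code: a small offline audit that flags the condition fixed above (`ip http authentication aaa` with a login method list but no `aaa authorization exec` list) in a saved running config. The function name, finding labels and the trimmed sample config are assumptions constructed for illustration; the two extra checks cover the cleartext HTTP listener and type 0 passwords visible in the posted config.

```python
import re

# Constructed sample: the AAA/HTTP-relevant lines of the sanitized config in this thread.
SAMPLE_CONFIG = """\
enable secret 5 XXXX
enable password XXX
aaa new-model
aaa authentication login default local
username XXX privilege 15 password 0 XXX
ip http server
ip http authentication aaa
ip http secure-server
line vty 0 4
 password XXX
"""


def audit_webui_aaa(config: str) -> list[str]:
    """Return finding labels (hypothetical names) for an IOS-XE running config."""
    lines = [line.strip() for line in config.splitlines()]

    def has(pattern: str) -> bool:
        return any(re.match(pattern, line) for line in lines)

    findings = []
    if has(r"ip http authentication aaa\b"):
        if not has(r"aaa new-model$"):
            findings.append("http-aaa-without-new-model")
        if not has(r"aaa authentication login \S+ "):
            findings.append("no-login-authentication-list")
        # The state in this thread: the login list exists, but no exec
        # authorization list does (debug: "Invalid method list id=0x0").
        # Simplified: any exec authorization list counts as present.
        if not has(r"aaa authorization exec \S+ "):
            findings.append("no-exec-authorization-list")
    # The plain HTTP listener carries WebUI credentials unencrypted.
    if has(r"ip http server$"):
        findings.append("cleartext-http-enabled")
    # Type 0 passwords are stored unencrypted in the configuration.
    if has(r"username \S+ .*password 0 "):
        findings.append("type0-passwords")
    return findings


if __name__ == "__main__":
    print(audit_webui_aaa(SAMPLE_CONFIG))
    print(audit_webui_aaa(SAMPLE_CONFIG + "aaa authorization exec default local\n"))
```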