AAA and HTTP server

stevep

Hi All,

We have AAA enabled on all of our devices within the network but are unable to manage our Cat Switches via CMS. Authentication of users gaining access is performed on the ACS server. I have only used CMS before via authentication through the local database. Does anybody know of a workaround for this problem?

Many Thanks

Stevep

5 Replies

For CMS you are required to have level 15 privilege. When you connect to a device you are by default given level 0 privilege, when you enter enable mode you are granted level 15 - this is where you need to be at to use CMS (or the http server).

I have managed this before by making the user a level 15 privilege user by default on the ACS Server - I can't remember exactly where when configuring the user on ACS, but there is definitely an option for a user to have level 15 access by default.

Andy

Craig Norborg

I believe what you're looking for is this:

aaa authentication login default tacacs local

aaa authorization exec default local

ip http authentication aaa

Unless I'm too tired to remember, this should provide access to the router/switch via either telnet or http to use your configured tacacs server. A side effect will probably be that immediately upon logging in via telnet you will be in enable mode, desirable for some, but not others.

stevep

Thanks for your replies guys, but neither solution works. I checked out our ACS server, which was already set up to make all users a level 15 privilege user by default. Likewise for the other suggestion of:

aaa authentication login default tacacs local

aaa authorization exec default local

ip http authentication aaa

If TACACS+ is enabled and online then authentication will never fall back to local auth.

I did find a workaround though, with this command.

ip http authentication enable

This still allows for all users to be authenticated via AAA but http server will use the enable password. Not the best solution, but still a workaround.

Cheers

Stevep

Hi:

CMS works only in two profiles:

READ-WRITE for users with prv. level 15

READ-ONLY for users with other priv. levels.

If you want some kind of management, try other tools provided by Cisco's http interface, like monitoring the switch at some priv. level. This allows you to run some IOS commands on the web interface.

You should gain a priv. level access by using the URL http://device_IP/level/priv_level

You should also limit the commands authorized to that level by using tacacs+ or local authorization.

Regs

Jose Manuel

jguemes

Hi:

It seems to work :-)

I tested with ACS 3.1 and a Cat 3550G-24T IOS 12.1(19)EA1a

You should first define a TACACS+ user group that assigns priv level 15 to the users; you should also restrict the commands that group can use.

You can do this by assigning the appropriate Shell Command Authorization Set to the group.

When you access the web interface, you are prompted for a level 15 username and password: the username that has restrictions on the commands has priv level 15.

You can navigate as usual, but when applying changes, command authorization is requested and acts as configured in the Shell Command Authorization Set. If a command is not granted, it cannot be executed, and the web interface warns about it when applying changes.

I added to the config:

aaa new-model

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

ip http authentication aaa

and defined the appropriate settings on ACS.

Regs.
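The thread ends up with two working configurations: stevep's `ip http authentication enable` workaround, which gets the web interface going but makes every web user share the enable password, and jguemes's `ip http authentication aaa` with exec and command authorization, which keeps per-user authentication and restricts what a web session can apply. The script below is an added example, not code from the thread or from Cisco: it audits a saved IOS running-config for exactly those lines and reports which of the two states a switch is in. The two sample configs are constructed for the example; the line patterns checked are the commands quoted in the thread (plus `ip http secure-server`, the HTTPS counterpart of `ip http server`), and the reading of the IOS default (no `ip http authentication` line means the enable password is used) is the author's assumption about the platforms in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample running-config fragments (not taken from the thread).
# WEAK_CONFIG reproduces the "enable password" workaround; HARDENED_CONFIG
# reproduces the AAA + command-authorization configuration.
WEAK_CONFIG = """\
hostname sw-weak
aaa new-model
aaa authentication login default group tacacs+ local
ip http server
ip http authentication enable
"""

HARDENED_CONFIG = """\
hostname sw-good
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
ip http server
ip http authentication aaa
"""

_HTTP_AUTH = re.compile(r"^ip http authentication (aaa|enable|local|tacacs)\b")
_EXEC_AUTHZ = re.compile(r"^aaa authorization exec \S+ ")
_CMD_AUTHZ_15 = re.compile(r"^aaa authorization commands 15 \S+ ")


@dataclass
class HttpAaaFindings:
    http_server: bool = False
    http_auth: Optional[str] = None   # None: no explicit line (assumed IOS default: enable password)
    aaa_new_model: bool = False
    exec_authorization: bool = False
    command_authorization_15: bool = False
    config_commands: bool = False
    issues: List[str] = field(default_factory=list)


def audit_http_aaa(config_text: str) -> HttpAaaFindings:
    """Scan a running-config and report how the HTTP server authenticates and authorizes users."""
    f = HttpAaaFindings()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("ip http server", "ip http secure-server"):
            f.http_server = True
        elif (m := _HTTP_AUTH.match(line)):
            f.http_auth = m.group(1)
        elif line == "aaa new-model":
            f.aaa_new_model = True
        elif _EXEC_AUTHZ.match(line):
            f.exec_authorization = True
        elif _CMD_AUTHZ_15.match(line):
            f.command_authorization_15 = True
        elif line == "aaa authorization config-commands":
            f.config_commands = True

    if not f.http_server:
        return f  # no web management surface exposed; nothing to assess

    if f.http_auth is None:
        f.issues.append("no 'ip http authentication' line: assumed default is the enable password")
    elif f.http_auth == "enable":
        f.issues.append("'ip http authentication enable': one shared enable password for every "
                        "web user, so no per-user accountability (the thread's workaround)")
    elif f.http_auth == "local":
        f.issues.append("'ip http authentication local': web logins bypass the central AAA server")
    elif f.http_auth == "tacacs":
        f.issues.append("'ip http authentication tacacs': legacy keyword; use 'aaa' with a method list")
    else:  # aaa
        if not f.aaa_new_model:
            f.issues.append("'ip http authentication aaa' without 'aaa new-model'")
        if not f.exec_authorization:
            f.issues.append("no 'aaa authorization exec': the privilege level returned by the "
                            "server is not applied to the session")
        if not f.command_authorization_15:
            f.issues.append("no 'aaa authorization commands 15': changes applied from the web "
                            "interface are not authorized per command")
    return f


def is_acceptable(findings: HttpAaaFindings) -> bool:
    """True when the HTTP server is off or is using AAA with full authorization."""
    return not findings.issues


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_http_aaa(cfg)
        print(f"{name}: auth={result.http_auth} acceptable={is_acceptable(result)}")
        for issue in result.issues:
            print("  -", issue)
```

Run it against `show running-config` output saved to a file; a switch that only passes because `ip http server` is absent is reported as acceptable, which is the right answer for a device that does not expose CMS at all.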