cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
585
Views
0
Helpful
5
Replies
Beginner

http authentication

Accessing the access point via telnet radius authentication works with no problems.  When I access via secure http I can authenticate, but I get level 1 or read access only.  Can someone assist.  Below is the config for the device. 

no service pad

service tcp-keepalives-in

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname xxxx

!

logging buffered 16000 debugging

no logging console

no logging monitor

enable secret xxxxx

!

aaa new-model

!

!

aaa authentication login default group radius local

aaa authentication enable default enable

aaa authorization exec default group radius if-authenticated

!

aaa session-id common

clock timezone CST -6

clock summer-time CDT recurring

no ip source-route

no ip gratuitous-arps

ip tcp synwait-time 10

ip domain name xxxxx

ip name-server 10.5.10.20

ip name-server 10.5.10.19

!

!

!

dot11 ssid 150Wireless

   vlan 102

   authentication open

   authentication key-management wpa version 2

   wpa-psk ascii xxxxx

!

power inline negotiation prestandard source

!

crypto pki trustpoint TP-self-signed

!

!

crypto pki certificate chain TP-self-signed

username xxxx privilege 15 secret xxxxx

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption vlan 102 mode ciphers aes-ccm

!

ssid xxxx

!

station-role root

!

interface Dot11Radio0.102

encapsulation dot1Q 102 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

!

encryption vlan 102 mode ciphers aes-ccm

!

ssid xxxx

!

dfs band 3 block

channel dfs

station-role root

!

interface Dot11Radio1.102

encapsulation dot1Q 102 native

no ip route-cache

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

!

interface FastEthernet0.102

encapsulation dot1Q 102 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 10.5.102.6 255.255.255.0

no ip route-cache

!

ip default-gateway 10.5.102.1

no ip http server

ip http authentication aaa

ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1

logging trap debugging

logging 10.20.1.5

access-list 1 remark VTY Access

access-list 1 permit 10.20.0.0 0.0.3.255

access-list 1 permit 10.20.4.0 0.0.0.255

access-list 1 permit 10.20.100.0 0.0.0.255

access-list 1 permit 10.20.128.0 0.0.3.255

access-list 2 remark SNMP to NOC

access-list 2 permit 10.20.1.5

access-list 2 deny   any log

snmp-server community xxxxx RO 2

snmp-server community xxxxx RW 2

snmp-server enable traps tty

radius-server host xx auth-port 1645 acct-port 1646

radius-server host xx auth-port 1645 acct-port 1646

radius-server key xxxxxx

bridge 1 route ip

!

!

!

line con 0

exec-timeout 5 0

logging synchronous

transport output all

line vty 0 4

access-class 1 in

exec-timeout 9 0

transport input telnet

transport output all

line vty 5 15

access-class 1 in

exec-timeout 9 0

transport input telnet

transport output all

!

scheduler interval 500

sntp server 10.20.0.1

sntp broadcast client

end

5 REPLIES 5
Highlighted
Cisco Employee

http authentication

Hi Randy,

does your RADIUS server return the privilege level 15 as part of the authorization info? ([009\001] cisco-av-pair : "shell:priv-lvl=15")

You will need for this in order to authorize access to the GUI,  as the commands used to compile the web page output require high  privilege.

I hope this helps.

Regards,

Federico

Beginner

Re: http authentication

Yes, my radius server is set to return the privilege level 15 using vendor specific and the value shell:priv-lvl=15.  I do not have any issues with this setup, and gaining telnet access to our routers.  HTTP access is working, but only grants level 1. 

Re: http authentication

Have you tried:

ip http secure-server aaa

Cheers,

Fabio

Beginner

Re: http authentication

That is not a valid command in my IOS version. 

Enthusiast

http authentication

Add to your configuration:

aaa authorization exec web group radius local

ip http authentication aaa exec-authorization web

See if that helps.