Thanks for letting us know

ckolkman1 · ‎01-15-2015

Hello all,

For a customer I'm trying to setup their Cisco router 881 to allow GUI access.
The GUI is working fine but it doesn't allow me to login, it keeps saying username/password incorrect.

#sh run | i ip http
ip http server
ip http port 8080
ip http access-class 20
ip http secure-server
#

#sh run | i user
username lisa password 7 ***
username korton privilege 15 secret 5 $1$TMf6$.HGshzSRJLQt5GLevyrM.1
max-users 50
ppp pap sent-username kpnINTE2131bb0 password 7 ***
By using this system, the user consents to such interception, monitoring,
#

#sh run | i aaa
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
#

Am I doing something wrong?
We are taking this customer over from another IT company so the config isn't made by us except the ip http etc..

Richard Burts · ‎01-15-2015

If the response says username incorrect then it probably is an issue with authentication. But just to be sure check these things:

- the config specifies using port 8080 so make sure you are using the correct port in your browser.

- the access class uses access list 20 to determine what source addresses are permitted so make sure that your address is included in that access list.

Can you do ip http authentication?

perhaps there is some alternative you can specify for this.

HTH

Rick

HTH

Rick

ckolkman1 · ‎01-15-2015

Thanks for your answer!

I'm using port 8080 indeed.

My IP is in the ACL.

I changed to ip http authentication local

Strange thing now is that as soon as I go to the ip:8080 I get prompted for a username/password (wasn't before) and my credentials are being accepted.

It logs me on and opens a popup which starts the CP Express, where I get prompted for a username/password again, and that's where I get stuck again because it doesn't accept my credentials.

Richard Burts · ‎01-15-2015

Thanks for the additional information. I had thought that the port number and the access list were not likely to be the problem but also thought it was good to eliminate them as possible reasons.

It is interesting that now you are getting an immediate prompt for credentials after configuring http server authentication local, and that your credentials are authenticated here. That is pretty much what I anticipated. The fact that there is an additional prompt shows that this is coming from CP Express and the failure to authenticate reflects some issue within CP Express. I am not sure what that issue would be.

I have another suggestion which you might try. Instead of http with port 8080 what if you use https to access the router with the secure server? I wonder if that makes a difference to CP Express?

HTH

Rick

HTH

Rick

ckolkman1 · ‎01-15-2015

Thanks for the fast reply again!

Strange thing is that I cannot connect to the https while it is enabled in the config:

#sh run | i ip http
ip http server
ip http port 8080
ip http access-class 20
ip http authentication local
ip http secure-server

Print from ACL 20:

#show access-lists 20
Standard IP access list 20
    10 permit 192.168.0.0, wildcard bits 0.0.0.255 (764 matches)
    20 permit 192.168.0.0, wildcard bits 0.0.255.255
    30 permit 192.0.0.0, wildcard bits 0.255.255.255

IP I'm connecting from is 192.168.0.2

Richard Burts · ‎01-15-2015

Thanks for letting us know that even though secure server is enabled in the config that you are not able to connect to it. I wonder if it also needs to have some authentication method specified. What do you get if you do ip http secure-server ?

HTH

Rick

HTH

Rick

Cannot login into Cisco CP Express