Resolution
To configure HTTP access to the switch, this configuration is required on a switch that runs Cisco IOS Software Release 12.2(37)SE:
tacacs-server host key
ip tacacs source-interface vlan
aaa cache profile admin_cache
 all
aaa group server tacacs+ tac_admin
 server
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
ip http server
ip http authentication aaa
aaa authentication login CON-HTTP cache tac_admin group tac_admin local
aaa authorization exec CON-HTTP cache tac_admin group tac_admin local
line con 0
 login authentication CON-HTTP
 authorization exec CON-HTTP
For Cisco IOS Software Release 12.2(25r)SE1, refer to these commands:
tacacs-server host key
ip tacacs source-interface vlan
aaa group server tacacs+ tac_admin
 server
ip http server
ip http authentication aaa
aaa authentication login CON-HTTP cache tac_admin group tac_admin local
aaa authorization exec CON-HTTP cache tac_admin group tac_admin local
line con 0
 login authentication CON-HTTP
 authorization exec CON-HTTP
Note: On ACS, make sure that under Group user, Shell (exec) is checked, Privilege Level is checked, and the value is 15.
Also check whether the TACACS+ server configuration is present. If it is not present, configure it.
If authentication with TACACS+ fails, the switch tries to authenticate against the local database. This kind of authentication gives privilege level 1.
For more information on TACACS+ server configuration, refer to Identifying the TACACS+ Server Host and Setting the Authentication Key.
For more information on configuring a privilege level, refer to Setting the Privilege Level for a Command.
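The method lists, the server group and the line references in the configurations above must agree by name. As an added example (not part of the original document and not a Cisco tool), this Python check audits configuration text for those cross-references. The helper name audit() is hypothetical, and the address 192.0.2.10, the key EXAMPLE-KEY and VLAN 10 in the sample are constructed placeholders for the values the page leaves blank.

```python
import re

# Constructed sample following the page's 12.2(25r)SE1 layout. The address,
# key and VLAN are placeholders for the values the page leaves blank.
SAMPLE = """\
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
ip tacacs source-interface vlan 10
aaa group server tacacs+ tac_admin
 server 192.0.2.10
ip http server
ip http authentication aaa
aaa authentication login CON-HTTP cache tac_admin group tac_admin local
aaa authorization exec CON-HTTP cache tac_admin group tac_admin local
line con 0
 login authentication CON-HTTP
 authorization exec CON-HTTP
"""

def audit(config):
    """Return findings for AAA/HTTP wiring errors in IOS config text."""
    groups, lists, used, cur = {}, {}, [], None
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    for l in lines:
        if not l.startswith(" "):
            cur = None                       # an unindented line ends the sub-mode
        if m := re.match(r"aaa group server tacacs\+ (\S+)", l):
            cur = m.group(1)
            groups[cur] = 0                  # count of server entries in the group
        elif cur and re.match(r"\s+server\b", l):
            groups[cur] += 1
        elif m := re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)", l):
            lists[(m.group(1).split()[0], m.group(2))] = m.group(3).split()
        elif m := re.match(r"\s+(login authentication|authorization exec) (\S+)", l):
            kind = "authentication" if m.group(1).startswith("login") else "authorization"
            used.append((kind, m.group(2)))
    out = []
    if "ip http server" in lines and "ip http authentication aaa" not in lines:
        out.append("ip http server is on but 'ip http authentication aaa' is missing")
    for kind, name in used:
        if (kind, name) not in lists:
            out.append(f"line uses undefined {kind} list {name}")
    for (kind, name), methods in lists.items():
        for kw, ref in zip(methods, methods[1:]):
            # 'group tacacs+' and 'group radius' are built in, not user-defined groups
            if kw in ("group", "cache") and ref not in {*groups, "tacacs+", "radius"}:
                out.append(f"{kind} list {name} references undefined group {ref}")
        if "local" not in methods:
            out.append(f"{kind} list {name} has no local method")
    out += [f"server group {g} contains no server" for g, n in groups.items() if n == 0]
    return out
```

Calling audit(SAMPLE) returns an empty list; each returned string names one mismatch to correct on the switch.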