TCC_2

Core issue

Cisco routers permit a user to connect to the router over HTTP. This functionality must be explicitly enabled (ip http server), and an authentication mechanism must be configured for those connections (ip http authentication). Note that plain HTTP carries the username and password across the network unencrypted, so the HTTP server should be reachable only from trusted management hosts.

When a user connects to the router over HTTP, the router prompts for a username and password. After authentication and authorization, the user is placed at a privilege level, and that level determines the set of commands the user is permitted to execute.

Note: Before implementing the procedures in this case, refer to Cisco Security Advisory on IOS HTTP Authorization Vulnerability.

Resolution

This is a sample configuration of TACACS+ authentication for HTTP server users with Cisco IOS Software Releases 11.3.3.T to 12.0.5.T (pre-method-list syntax):

aaa new-model
!--- Enable Authentication, Authorization and Accounting (AAA).
aaa authentication login default tacacs+
aaa authorization exec default tacacs+
ip http server
!--- Enable HTTP connectivity to the router.
ip http authentication aaa|tacacs
!--- Specify AAA or TACACS authentication for HTTP connections (choose one keyword).
!--- You can use either AAA or TACACS for these versions of Cisco IOS Software.
tacacs-server host 171.68.118.101
!--- Specify the TACACS server IP address.
tacacs-server key cisco
!--- Specify the TACACS+ server key. This must match the key on the server.

privilege exec level 7 clear line
!--- Move the clear line command to privilege Level 7 (L7).
!--- This example shows how users can be restricted from executing certain commands.

This is a sample configuration of TACACS+ authentication for HTTP server users with Cisco IOS Software Releases 12.0.5.T and later (method-list syntax with the group keyword):

aaa new-model
!--- Enable AAA.
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
!--- By default, use TACACS+ authentication and authorization.
ip http server
!--- Enable HTTP connectivity to the router.
ip http authentication aaa
!--- Specify AAA authentication for HTTP connections, so HTTP logins use the default login method list above.
tacacs-server host 171.68.118.101
!--- Specify the TACACS+ server IP address.
tacacs-server key cisco
!--- Specify the TACACS+ server key. This must match the key on the server.

privilege exec level 7 clear line
!--- Move the clear line command to privilege L7.
!--- This example shows how users can be restricted from executing certain commands.

This output was obtained from the Cisco Secure ACS for Windows (ACS) server:

  # ./ViewProfile -p 9900 -u one
  User Profile Information
  user = one{
    profile_id = 27
    profile_cycle = 1
    password = clear "********"
    default service=permit
    service=shell {
      set priv-lvl=15
    }
  }

  # ./ViewProfile -p 9900 -u two
  User Profile Information
  user = two{
    profile_id = 28
    profile_cycle = 1
    password = clear "********"
    service=shell {
      set priv-lvl=15
    }
  }

  # ./ViewProfile -p 9900 -u three
  User Profile Information
  user = three{
    profile_id = 29
    profile_cycle = 1
    password = clear "********"
    default service=permit
  }

  # ./ViewProfile -p 9900 -u four
  User Profile Information
  user = four{
    profile_id = 30
    profile_cycle = 1
    password = clear "********"
    default service=permit
    service=shell {
      set priv-lvl=7
    }
  }

The users configured in this example experience this behavior when they attempt to connect:

Note: Ensure that the users are appropriately configured on the TACACS+ server. For more information, refer to the server documentation.

  • User one:
    • The user passes Web authorization if the URL is entered as http://#.#.#.#.
    • After a Telnet to the router, the user can perform all commands after login authentication.
    • The user is in enable mode after login (show privilege is Level 15 [L15]).
    • If command authorization is added to the router, the user still succeeds in all commands, because the profile contains default service=permit.

  • User two:
    • The user passes Web authorization if the URL is entered as http://#.#.#.#.
    • After a Telnet to the router, the user can perform all commands after login authentication.
    • The user is in enable mode after login (show privilege is L15).
    • If command authorization is added to the router, the user fails all commands, because the profile has no default service=permit and the server therefore does not authorize them.

  • User three:
    • The user fails Web authorization because the profile assigns no privilege level (there is no service=shell section with a priv-lvl).
    • After a Telnet to the router, the user can perform all commands after login authentication.
    • The user is in non-enable mode after login (show privilege is Level 1 [L1]).
    • If command authorization is added to the router, the user still succeeds in all commands.

  • User four:
    • The user passes Web authorization if the URL is entered as http://#.#.#.#/level/7/exec, which requests the L7 exec level that matches the profile's priv-lvl=7.
    • L1 commands plus the L7 clear line command appear.
    • After a Telnet to the router, the user can perform all commands after login authentication.

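The four cases above come down to a few checks: whether the TACACS+ profile carries a shell priv-lvl at all, whether that level covers the level requested in the URL (15 for the plain http://#.#.#.# form, N for /level/N/exec), and, once command authorization is turned on, whether the profile has default service=permit. The following Python script is an added example written for this page, not code from the original article or from Cisco. It parses a constructed ViewProfile-style text (same shape as the output above, with only the lines that matter for authorization kept) and applies those rules; the comparison "priv-lvl must be at least the level in the URL" is my generalization of the four cases, and the DEFAULT_LEVELS table of command levels is assumed for illustration.

```python
"""Model of the HTTP authorization outcomes listed for users one to four.

Added example for this page, not Cisco code: it parses constructed
ViewProfile-style text and applies the rules the four users illustrate.
"""
import re

# Constructed sample in the shape of the ViewProfile output above
# (only the lines that matter for authorization are kept).
SAMPLE_VIEWPROFILE = """\
user = one{
  default service=permit
  service=shell {
    set priv-lvl=15
  }
}
user = two{
  service=shell {
    set priv-lvl=15
  }
}
user = three{
  default service=permit
}
user = four{
  default service=permit
  service=shell {
    set priv-lvl=7
  }
}
"""

# One "user = name{ ... }" block; its closing brace sits at column 0.
USER_RE = re.compile(r"user\s*=\s*(\w+)\s*\{(.*?)\n\}", re.S)
PRIV_RE = re.compile(r"set\s+priv-lvl\s*=\s*(\d+)")
# Accepts http://host, http://host/ and http://host/level/N/exec.
URL_RE = re.compile(r"^https?://[^/\s]+(?:/level/(\d+)/exec)?/?$")

# Assumed default exec levels for a few commands: 'clear line' is a
# level 15 command until 'privilege exec level 7 clear line' moves it.
DEFAULT_LEVELS = {
    "show privilege": 1,
    "ping": 1,
    "clear line": 15,
    "configure terminal": 15,
}


def parse_profiles(text):
    """Return {user: {"priv_lvl": int or None, "default_permit": bool}}."""
    profiles = {}
    for match in USER_RE.finditer(text):
        name, body = match.group(1), match.group(2)
        priv = PRIV_RE.search(body)
        profiles[name] = {
            "priv_lvl": int(priv.group(1)) if priv else None,
            "default_permit": "default service=permit" in body,
        }
    return profiles


def requested_level(url):
    """Privilege level a URL asks for: /level/N/exec selects N, else 15."""
    match = URL_RE.match(url)
    if not match:
        raise ValueError("unsupported URL form: %r" % url)
    return int(match.group(1)) if match.group(1) else 15


def http_authorized(profile, url):
    """Web authorization passes only if the profile carries a shell
    priv-lvl (user three has none and fails) and that level is at least
    the level in the URL (assumption generalizing users one, two, four)."""
    level = profile["priv_lvl"]
    return level is not None and level >= requested_level(url)


def command_authorized(profile):
    """Once 'aaa authorization commands' is added, a profile without
    'default service=permit' is denied every command (user two)."""
    return profile["default_permit"]


def visible_commands(level, overrides=None):
    """Commands an exec session at `level` may run, after any
    'privilege exec level N <command>' changes given in `overrides`."""
    table = dict(DEFAULT_LEVELS)
    table.update(overrides or {})
    return sorted(cmd for cmd, need in table.items() if need <= level)


if __name__ == "__main__":
    for user, profile in parse_profiles(SAMPLE_VIEWPROFILE).items():
        print(user, "default URL:", http_authorized(profile, "http://192.0.2.1"),
              "commands after authz:", command_authorized(profile))
    print("level 7 sees:", visible_commands(7, {"clear line": 7}))
```

Running the script reproduces the table above: one and two pass at the default URL, three fails outright, four passes only at /level/7/exec, and after command authorization is enabled only the profiles with default service=permit keep working. The 192.0.2.1 address stands in for the router's address.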
To troubleshoot HTTP authentication problems, use one or more of these debug commands:

  • debug aaa authentication: Displays information on AAA and TACACS+ authentication.

  • debug aaa authorization: Displays information on AAA and TACACS+ authorization.

  • debug tacacs: Displays the TACACS+ exchanges between the router and the server.

  • debug ip http authentication: Displays the authentication method the router attempted and authentication-specific status messages.

For more information, refer to Sample Configuration: Local Authentication for HTTP Server Users.
