Ok, it already had ip http secure-server.  I added ip http server, and now it says:

"Unable to connect.  Authentication failed."  I wasn't even given a chance to type in credentials.

Do you have this command?

ip http authen loca

I actually had that in the config when I started this thread, and removed it.  I added it back in after you mentioned it, and I tested both ways, says authentication failed on both.

by a mix of disabling/enabling CDP on the 3850 and closing and restarting the CNA, I got it to recognize the 3850, and allow me to update the stored credentials.  Now, it's just now showing the 3850 in the list on the Topology View (shows in the Map though).

Are you running .1 code on the 3850? .0 has already been deferred, just a thought. Also did you set an enable secret? I've seen the cna be very picky and want admin/enable secret to work.

Sent from Cisco Technical Support iPad App

Oddly, I put the 3850 into production yesterday (2 stacked 3850's)...and once again I'm getting "authentication failed" from the CNA on my PC.  I tried cycling CDP off and on again, no success. 

These all exist in the config file:

ip http server

ip http secure-server

ip http authentication local

I can telnet in with the setup username and secret, and can enable with the secret..but if I try using CNA or even through Internet Explorer, I get auth failed. 

Not sure what's going on?

have you set your enable secret? Set that and then use admin/xxxxx  (xxx = enable secret)

Yes, as I stated I can enable with the secret through telnet (yes, the enable secret is set).

In the CNA I've tried admin/xxx, I've tried no username and just the xxx, all kick back.

Not sure what to tell you.  I did a recreate the other day for CNA and the 3850 and litterally just added an enable secret and turned on the server, had no problems.  If you have console access into the switch, you might be able to check the log after an unsuccessful attempt via the CNA and see if it writes an relevant logs.  YOu may also try an upgrade to CNA version 5.8.6.

I upgraded to 5.8.6 yesterday.

Should I try removing the local login?  I do have console access, but I don't know the exact log to tail for the login issue.

I would strip it back down and keep it simple, make sure you always have a local log/pass so you dont get locked out.  If you run a 'show log' after an unsuccessful login attempt, if its printed, you will see it, it will be obvious. 

I tested that "show log" and it didn't show an unsuccessful logon attempt.  Do I have to turn that on in debug?

I turned on "login on-failure log", and it spit out the attempts in the console as they were happening.  I did notice that when in the CNA just trying to "discover" the 3850 by it's IP address, it immediately logged authentication failures in the console several times before prompting me for user/pass in the CNA, as if it was trying cached credentials.  I have already unchecked "encrypt and store device credentials" in the CNA, and moved the "Password-store" files to try to get it to not used cached, but I think it is anyways.