07-30-2007 04:28 AM - edited 03-05-2019 05:34 PM
Not sure if this is the right forum for this or not.
I have successfully set up a switch to authenticate against an AD group for telnet login, then use an enable password shared by the three people in the group.
I'd like to set up ip http server the same way, but can't seem to get it to work. I used "ip http authentication aaa", but no dice, as I do not have a local aaa.
Any advice is greatly appreciated!
Labels: Other Switching
Accepted Solutions
07-31-2007 02:41 AM
HTTP Authentication requires Level-15 privileges so the user needs to have this by default. You can achieve this by passing a Cisco-AV-Pair from the Radius Server to the IOS device. The Cisco-AV-Pair is sent as a string as part of the Authentication Accept, for Level-15 privilege this is:
shell:priv-lvl=15
Bear in mind that if you use the same authentication method for telnet or SSH then your users will automatically be at Level-15 privilege level.
I use this with MS IAS and have two policies defined that check for Windows Group Membership; one Group has Level-15 access, the others don't.
HTH
Andy
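To make concrete what Andy describes, here is an added example (not code from the thread, Cisco, or Microsoft IAS) that builds and decodes a RADIUS Access-Accept carrying the Cisco-AV-Pair. The pair travels as a Vendor-Specific attribute (RFC 2865 type 26) with Cisco's vendor ID 9 and vendor type 1; the Request Authenticator and shared secret below are constructed values. The check worth noting for defenders is the Response Authenticator verification: a device must confirm the reply is bound to its own request and the shared secret before acting on a `shell:priv-lvl=15` it contains.

```python
"""Decode the Cisco-AV-Pair carried in a RADIUS Access-Accept (RFC 2865 framing).

Added example, not from the thread: shows how 'shell:priv-lvl=15' travels as a
Vendor-Specific Attribute (type 26, vendor ID 9, vendor type 1) and how the
receiving device should verify the Response Authenticator before trusting it.
"""
import hashlib
import hmac
import struct
from typing import Iterator, List, Tuple

ACCESS_ACCEPT = 2          # RADIUS code for Access-Accept
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AVPAIR = 1           # vendor type of cisco-avpair


def build_cisco_avpair(text: str) -> bytes:
    """Wrap one AV pair string into a Vendor-Specific attribute."""
    value = text.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_part
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        attributes: List[bytes]) -> bytes:
    """Build an Access-Accept; the Response Authenticator binds the reply to
    the request and the shared secret (MD5 per RFC 2865, section 3)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS must check before acting on any attribute in the reply."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, received)


def iter_tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk RADIUS type/length/value triples; rejects truncated or zero-length entries."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        typ, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield typ, data[pos + 2:pos + length]
        pos += length


def cisco_avpairs(packet: bytes) -> List[str]:
    """Extract every cisco-avpair string from the packet's attributes."""
    pairs = []
    for typ, value in iter_tlvs(packet[20:]):
        if typ != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in iter_tlvs(value[4:]):
            if vtype == CISCO_AVPAIR:
                pairs.append(vvalue.decode("ascii", errors="replace"))
    return pairs


def privilege_level(packet: bytes, default: int = 1) -> int:
    """Privilege level the device would apply: shell:priv-lvl if present and
    in range 0..15, otherwise the default exec level (1)."""
    for pair in cisco_avpairs(packet):
        key, _, val = pair.partition("=")
        if key.strip() == "shell:priv-lvl" and val.strip().isdigit():
            level = int(val)
            if 0 <= level <= 15:
                return level
    return default


if __name__ == "__main__":
    # Constructed values: a fake Request Authenticator and shared secret.
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    accept = build_access_accept(7, req_auth, secret,
                                 [build_cisco_avpair("shell:priv-lvl=15")])
    print("authenticator ok:", verify_response_authenticator(accept, req_auth, secret))
    print("privilege level :", privilege_level(accept))
```

The parser returns the default exec level (1) when no `shell:priv-lvl` pair is present, which is what leaves a RADIUS user unable to reach the HTTP server until the pair is added on the IAS side.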
07-30-2007 04:40 AM
Post your current AAA config sections.
07-30-2007 04:45 AM
Please paste the device config. Also let us know where the RADIUS server is located.
-amit singh
07-30-2007 04:54 AM
Here we go.
Thanks for the help.
07-30-2007 05:37 AM
This link might help:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
Narayan
please rate all posts
07-30-2007 06:42 AM
OK, looks good. I am going to make a couple of assumptions here:
I have updated the 3560 I'm using for test to the latest IOS available for it (12.2.25-SEE4), so I am going to follow the "HTTP V1.1 Server - Before Cisco Bug ID CSCeb82510" section and do this:
aaa new-model
aaa authentication login CONSOLEandHTTP radius local
aaa authorization exec CONSOLEandHTTP radius local
!
ip http authentication aaa
!
line con 0
 login authentication CONSOLEandHTTP
 authorization exec CONSOLEandHTTP
Where "CONSOLEandHTTP" is replaced by my TRAuthList.
Does this sound correct? Fortunately this is a test switch sitting in my office, so I'm unconcerned if I have to wipe it. :)
Thanks
07-30-2007 07:04 AM
OK, I tried what I said above.
I'm still failing on http, but think I'm very very close. I attached the debug I did on ip http, and an updated config.
Many thanks for all the help on what is really a not-very-important issue, but helps me enormously locally.
07-31-2007 03:19 AM
ding ding ding.
That did the trick. I almost thought it hadn't, then realized I had gone back to ip http authentication enable. Changed it back to triple-a, and bingo.
Ultimately my config turned out as attached.
Very helpful.
I'd be curious how you have your groups and access levels configured, as I would still like to be able to give the help-desk folks the ability to check port configs for vlan access, speed/duplex settings, etc.
Thanks very much to all for your help.
07-31-2007 03:59 AM
I don't think it's possible to have different privilege levels with HTTP Authentication. You could probably do it with AAA Authorisation, but you would need ACS and then command-sets associated with users/groups. I have never configured this, though; however, it looks like there are commands available in IOS (for a 3550 I have at least) for this:
switch(config)#ip http authentication aaa ?
  command-authorization  Set method list for command authorization
  exec-authorization     Set method list for exec authorization
  login-authentication   Set method list for login authentication
Andy
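Two points from this thread lend themselves to an automated config check: the original poster's slip back to `ip http authentication enable` (the IOS default, which puts the web UI behind the shared enable password), and Andy's earlier caveat that a method list shared between HTTP and the console or vty lines hands a `shell:priv-lvl=15` user level 15 on telnet and SSH as well. The following is an added example, not code from the thread or from Cisco, that audits a running-config text for both. It assumes `aaa new-model` semantics: a line block without `login authentication` uses the default list, and `ip http authentication aaa` without a `login-authentication` sub-option also uses the default list. The sample configs are constructed; only the list name TRAuthList is borrowed from the thread.

```python
"""Audit an IOS running-config for the HTTP/AAA pitfalls discussed in this thread.

Added example, not from the thread or from Cisco: a plain-text check that flags
'ip http authentication enable' (the setting the original poster had slipped
back to) and reports which line blocks share HTTP's login method list, since a
user handed shell:priv-lvl=15 for the web UI lands at level 15 there too.
Assumes 'aaa new-model' semantics: a line with no 'login authentication'
uses the default list, and 'ip http authentication aaa' without a
login-authentication sub-option also uses the default list.
"""
import re
from typing import Dict, List, Optional

# Constructed sample config; only the method-list name follows the thread's TRAuthList.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login TRAuthList radius local
aaa authorization exec TRAuthList radius local
!
ip http server
ip http authentication enable
!
line con 0
 login authentication TRAuthList
 authorization exec TRAuthList
line vty 0 4
 login authentication TRAuthList
 authorization exec TRAuthList
"""

# Same config after switching the web UI to AAA with an explicit login list.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "ip http authentication enable",
    "ip http authentication aaa\nip http authentication aaa login-authentication TRAuthList")


def http_auth(config: str) -> Dict[str, Optional[str]]:
    """Return the HTTP auth mode and, for 'aaa', the login/exec method lists in use."""
    result: Dict[str, Optional[str]] = {"mode": None, "login": None, "exec": None}
    for raw in config.splitlines():
        m = re.match(r"^ip http authentication (\S+)(?:\s+(.*))?$", raw.strip())
        if not m:
            continue
        mode, rest = m.group(1), m.group(2) or ""
        result["mode"] = mode
        if mode == "aaa":
            result["login"] = result["login"] or "default"
            result["exec"] = result["exec"] or "default"
            sub = re.match(r"(login-authentication|exec-authorization)\s+(\S+)", rest)
            if sub:
                result["login" if sub.group(1) == "login-authentication" else "exec"] = sub.group(2)
    return result


def line_login_lists(config: str) -> Dict[str, str]:
    """Map each 'line ...' block to the login method list it uses."""
    lists: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            lists[current] = "default"
        elif current and raw.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", raw)
            if m:
                lists[current] = m.group(1)
        elif raw.strip():
            current = None  # any other top-level line ends the block
    return lists


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("aaa new-model is absent: method lists cannot be applied")
    http = http_auth(config)
    http_enabled = re.search(r"^ip http (secure-)?server\s*$", config, re.M) is not None
    if http_enabled and http["mode"] in (None, "enable"):
        findings.append("HTTP server authenticates with the shared enable password "
                        "(ip http authentication enable, also the IOS default); use aaa")
    if http["mode"] == "aaa":
        for line, lst in line_login_lists(config).items():
            if lst == http["login"]:
                findings.append(f"{line} shares login list '{lst}' with HTTP: a RADIUS user "
                                "given shell:priv-lvl=15 for the web UI gets level 15 here too")
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the "after" config, the audit no longer complains about the enable password but does report that both `line con 0` and `line vty 0 4` share TRAuthList with HTTP, which is exactly the side effect to decide on deliberately (separate lists, or accepting that the HTTP group is level 15 everywhere).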
07-31-2007 04:50 AM
No, I don't think with HTTP there's any choice. But an ability to at least get them telnet access to basic information would be good.
I've looked at those commands some, but haven't played with them yet.
07-31-2007 10:55 AM
Hi,
If you are looking for the ability to let users issue only some specific commands, then you need to use TACACS instead of RADIUS.
With TACACS/ACS you can control which commands any user can issue, and it will give you total control over users.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp697557
Regards,
~JG
08-04-2007 02:03 PM
How did you configure the shell:priv-lvl=15 to IAS?
Thanks
08-06-2007 04:48 AM
Hi,
Check out this attachment. It explains all about your query.
Regards,
~JG
08-06-2007 04:59 AM
Wow. Cal, that is a really nice guide.
Once the fine folks here pointed me in the right direction, I went to IAS and highlighted Remote Access Policies.
I right-clicked my policy (in my case, ciscoauth) and hit Properties.
Went to Edit Profile, then the "Advanced" tab.
Add / Cisco-AV-Pair, and under attribute values hit Add, and entered shell:priv-lvl=15.
HTH
