02-07-2019 12:48 AM - edited 03-08-2019 05:16 PM
Hello,
I have 3850 switches with 16.3.6 IOS version.
We have Radius authentication for ssh with a local account as a fallback.
When I am trying to connect to a switch from any browser I get the below screen.
I have used Windows AD credentials and a local user but I couldn't connect in both cases. (I checked multiple times that I use the correct credentials.)
And the strangest thing in this case is, when I am trying to connect via GUI, using any kind of credentials, my SSH permissions are changed from privilege 15 to enable. After a few minutes I am able to connect via SSH with privilege 15.
Do you know why this is happening? Is it something that I have to fix in the configuration?
Thank you
02-07-2019 12:51 AM
Hi there,
Have you configured:
!
ip http authentication aaa
!
...if so what does your aaa authentication login default method look like?
Can you share the output of:
sh run | inc ip http
cheers,
Seb.
02-07-2019 01:02 AM
Hello Seb,
I suppose that even though I have not configured ip http authentication aaa, I could log in with local credentials.
Is this correct?
SW#sh run | inc ip http
ip http server
ip http authentication local
ip http secure-server
SW#sh run | i aaa
aaa new-model
aaa authentication login AUTH_LIST group radius local
aaa session-id common
02-07-2019 01:13 AM
02-07-2019 01:22 AM
Hello,
I just did it and it didn't work. And the weirdest thing is what I mentioned in the initial description. It changed privilege 15 to enable.
02-07-2019 01:58 AM
OK, thanks for sharing the ip http commands. If the suggestion didn't work, can you please share the output of:
sh run | inc aaa
BTW, priv_15 *is* privileged EXEC mode. I'm not sure I understand your problem.
cheers,
Seb.
02-07-2019 02:15 AM
Hi Seb,
Maybe I didn't describe it correctly.
When I am connecting to the device via SSH with my AD credentials, I have configured privilege 15 under the VTYs and it prompts me directly in privileged mode (SW#).
When I am trying to connect via browser and get the errors, if I try to log in via SSH to the device, I will be in exec mode (SW>).
How is this possible?
SW#sh run | inc aaa
aaa new-model
aaa authentication login AUTH_LIST group radius local
aaa session-id common
02-07-2019 02:35 AM
OK, to use RADIUS for the HTTP authentication you need to update the default method, since you cannot specify any other method name for HTTP auth. Add the following:
!
aaa authentication login default group radius local
!
Regarding the issue where a failed HTTP login causes your next SSH session to initiate with a lower privilege level, I am not sure.
You would need to debug aaa authentication and see what the switch is doing with the RADIUS response.
cheers,
Seb.
02-07-2019 02:47 AM
I debugged aaa but I did not get any indication about it. Authentication is successful but it prompts me in exec mode.
Maybe it's a bug in IOS, but this is something that I cannot answer.
For the HTTP login I found the solution. The correct command for my case, where I don't use the default method, is the below:
ip http authentication aaa login-authentication AUTH_LIST
It works now!!
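An added example, not part of the original thread or any Cisco tooling: a small offline check that reads `sh run` output and reports which login method list the web UI ends up using and whether that list is defined. The function name `audit_http_auth` is hypothetical, the sample configs are constructed from the outputs quoted above, and it assumes that `ip http authentication aaa` without `login-authentication` falls back to the `default` login list.

```python
import re

# Constructed samples: the config quoted in the thread, before and after the fix.
BEFORE = """\
aaa new-model
aaa authentication login AUTH_LIST group radius local
aaa session-id common
ip http server
ip http authentication local
ip http secure-server
"""
AFTER = BEFORE.replace(
    "ip http authentication local",
    "ip http authentication aaa login-authentication AUTH_LIST")

def audit_http_auth(config):
    """Return (auth_source, findings) for the web UI login path."""
    lists = {}   # login method list name -> method keywords in order
    http = None  # tokens following "ip http authentication"
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
        m = re.match(r"ip http authentication (.+)", line)
        if m:
            http = m.group(1).split()
    if http is None:
        return "unset", ["no 'ip http authentication' line found"]
    if http[0] != "aaa":
        # e.g. "local": the AAA method lists are not consulted for the web UI
        return http[0], ["web UI login does not use the AAA method lists"]
    name = "default"  # assumed fallback when no list is named
    if "login-authentication" in http:
        idx = http.index("login-authentication")
        if idx + 1 < len(http):
            name = http[idx + 1]
    findings = []
    if name not in lists:
        findings.append(f"login method list '{name}' is not defined")
    elif "local" not in lists[name]:
        findings.append(f"list '{name}' has no local fallback")
    return f"aaa:{name}", findings
```
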
03-18-2020 08:51 AM
I have the same problem, that the https "webui" page won't recognize any credentials, local or radius. 16.3.6 on a 3850 stack. However we already had the command in place described here as a fix. New ideas?
03-19-2020 02:15 AM - edited 03-19-2020 02:56 AM
03-19-2020 02:57 AM
nothing new from my side