Cannot login via GUI in 3850 switch

Hello,

I have 3850 switches with 16.3.6 IOS version.

We have Radius authentication for ssh with a local account as a fallback.

When I am trying to connect to a switch from any browser I get the below screen

Capture.PNG

I have used Windows AD credentials and local user but I couldn't connect in both cases. (Checked it multiple times that I use the correct credentials)

And the stranger thing in this case is, when I am trying to connect via GUI, using any kind of credentials, my ssh permissions are changed from privilege 15 to enable. After a few minutes I am able to connect via ssh with privilege 15.

Do you know why this is happening? Is it something that I have to fix in configuration?

Thank you

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Cannot login via GUI in 3850 switch

I debugged aaa but I did not have any indication about it. Authentication is successful but it prompts me in exec mode.

Maybe it's a bug in IOS, but this is something that I cannot answer.

For the http login I found the solution. The correct command for my case, where I don't use default method, is the below

 

ip http authentication aaa login-authentication AUTH_LIST

 

it works now!!
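
An added example, not part of the original post or any Cisco tooling: a small Python check over saved running-config text that reports which login method list the HTTP server depends on and whether that list is defined. It assumes, as the replies in this thread indicate, that a bare `ip http authentication aaa` uses the `default` login list; the function name and sample configs are constructed for illustration.

```python
import re

# Constructed sample modeled on the output posted in this thread, with HTTP
# authentication switched to "aaa" as one reply suggested.
SAMPLE_BEFORE = """\
aaa new-model
aaa authentication login AUTH_LIST group radius local
aaa session-id common
ip http server
ip http authentication aaa
ip http secure-server
"""
# Same config with the command from the accepted solution.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "ip http authentication aaa",
    "ip http authentication aaa login-authentication AUTH_LIST")

LOGIN_LIST = re.compile(r"^aaa authentication login (\S+) (.+)$")
HTTP_AUTH = re.compile(
    r"^ip http authentication (\S+)(?: login-authentication (\S+))?")


def audit_http_auth(config: str) -> dict:
    """Report the login method list the HTTP server relies on and whether
    that list is defined in the given running-config text."""
    lists, http = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := LOGIN_LIST.match(line):
            lists[m.group(1)] = m.group(2).split()
        elif m := HTTP_AUTH.match(line):
            http = m
    if http is None:
        return {"mode": None, "list": None, "methods": None, "defined": None}
    mode, named = http.group(1), http.group(2)
    if mode != "aaa":  # e.g. "local": login method lists are not consulted
        return {"mode": mode, "list": None, "methods": None, "defined": None}
    wanted = named or "default"  # assumption: bare "aaa" uses the default list
    methods = lists.get(wanted)
    return {"mode": mode, "list": wanted, "methods": methods,
            "defined": methods is not None}


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, audit_http_auth(cfg))
```

A result with `"defined": False` flags the situation in this thread: HTTP authentication points at a login list that the configuration never declares.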

 

8 REPLIES 8
VIP Advisor

Re: Cannot login via GUI in 3850 switch

Hi there,

Have you configured:

!
ip http authentication aaa
!

...if so, what does your aaa authentication login default method look like?

Can you share the output of:

sh run | inc ip http

 

cheers,

Seb.

Re: Cannot login via GUI in 3850 switch

Hello Seb,

I suppose that, although I have not configured ip http authentication aaa, I could log in with local credentials.

Is this correct?

SW#sh run | inc ip http
ip http server
ip http authentication local
ip http secure-server


SW#sh run | i aaa
aaa new-model
aaa authentication login AUTH_LIST group radius local
aaa session-id common

Enthusiast

Re: Cannot login via GUI in 3850 switch

Hi, you have to use the
ip http authentication aaa
command to enable RADIUS accounts for web login.

regards,

Re: Cannot login via GUI in 3850 switch

Hello,

I just did it and it didn't work. And the weirdest thing is what I mentioned in the initial description. It changed privilege 15 to enable.

VIP Advisor

Re: Cannot login via GUI in 3850 switch

OK, thanks for sharing the ip http commands. If the suggestion didn't work, can you please share the output of:

sh run | inc aaa

 

BTW, priv_15 *is* privileged EXEC mode. I'm not sure I understand your problem.

 

cheers,

Seb.

Re: Cannot login via GUI in 3850 switch

Hi Seb,

Maybe I didn't describe it correctly.

When I am connecting to the device via ssh with my AD credentials, I have configured privilege 15 under the VTYs and it prompts me directly to privilege mode (SW#)

When I am trying to connect via browser and get the errors, if I try to log in via ssh to the device, I will be in exec mode (SW>)

How is this possible?

SW#sh run | inc aaa
aaa new-model
aaa authentication login AUTH_LIST group radius local
aaa session-id common

 

VIP Advisor

Re: Cannot login via GUI in 3850 switch

OK, to use RADIUS for the HTTP authentication you need to update the default method, since you cannot specify any other method name for HTTP auth. Add the following:

!
aaa authentication login default group radius local
!

Regarding the issue where a failed HTTP login causes your next SSH session to initiate with a lower privilege level, I am not sure.

You would need to debug aaa authentication and see what the switch is doing with the RADIUS response. 

 

cheers,

Seb.
