
Cannot login via GUI in 3850 switch

Hello,

I have 3850 switches with 16.3.6 IOS version.

We have Radius authentication for ssh with a local account as a fallback.

When I am trying to connect to a switch from any browser I get the below screen

Capture.PNG

I have used Windows AD credentials and local user but I couldn't connect in both cases. (Checked it multiple times that I use the correct credentials)

And the stranger thing in this case is, when I am trying to connect via GUI, using any kind of credentials, my ssh permissions are changed from privilege 15 to enable. After a few minutes I am able to connect via ssh with privilege 15.

Do you know why this is happening? Is it something that I have to fix in configuration?

Thank you


Seb Rupik
VIP Alumni

Hi there,

Have you configured:

!
ip http authentication aaa
!

...if so, what does your aaa authentication login default method look like?

Can you share the output of:

sh run | inc ip http

 

cheers,

Seb.

Hello Seb,

I suppose that, although I have not configured the ip http authentication aaa, I could login with local credentials.

Is this correct?

SW#sh run | inc ip http
ip http server
ip http authentication local
ip http secure-server


SW#sh run | i aaa
aaa new-model
aaa authentication login AUTH_LIST group radius local
aaa session-id common

Hi you have to use,
ip http authentication aaa
command to enable radius accounts to web login.

regards,
Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hello,

I just did it and it didn't work. And the weirdest thing is what I mentioned in the initial description. It changed privilege 15 to enable.

OK, thanks for sharing the ip http commands. If the suggestion didn't work, can you please share the output of:

sh run | inc aaa

BTW, priv_15 *is* privileged EXEC mode. I'm not sure I understand your problem.


cheers,

Seb.

Hi Seb,

Maybe I didn't describe it correctly.

When I am connecting to the device via ssh with my AD credentials, I have configured privilege 15 under the VTYs and it prompts me directly to privilege mode (SW#)

When I am trying to connect via browser and get the errors, if I try to login via ssh to the device, I will be in exec mode (SW>)

How is this possible?

SW#sh run | inc aaa
aaa new-model
aaa authentication login AUTH_LIST group radius local
aaa session-id common


OK, to use RADIUS for the HTTP authentication you need to update the default method, since you cannot specify any other method name for HTTP auth. Add the following:

!
aaa authentication login default group radius local
!

Regarding the issue where a failed HTTP login causes your next SSH session to initiate with a lower privilege level, I am not sure.

You would need to debug aaa authentication and see what the switch is doing with the RADIUS response.


cheers,

Seb.

I debugged aaa but I did not have any indication about it. Authentication is successful but it prompts me in exec mode.

Maybe it's a bug in IOS, but this is something that I cannot answer.

For the http login I found the solution. The correct command for my case, where I don't use the default method, is the below

ip http authentication aaa login-authentication AUTH_LIST

It works now!!
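
An added example, not part of the original posts and not Cisco tooling: a small Python check that reads a running-config and reports when ip http authentication points at a login method list that is not defined, which is the mismatch resolved above. The sample configs are constructed from the sh run excerpts in this thread, and the function name audit_http_auth is hypothetical.

```python
import re

# Constructed sample configs modelled on the "sh run" excerpts in the thread.
BROKEN = """\
aaa new-model
aaa authentication login AUTH_LIST group radius local
ip http server
ip http authentication aaa
ip http secure-server
"""
FIXED = BROKEN.replace(
    "ip http authentication aaa",
    "ip http authentication aaa login-authentication AUTH_LIST",
)

def audit_http_auth(config: str) -> list[str]:
    """Return findings about how the HTTP server's login ties to AAA lists."""
    lines = [l.strip() for l in config.splitlines()]
    # Names of every 'aaa authentication login <name> ...' method list.
    lists = {m.group(1) for l in lines
             if (m := re.match(r"aaa authentication login (\S+)\s+\S", l))}
    http = [l for l in lines if l.startswith("ip http authentication ")]
    if not http:
        return ["no 'ip http authentication' line found"]
    findings = []
    for l in http:
        words = l.split()[3:]            # tokens after 'ip http authentication'
        if words[0] != "aaa":
            findings.append(f"HTTP login uses '{words[0]}', not an AAA method list")
            continue
        # Without login-authentication, the list named 'default' is used.
        wanted = "default"
        if "login-authentication" in words:
            idx = words.index("login-authentication")
            wanted = words[idx + 1] if idx + 1 < len(words) else ""
        if wanted not in lists:
            findings.append(f"HTTP login references list '{wanted}', which is "
                            f"not defined (defined: {sorted(lists) or 'none'})")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_http_auth(cfg) or "OK")
```

Run it against saved output of sh run; an empty result means the HTTP login line and the defined method lists agree.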

 

I have the same problem, that the https "webui" page won't recognize any credentials, local or radius. 16.3.6 on a 3850 stack. However, we already had the command in place described here as a fix. New ideas?

Nothing new from my side
