02-07-2019 12:48 AM - edited 03-08-2019 05:16 PM
Hello,
I have 3850 switches with 16.3.6 IOS version.
We have Radius authentication for ssh with a local account as a fallback.
When I try to connect to a switch from any browser, I get the screen below.
I have used Windows AD credentials and a local user, but I couldn't connect in either case. (I checked multiple times that I am using the correct credentials.)
The stranger thing in this case is that when I try to connect via the GUI, using any kind of credentials, my SSH permissions are changed from privilege 15 to enable. After a few minutes I am able to connect via SSH with privilege 15.
Do you know why this is happening? Is it something that I have to fix in the configuration?
Thank you.
02-07-2019 12:51 AM
Hi there,
Have you configured:
!
ip http authentication aaa
!
...if so what does your aaa authentication login default method look like?
Can you share the output of:
sh run | inc ip http
cheers,
Seb.
02-07-2019 01:02 AM
Hello Seb,
I suppose that, although I have not configured ip http authentication aaa, I could log in with local credentials.
Is this correct?
SW#sh run | inc ip http
ip http server
ip http authentication local
ip http secure-server
SW#sh run | i aaa
aaa new-model
aaa authentication login AUTH_LIST group radius local
aaa session-id common
02-07-2019 01:13 AM
02-07-2019 01:22 AM
Hello,
I just did it and it didn't work. The weirdest thing is what I mentioned in the initial description: it changed privilege 15 to enable.
02-07-2019 01:58 AM
OK, thanks for sharing the ip http commands. If the suggestion didn't work, can you please share the output of:
sh run | inc aaa
BTW, priv_15 *is* privileged EXEC mode. I'm not sure I understand your problem.
cheers,
Seb.
02-07-2019 02:15 AM
Hi Seb,
Maybe I didn't describe it correctly.
When I connect to the device via SSH with my AD credentials, I have configured privilege 15 under the VTYs and it puts me directly into privileged mode (SW#).
When I try to connect via browser and get the errors, if I then try to log in to the device via SSH, I am in exec mode (SW>).
How is this possible?
SW#sh run | inc aaa
aaa new-model
aaa authentication login AUTH_LIST group radius local
aaa session-id common
02-07-2019 02:35 AM
OK, to use RADIUS for the HTTP authentication you need to update the default method, since you cannot specify any other method name for HTTP auth. Add the following:
!
aaa authentication login default group radius local
!
Regarding the issue where a failed HTTP login causes your next SSH session to initiate with a lower privilege level, I am not sure.
You would need to debug aaa authentication and see what the switch is doing with the RADIUS response.
cheers,
Seb.
02-07-2019 02:47 AM
I debugged AAA but I did not get any indication about it. Authentication is successful but it puts me in exec mode.
Maybe it's a bug in IOS, but this is something that I cannot answer.
For the HTTP login I found the solution. The correct command for my case, where I don't use the default method, is the one below:
ip http authentication aaa login-authentication AUTH_LIST
It works now!
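The mismatch resolved in this thread, as an added example that is not part of any poster's reply: a small Python check over `show running-config` text that reports which AAA login method list the HTTP server authenticates against. The function names and sample configs are constructed for illustration, and the check assumes that `ip http authentication aaa` without `login-authentication` refers to the `default` list.

```python
import re

def parse_methods(tokens):
    """Join 'group <name>' into one method, e.g. ['group radius', 'local']."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out

def audit_http_auth(running_config):
    """Resolve the AAA login list used by 'ip http authentication' and flag mismatches."""
    login_lists, http_mode, http_list = {}, None, None
    for raw in running_config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            login_lists[m.group(1)] = parse_methods(m.group(2).split())
            continue
        m = re.match(r"ip http authentication (\S+)(.*)$", line)
        if m:
            http_mode = m.group(1)
            # Only the login-authentication keyword is inspected here.
            named = re.search(r"\blogin-authentication (\S+)", m.group(2))
            if named:
                http_list = named.group(1)
    issues, used = [], None
    if http_mode == "aaa":
        # Assumption: with no named list, the 'default' login list applies.
        used = http_list or "default"
        if used not in login_lists:
            issues.append(f"HTTP login uses AAA list '{used}', which is not defined")
    elif login_lists:
        issues.append(f"HTTP login mode is '{http_mode}'; AAA lists "
                      f"{sorted(login_lists)} are not consulted")
    return {"mode": http_mode, "list": used,
            "methods": login_lists.get(used, []), "issues": issues}

# Constructed samples based on the config lines quoted in the thread.
AAA = "aaa new-model\naaa authentication login AUTH_LIST group radius local\n"
BEFORE = AAA + "ip http server\nip http authentication local\nip http secure-server\n"
AFTER = AAA + ("ip http server\nip http authentication aaa login-authentication "
               "AUTH_LIST\nip http secure-server\n")

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_http_auth(cfg))
```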
03-18-2020 08:51 AM
I have the same problem, that the https "webui" page won't recognize any credentials, local or radius. 16.3.6 on a 3850 stack. However we already had the command in place described here as a fix. New ideas?
03-19-2020 02:15 AM - edited 03-19-2020 02:56 AM
03-19-2020 02:57 AM
Nothing new from my side.