10-14-2011 06:33 AM - edited 03-07-2019 02:48 AM
Hello everybody,
I am trying to configure TACACS authentication for HTTP on a Cisco 2960 with IOS 15.0.1.SE.
I have configured these commands:
aaa new-model
aaa authentication attempts login 2
aaa authentication login default group tacacs+ local-case
aaa authentication login Authen group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ none
aaa authorization commands 5 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication Authen
But the device is not authenticating. It asks for the credentials (user and pass) but does not authenticate.
Thanks for all.
10-14-2011 06:44 AM
Hi Andre,
Have you enabled the http server command on the switch?
global configuration command
ip http server
then verify with
sh ip http ser sta
HTH
10-14-2011 06:49 AM
Hi Sharifi,
Yes, the http server is enabled. The commands follow.
ip http server
ip http authentication aaa login-authentication Authen
ip http secure-server
tacacs-server host 10.10.10.11 key xxxxxxxxxxx
show ip http server status
HTTP server status: Enabled
HTTP server port: 80
HTTP server authentication method: aaa
HTTP server access class: 0
HTTP server base path: flash:/c2960-lanbasek9-mz.150-1.SE/html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
Thanks.
10-14-2011 08:26 AM
Andre
Is TACACS working for authentication when logging in to the router? It would help to understand whether it is some problem with TACACS or some problem specific to the http server on the router.
Can you post the output of show tacacs?
HTH
Rick
10-14-2011 09:56 AM
Tacacs is working fine.
I am using it and it works for telnet/ssh.
Http authentication was working with IOS 12. Now I upgraded to IOS 15 and http authentication stopped working.
show tacacs
Tacacs+ Server - public :
Server address: 10.10.10.11
Server port: 49
Socket opens: 124
Socket closes: 124
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 132
Total Packets Recv: 132
Regards.
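The triage asked for in the replies above (is the fault in TACACS+ or specific to the HTTP server?), as an added example that is not part of any post in this thread. The helper names `kv` and `triage` are hypothetical, and the sample inputs are constructed from lines posted above. An empty error list means the configuration and the TACACS+ transport are consistent, which points at the HTTP server path itself.

```python
import re

# Constructed sample input: lines copied from the posts in this thread.
RUNNING_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication login Authen group tacacs+
ip http server
ip http authentication aaa login-authentication Authen
"""
HTTP_STATUS = "HTTP server status: Enabled\nHTTP server authentication method: aaa\n"
SHOW_TACACS = """\
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 132
Total Packets Recv: 132
"""
FAIL_COUNTERS = ("Socket aborts", "Socket errors", "Socket Timeouts", "Failed Connect Attempts")

def kv(text):
    """Parse 'Key: value' lines of show output into a dict."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def triage(config, http_status, show_tacacs):
    """Return (errors, notes). No errors: config and TACACS+ transport are consistent."""
    errors, notes = [], []
    lists = dict(re.findall(r"^aaa authentication login (\S+) (.+)$", config, re.M))
    m = re.search(r"^ip http authentication aaa(?: login-authentication (\S+))?\s*$", config, re.M)
    if not m:
        errors.append("HTTP server is not configured for AAA authentication")
    else:
        name = m.group(1) or "default"  # without a named list IOS uses 'default'
        if name not in lists:
            errors.append(f"login method list '{name}' is referenced but not defined")
        elif not re.search(r"\blocal", lists[name]):
            notes.append(f"list '{name}' has no local fallback if TACACS+ is unreachable")
    if kv(http_status).get("HTTP server authentication method") != "aaa":
        errors.append("running HTTP server does not report authentication method 'aaa'")
    t = kv(show_tacacs)
    bad = {c: t[c] for c in FAIL_COUNTERS if int(t.get(c, 0)) > 0}
    if bad:
        errors.append(f"TACACS+ transport failures: {bad}")
    if t.get("Total Packets Sent") != t.get("Total Packets Recv"):
        errors.append("TACACS+ requests sent and replies received differ")
    return errors, notes

if __name__ == "__main__":
    print(triage(RUNNING_CONFIG, HTTP_STATUS, SHOW_TACACS))
```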
10-31-2011 02:52 AM
Hi Andre,
I hope that you already know it, but you can't do anything...
There is a bug and the code is CSCtq94595.
If you need http authentication with 2960 switches you need to downgrade to a version before 12.2.58 or wait for a new release of IOS...
Regards
11-30-2011 07:27 AM
Ciao Giacomo,
Does this bug also affect 12.2.58 SE2? Because that's what I have on my Catalyst 2960 switches and I'm missing the http/https radius authentication (which was working before, with 12.2.55)...
Kind regards and thanks.
F.
10-31-2011 09:24 AM
Thank you.