12-07-2017 03:42 AM - edited 03-08-2019 01:01 PM
Hi all - having difficulty in getting TACACS to authorise logins from HTTP.
I have configured TACACS using the new commands, which has worked fine for CLI logins since day 1. I assumed that in order to enable the same authentication methods for the HTTP server, I would simply have to configure the command "ip http authentication aaa" when configuring the HTTP server. However, this hasn't worked and in fact doesn't allow me to login to the switch at all via the HTTP page, unless I remove that config line, so that it defaults back to enable login.
Here is my TACACS and HTTP config:
aaa new-model
aaa group server tacacs+ llacs
 server name llacs-server
 ip tacacs source-interface Vlan10
!
aaa authentication login default group llacs local
aaa authentication enable default group llacs enable none
aaa accounting commands 5 default start-stop group llacs
aaa session-id common
!
tacacs server llacs-server
 address ipv4 1x.x.x.x
 key tacacskey
!
ip http server
ip http authentication aaa
ip http secure-server
When trying to login via the HTTP interface, nothing works, unless I remove the "ip http authentication aaa" line.
How come it works fine for CLI, but doesn't for HTTP? Doesn't make sense!
Any help appreciated.
Thanks :)
12-07-2017 05:19 AM
Hello,
which IOS version are you running ? There is a bug in the older 12.2(58)SE and 12.2.58S, which has been fixed in 15.0(1)SE1.
Either way, is this the full config ? I think you also need the following:
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
12-07-2017 05:40 AM - edited 12-07-2017 05:40 AM
It's an almost brand new switch - running 2960-X version 15.2(2)E6.
I added those commands - thought I may have been missing something. However, they haven't helped! Still unable to login with the http authentication configured.
Interestingly, IOS took the command 'ip http authentication aaa login-authentication default' without difficulty, but when issuing the command 'ip http authentication aaa exec-authorization default' it gave the following message:
"Warning: Authorization list "default" is not defined for EXEC."
Not entirely sure what that means!
12-07-2017 05:53 AM
Hello,
the commands:
ip http authentication aaa exec-authorization default
aaa authorization exec default group llacs local
go together. Try and add the 'aaa authorization exec default group llacs local' line first and then the 'ip http authentication aaa exec-authorization default'...
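As an added example (not code from this thread or from Cisco), here is a small Python audit of the dependency the reply above describes: every method list named on an "ip http authentication aaa ..." line has to be defined by a matching "aaa authentication login", "aaa authorization exec" or "aaa authorization commands" line, or IOS prints the 'Authorization list "default" is not defined for EXEC' warning and the web login fails while CLI login still works. The config text inside is constructed to mirror the poster's, with a documentation address in place of the redacted server IP; the function names are the example's own. It also flags the plaintext "ip http server" being left enabled next to "ip http secure-server", since web logins over plain HTTP send the TACACS credentials in the clear.

```python
"""Audit a Cisco IOS running-config for the AAA method-list references that
'ip http authentication aaa' relies on.

Added example, not code from the thread.  The sample config below is
constructed to mirror the poster's, with the server address replaced by a
documentation address.
"""
import re

# Constructed sample: the HTTP exec-authorization reference is present but
# the matching 'aaa authorization exec' line is missing, as in the thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ llacs
 server name llacs-server
 ip tacacs source-interface Vlan10
!
aaa authentication login default group llacs local
aaa authentication enable default group llacs enable none
aaa accounting commands 5 default start-stop group llacs
aaa session-id common
!
tacacs server llacs-server
 address ipv4 192.0.2.10
 key tacacskey
!
ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
"""

# Same config with the two fixes applied: define the EXEC authorization list
# the HTTP server points at, and turn off plaintext HTTP.
FIXED_CONFIG = (
    SAMPLE_CONFIG.replace("ip http server\n", "no ip http server\n")
    + "aaa authorization exec default group llacs local\n"
)

# (regex for the HTTP-side reference, template for the AAA-side definition
#  it requires, label used in findings).  The trailing space in each template
#  keeps "default" from matching a list named "default2".
_RULES = [
    (re.compile(r"^ip http authentication aaa login-authentication (\S+)$"),
     "aaa authentication login {list} ", "login authentication"),
    (re.compile(r"^ip http authentication aaa exec-authorization (\S+)$"),
     "aaa authorization exec {list} ", "EXEC authorization"),
    (re.compile(r"^ip http authentication aaa command-authorization (\d+) (\S+)$"),
     "aaa authorization commands {level} {list} ", "command authorization"),
]


def _top_level_lines(config):
    """Return non-indented, non-comment lines of an IOS config, stripped."""
    return [raw.strip() for raw in config.splitlines()
            if raw and not raw.startswith(" ") and not raw.startswith("!")]


def audit_http_aaa(config):
    """Return a list of finding strings for an IOS config text.

    Findings cover HTTP method-list references with no AAA definition and
    plaintext HTTP left enabled; an empty list means nothing was found.
    """
    lines = _top_level_lines(config)
    findings = []
    for line in lines:
        for ref_re, def_tmpl, label in _RULES:
            m = ref_re.match(line)
            if not m:
                continue
            groups = m.groups()
            if len(groups) == 2:  # command-authorization carries a level
                needed = def_tmpl.format(level=groups[0], list=groups[1])
            else:
                needed = def_tmpl.format(list=groups[0])
            # Prefix match: the method sequence (group X local ...) follows.
            if not any(l.startswith(needed) for l in lines):
                findings.append(
                    f'{label} list "{groups[-1]}" referenced by "{line}" '
                    f'has no matching "{needed.strip()}" line')
    if "ip http server" in lines:
        findings.append(
            'plaintext "ip http server" is enabled; use "no ip http server" '
            'and keep only "ip http secure-server"')
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"--- {name} ---")
        for f in audit_http_aaa(cfg) or ["no findings"]:
            print(" ", f)
```

Run on the posted config it reports the dangling EXEC authorization list and the plaintext HTTP server; on the fixed config it reports nothing. It only looks at top-level lines, so method lists referenced from "line vty" or "line con" sections are out of scope.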
12-07-2017 07:41 AM
I'm a little confused....
So I have this command already configured:
aaa authorization exec default group llacs local
And then I configured this:
ip http authentication aaa exec-authorization default
It doesn't work.
Are you saying I need to add them in a different order? That doesn't sound right to me.... AAA/TACACS is working fine for the CLI, so why would it matter what order I add the HTTP commands in?
12-07-2017 07:53 AM
Hello,
what do you have configured now, after adding my suggestions ?
That said, are you trying http or https ?
12-07-2017 08:21 AM - edited 12-07-2017 08:27 AM
I've tried both HTTP and HTTPS - same issue.
Current config is this:
aaa new-model
aaa group server tacacs+ llacs
 server name llacs-server
 ip tacacs source-interface Vlan10
!
aaa authentication login default group llacs local
aaa authentication enable default group llacs enable none
aaa accounting commands 5 default start-stop group llacs
aaa session-id common
!
aaa group server tacacs+ llacs
 server name llacs-server
 ip tacacs source-interface Vlan10
!
tacacs server llacs-server
 address ipv4 x.x.x.x
 key tacacskey
!
ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
12-07-2017 08:32 AM
Just realised your post said to config the AAA authorization commands - doh!
I've added that config as below, but still not working :(
aaa authorization exec default group llacs local
12-07-2017 08:58 AM
Hello,
something is missing. Can you post the full configuration of the switch ? Also, what is the output of 'show crypto key' ? You might want to zeroize whatever key is in there and create a new one...