
350 IOS HTTP authentication using RADIUS not TACACS

candv
Level 1

I am trying to get "ip http authentication aaa" on a 350/1200 IOS wireless access point to work using RADIUS (using ACS 3.2 and Cisco IOS/PIX RADIUS Attributes).

I can get the 350 vxworks to work by adding

"aironet:admin-capability=write+snmp+ident+firmware+admin"

to the ACS server.

I can get CLI authentication to the IOS 350 by adding

"shell:priv-lvl=15"

but am having no luck with radius authenticating.

I have been able to use TACACS+ to do ip http authentication but I want to use RADIUS. Does anyone know where I am going wrong? When I look on the ACS server it doesn't fail (it passes authentication); it just seems like there is something weird happening with enable level 15. I have removed the local authentication. I think I am not passing the correct attributes, even though debugging does pass username etc. correctly.

thanks

1 Reply

pradeepde
Level 5

The following are the steps I followed, and it's working fine for me:

On the AP

1. Setup -> security -> Authentication Server - Make sure that User Authentication is checked.

2. Setup -> security -> User Information -- Add a user

3. Setup -> security -> User Manager -- Enable user manager

On the ACS

1. Setup a group

2. Look for "Cisco IOS/PIX RADIUS Attributes", which will not show unless you have an AAA client authenticate using the 'radius (cisco ios/pix)'

3. Check "[009\001] cisco-av-pair"

4. Add "aironet:admin-capability=write+snmp+ident+firmware+admin"

5. Add a user in that group
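
What the ACS label "[009\001] cisco-av-pair" means on the wire, as an added example that is not part of the thread or any Cisco code: the string travels in RADIUS attribute 26 (Vendor-Specific) with vendor ID 9 and vendor sub-type 1. The function names and the sample bytes are constructed for illustration; decoding the attributes of a captured Access-Accept this way shows exactly which privilege strings the server returned to the AP.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865)
CISCO_VENDOR_ID = 9    # the "009" in ACS's "[009\001]"
CISCO_AVPAIR = 1       # the "001": vendor sub-type cisco-av-pair


def encode_avpair(avpair):
    """Wrap one cisco-av-pair string in a Vendor-Specific attribute."""
    data = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    total = 2 + 4 + len(sub)          # type + length + vendor id + sub-attribute
    if total > 255:
        raise ValueError("av-pair too long for one RADIUS attribute")
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, CISCO_VENDOR_ID) + sub


def decode_avpairs(attrs):
    """Return every cisco-av-pair string in a run of RADIUS attributes."""
    found, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            (vendor,) = struct.unpack("!I", body[:4])
            vtype, vlen = body[4], body[5]
            if (vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR
                    and 2 <= vlen <= len(body) - 4):
                found.append(body[6:4 + vlen].decode("ascii"))
        i += alen
    return found


def split_avpair(avpair):
    """Split 'protocol:attribute=value' (the form used in the thread)."""
    protocol, rest = avpair.split(":", 1)
    name, value = rest.split("=", 1)
    return protocol, name, value


# Constructed sample: attribute bytes carrying both strings quoted in the
# thread, followed by an unrelated Reply-Message attribute (type 18).
SAMPLE = (encode_avpair("shell:priv-lvl=15")
          + encode_avpair("aironet:admin-capability=write+snmp+ident+firmware+admin")
          + bytes([18, 4]) + b"ok")

if __name__ == "__main__":
    for pair in decode_avpairs(SAMPLE):
        print(split_avpair(pair))
```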
