01-08-2024 09:03 AM - edited 01-08-2024 09:08 AM
Hello,
I've set up RADIUS for admins to log on to our 9800 (with ISE), but when I log on to the web admin portal I can't see any admin options. Just Monitoring and Dashboard.
CLI seems fine.
This is what's set up on the 9800:
aaa new-model
aaa group server radius ISE
 server name ise-1
 server name ise-2
aaa authentication login default local
aaa authentication login radius-authe-method group ISE local
aaa authentication dot1x ISE group ISE
aaa authorization exec default local
aaa authorization exec radius-autho-method group ISE
radius server ise-1
 address ipv4 10.52.7.106 auth-port 1812 acct-port 1813
 key password
!
radius server ise-2
 address ipv4 10.52.7.104 auth-port 1812 acct-port 1813
 key password
line con 0
 logging synchronous
 stopbits 1
line vty 0 4
 authorization exec radius-autho-method
 login authentication radius-authe-method
 transport input ssh
line vty 5 15
 authorization exec radius-autho-method
 login authentication radius-authe-method
 transport input ssh
line vty 16 50
 transport input ssh
ip http authentication aaa login-authentication radius-authe-method
ip http authentication aaa exec-authorization radius-autho-method
ISE has this on the profile:
Access Type = ACCESS_ACCEPT
cisco-av-pair = shell:priv-lvl=15
01-08-2024 09:29 AM
That config looks OK to me. Do you want to try removing the following lines? You already have VTY covered, so it shouldn't be a problem.
aaa authentication login default local
aaa authorization exec default local
01-08-2024 09:38 AM
Thanks for getting back to me. I did:
no aaa authentication login default local
no aaa authorization exec default local
Then logged on but had the same
I do see this on the console:
01-08-2024 09:50 AM
show user
Check which VTY line the user appears on.
Also, can you confirm whether you access the WLC via an ISE user or via a local user?
I know it's hard if you use the same username in both ISE and local, but you can add privilege 15 to the local username and hence have full access to the WLC whether you use ISE or local.
MHM
01-08-2024 10:01 AM
aaa authorization exec radius-autho-method group ISE LOCAL
You also need to add LOCAL to the end of the authz method list.
MHM
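As an added example (not from the thread and not Cisco code), a small Python audit that pulls the named AAA method lists and the ip http authentication bindings out of a running-config and flags what MHM's suggestion addresses: a WebUI method list with no local fallback, which is a lockout risk if RADIUS is unavailable. The sample config is constructed from the one posted above; the line syntax handled is an assumption limited to the forms that appear in this thread.

```python
import re

# Constructed sample based on the 9800 config posted in the thread, before
# LOCAL is appended to the exec-authorization method list.
SAMPLE_CONFIG = """\
aaa authentication login radius-authe-method group ISE local
aaa authorization exec radius-autho-method group ISE
ip http authentication aaa login-authentication radius-authe-method
ip http authentication aaa exec-authorization radius-autho-method
"""

METHOD_LIST_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")
HTTP_RE = re.compile(r"^ip http authentication aaa (login-authentication|exec-authorization) (\S+)$")

def split_methods(spec):
    """'group ISE LOCAL' -> ['group ISE', 'local']: keywords case-folded, group names kept."""
    methods = []
    for tok in re.findall(r"group\s+\S+|\S+", spec, flags=re.IGNORECASE):
        parts = tok.split()  # ['group', 'ISE'] or ['local']
        methods.append("group " + parts[1] if len(parts) == 2 else parts[0].lower())
    return methods

def parse_config(config):
    """Collect the named AAA method lists and the ip http AAA bindings."""
    lists = {"authentication login": {}, "authorization exec": {}}
    http = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := METHOD_LIST_RE.match(line):
            lists[m.group(1)][m.group(2)] = split_methods(m.group(3))
        elif m := HTTP_RE.match(line):
            http[m.group(1)] = m.group(2)
    return lists, http

def audit_webui_aaa(config):
    """Return findings about the method lists the WebUI (ip http) is bound to."""
    lists, http = parse_config(config)
    findings = []
    for role, kind in (("login-authentication", "authentication login"),
                       ("exec-authorization", "authorization exec")):
        name = http.get(role)
        if name is None:
            findings.append(f"{role}: no ip http authentication aaa binding")
        elif name not in lists[kind]:
            findings.append(f"{role}: method list {name} is not defined")
        elif "local" not in lists[kind][name]:
            findings.append(f"{role}: {name} has no local fallback (lockout risk)")
    return findings
```

Running `audit_webui_aaa(SAMPLE_CONFIG)` reports the exec-authorization list; after appending LOCAL to it the audit returns no findings.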
01-08-2024 10:10 AM
Hi,
Thanks for the help.
I can't log on with the local 9800 admin account anymore.
show users shows:
9800#sh users
Line User Host(s) Idle Location
* 1 vty 0 robd idle 00:00:00 laptop.domain.com
I'm using domain auth, so I use my domain admin account to log on to ISE, which is OK; it shows a successful auth in ISE.
Is there config missing here for HTTP:
line vty 0 4
 authorization exec radius-autho-method
 login authentication radius-authe-method
 transport input ssh
01-08-2024 10:27 AM
I dislike dealing with authc and authz on Cisco.
So you can still access the WLC via VTY SSH?
MHM
01-08-2024 10:41 AM
I can log on via SSH with my domain account and get to config.
It's just the web GUI that doesn't work. I could log a TAC.
01-08-2024 11:07 AM
debug radius
Can you check with debug whether RADIUS returns the AV priv 15 or not?
MHM
01-08-2024 10:30 AM
- Not related to your original post, but regarding the console message:
%SYS-5-CONFIG_P: Configured programmatically by process SE_webui_wsma_http from console as ...
Take care and note: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webui-cmdij-FzZAeXAy
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe12578
M.
01-09-2024 12:51 AM
Hi All,
It's fixed!!
So in ISE there are two options that look the same:
This one doesn't work (guest should have given it away):
This one does work:
01-09-2024 01:58 AM
Thanks a lot for updating us.
Glad the issue is solved.
Have a nice day.
MHM
01-09-2024 02:53 AM
Thanks for all your help, really appreciate it.