Solved: 9800-L-C AAA not working for HTTPS but works for SSHv2

Eric House · ‎05-04-2026

Cisco 9800-L-C running IOS XE 17.15.5, using Cisco ISE 3.4 for TACACS+. AAA is working flawlessly for SSH authentication and authorization, good logs on both sides. When I change from local to AAA for IP HTTPS secure-server, the webgui fails to load, giving the Openresty error page. ISE logs show successful authentication and authorization entries with authorization response {Author-Reply-Status=PassAdd; AVPair=priv-lvl=15; } giving the correct privilege level 15. If a wrong password is entered, the webgui responds with a failed authentication message and returns to logon prompt. Is something acting wrong or did I miss an additional config change needed to make AAA work with the webgui?

Working local auth config:
ip http authentication local

Fails when I configure for TACACS:
aaa authentication login NAME group GROUP local
aaa authorization exec NAME group GROUP local
ip http authentication aaa login-authentication NAME
ip http authentication aaa exec-authorization NAME

TACACS debug from switch returns:
May 1 17:09:49.990: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: USERNAME] [Source: xx.xx.xx.xx] at 12:09:49 CST Fri May 1 2026
May 1 17:09:49.991: %WEBSERVER-5-LOGIN_PASSED: Chassis 2 Login Successful from host xx.xx.xx.xx by user 'USERNAME' using crypto cipher 'TLS_AES_256_GCM_SHA384'

Failure message when trying webgui with AAA:
An error occurred.
Sorry, the page you are looking for is currently unavailable.
Please try again later.

If you are the system administrator of this resource then you should check the error log for details.

Faithfully yours, OpenResty.

Eric House · ‎05-04-2026

I appreciate everyone's help with this, I stumbled upon the issue. The ip http client source-interface needs to match the ip tacacs source-interface. I had a mismatch and it was causing the error.

View solution in original post

Mark Elsen · ‎05-04-2026

= @Eric House >....giving the Openresty error page
Can you post the content of that error page (or screenshot -e.g.)

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Eric House · ‎05-04-2026

Image attached, hopefully it sheds some light, thank you.

Mark Elsen · ‎05-04-2026

- @Eric House Can you post the output of : show run | inc ip http

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Eric House · ‎05-04-2026

HOSTNAME#sh run | inc ip http
no ip http server
ip http authentication aaa login-authentication NAME
ip http authentication aaa exec-authorization NAME
ip http secure-server
ip http tls-version TLSv1.3
ip http secure-trustpoint NGTNWLNASH.ng.ds.army.mil
ip http session-idle timeout 300
ip http client source-interface vlan###

If I replace the authentication aaa lines with local, it works with the local user.

Mark Elsen · ‎05-04-2026

- @Eric House In that screenshot is : >....you should check the error log for details
That is a link (error log) ; could you post the resulting content when pressing the link

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Eric House · ‎05-04-2026

It doesn't, it directs to https://nginx.org/en/docs/ngx_core_module.html#error_log

The logs in ISE and in the wireless controller's CLI shows the same for a successful SSH login as it does for the failing webgui login.

Mark Elsen · ‎05-04-2026

- @Eric House Add this directive to the running configuration :
privilege exec all level 0 show version
And check if that can help

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Eric House · ‎05-04-2026

No change with that addition.

Mark Elsen · ‎05-04-2026

@Eric House Then I also advice to add : (ref mentioned by @Htonieto )
debug ip http authentication
debug tacacs
debug aaa authentication
debug aaa authorization

- Also use : logging trap debugging (to increase the logging level)
You may get some live action as a result of that ; by using the command
terminal monitor when connected with SSH.
Then try the GUI through https and follow up on the output; well output :
In programs such as PuTTY you can configure a session log file ; for later review !

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Eric House · ‎05-04-2026

The additional debug and logging didn't show anything additional. The same login success log entries come up and nothing else. No indication of any ip http errors.

Htonieto · ‎05-04-2026

Hello @Eric House, just checked mine 9800, which is running 17.15.04d, the only difference is this line.

ip http authentication aaa

Also ISE response is pretty the same

Model Name	9800
Network Device Profile	Cisco
Response	{Author-Reply-Status=PassAdd; AVPair=idletime=15; AVPair=priv-lvl=15; AVPair=timeout=60; }

Do you mind to enable some debugs in the WLC and try the auth again? Please share the logs.

debug aaa authentication
debug aaa authorization
debug tacacs
debug ip http authentication

Eric House · ‎05-04-2026

Debug from switch returns:
May 1 17:09:49.990: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: USERNAME] [Source: xx.xx.xx.xx] at 12:09:49 CST Fri May 1 2026
May 1 17:09:49.991: %WEBSERVER-5-LOGIN_PASSED: Chassis 2 Login Successful from host xx.xx.xx.xx by user 'USERNAME' using crypto cipher 'TLS_AES_256_GCM_SHA384'

aleabrahao · ‎05-04-2026

This is my authorization policy.

This is my configuration on the WLC.

ip http authentication aaa login-authentication tacacs-authe
ip http authentication aaa exec-authorization tacacs_autho

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Eric House · ‎05-04-2026

Looks the same as mine.