9800-L-C AAA not working for HTTPS but works for SSHv2

Eric House
Level 1

Cisco 9800-L-C running IOS XE 17.15.5, using Cisco ISE 3.4 for TACACS+. AAA is working flawlessly for SSH authentication and authorization, good logs on both sides. When I change from local to AAA for IP HTTPS secure-server, the webgui fails to load, giving the Openresty error page. ISE logs show successful authentication and authorization entries with authorization response {Author-Reply-Status=PassAdd; AVPair=priv-lvl=15; } giving the correct privilege level 15. If a wrong password is entered, the webgui responds with a failed authentication message and returns to logon prompt. Is something acting wrong or did I miss an additional config change needed to make AAA work with the webgui?

Working local auth config:
ip http authentication local

Fails when I configure for TACACS:
aaa authentication login NAME group GROUP local
aaa authorization exec NAME group GROUP local
ip http authentication aaa login-authentication NAME
ip http authentication aaa exec-authorization NAME

TACACS debug from switch returns:
May 1 17:09:49.990: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: USERNAME] [Source: xx.xx.xx.xx] at 12:09:49 CST Fri May 1 2026
May 1 17:09:49.991: %WEBSERVER-5-LOGIN_PASSED: Chassis 2 Login Successful from host xx.xx.xx.xx by user 'USERNAME' using crypto cipher 'TLS_AES_256_GCM_SHA384'

Failure message when trying webgui with AAA:
An error occurred.
Sorry, the page you are looking for is currently unavailable.
Please try again later.

If you are the system administrator of this resource then you should check the error log for details.

Faithfully yours, OpenResty.

17 Replies

aleabrahao
Meraki Community All-Star

Have you checked the logs in ISE to see the reason for the failure?

I would start there in your place; the logs are much more intuitive than those in the WLC.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

The ISE logs show no failure; SSH and webgui logins show the same success logs.

Eric House
Level 1

I appreciate everyone's help with this; I stumbled upon the issue. The ip http client source-interface needs to match the ip tacacs source-interface. I had a mismatch, and it was causing the error.
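As an added example (not configuration from the original post or from Cisco), the resolution above written out as one IOS XE configuration in which the TACACS+ source interface and the HTTP client source interface are the same. The method-list name NAME, the server group GROUP and the aaa/ip http lines are the ones from the question; Loopback0 is an assumed placeholder for whichever interface the device actually sources AAA traffic from.

```cisco
! Constructed example: web GUI authentication via TACACS+ with matching source interfaces.
! NAME and GROUP are the names used in the question; Loopback0 is an assumed placeholder.
aaa new-model
aaa authentication login NAME group GROUP local
aaa authorization exec NAME group GROUP local
!
! Interface used for TACACS+ requests to ISE.
ip tacacs source-interface Loopback0
!
! Per the thread's resolution, this must name the same interface as
! ip tacacs source-interface; a mismatch produced the OpenResty error
! page on the web GUI while SSH logins kept working.
ip http client source-interface Loopback0
!
ip http secure-server
ip http authentication aaa login-authentication NAME
ip http authentication aaa exec-authorization NAME
```

To check for the mismatch on a running device, `show running-config | include source-interface` lists both lines together so the two interface names can be compared directly.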
