cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
527
Views
0
Helpful
3
Replies

AAA bug in IOS 12.3(2)JA and JA2 ?

s.fasel
Level 1
Level 1

I think there is a bug in IOS 12.3(2)JA and 12.3(2)JA2.

That is with http/https authentication.

This is my aaa configuration:

aaa new-model

!

!

aaa group server radius rad_adm

server xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646

!

aaa authentication login default group radius line

aaa authentication login console line

aaa authorization exec default group radius if-authenticated

aaa accounting exec default start-stop group rad_adm

aaa session-id common

and my http and radius configuration:

ip http server

ip http authentication aaa

radius-server attribute 32 include-in-access-req format %h

radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646 key 7 yyyyyyyyyyyyyy

radius-server vsa send accounting

when I want to access to my AP via http, the login is refused and the AP logs:

Feb 15 08:14:19.612: AAA/AUTHEN/LOGIN (00000000): Pick method list 'console'

Feb 15 08:14:19.613: AAA/AUTHEN/LINE(00000000): FAIL Line password not found

the http authentication must use the aaa "default method"(via radius), but it uses the "console method".

on the AP with the IOS 12.2(8)JA and the same configuration, the http(s) authentication works correctly.

I have tried with tacacs, but it's the same result. The http authentication works only with a local authentication.

Anyone knows this bug?

Sam

3 Replies 3

gwcrook
Level 1
Level 1

We now use local autentication because of the load euther radius or tacacs authentication places on the AAA server.

The following is the aaa lines for tacacs although you could modify for radius.

aaa group server tacacs+ tac_admin

server 10.2.57.82

server 10.2.57.88

aaa authentication login default group tac_admin local

aaa authentication enable default group tacacs+ none

aaa authorization exec default group tacacs+ if-authenticated local

The following is the http line for local authen

ip http server

ip http authentication local

The following is the http line for tacacs authen in our case

ip http server

ip http authentication local

This is working with 12.2(15)JA and 12.3(2)JA

We do not give aaa a chance to choose console, only default, although I have not tried it you should be able to force aaa to use the default method by altering your command to

ip http authetication aaa default

(I am not at work and do not have an AP to try this on)

Good Luck -- Post your results -- Gerry

thank you Gerry for your help

I'm on holiday until February 28, therefore I would try these commands afterward.

thanks

Sam

Hello Gerry,

I have tried to use your commands with radius and that's working.

But I have always the same problem if I use these two commands in same time:

aaa authentication login default group radius line

aaa authentication login console line

when I want to access to my AP via http, the login is refused and the AP logs:

Feb 15 08:14:19.612: AAA/AUTHEN/LOGIN (00000000): Pick method list 'console'

Feb 15 08:14:19.613: AAA/AUTHEN/LINE(00000000): FAIL Line password not found

the http authentication must use the aaa "default method"(via radius), but it uses the "console method" by default.

Sam

Review Cisco Networking for a $25 gift card