TACACS Authorization of Web Interface on Aironet 1200 AP

jeff-krauss
Level 1

I have the Aironet 1200 AP setup to authenticate and perform authorization for the CLI via TACACS. That is working fine.

However, the web interface is failing "ip http authentication". (Slight caveat - it works for a local user in the local AP DB - it does not work when it goes to CiscoSecure ACS to authenticate/authorize).

I can get to some pages (prompt and pass authentication), but certain pages (e.g. Services>>SNMP) where configuration steps are taken cause a second prompt to be presented; username and password are provided, and it fails.

This is only evident from the output of a "debug ip http authentication"

What do I need to configure in ACS to make this work?

Relevant portion of config:

aaa authentication login default group tacacs+ local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

no ip http server

ip http authentication aaa

ip http secure-server

Sep 7 13:40:59.885: HTTP AAA picking up console Login-Authentication List name: default

Sep 7 13:40:59.885: HTTP AAA picking up console Exec-Authorization List name: default

Sep 7 13:40:59.909: HTTP: Authentication failed for level 15

Sep 7 13:41:06.757: HTTP AAA picking up console Login-Authentication List name: default

Sep 7 13:41:06.757: HTTP AAA picking up console Exec-Authorization List name: default

Sep 7 13:41:06.780: HTTP: Authentication failed for level 15

This document appears to describe a scenario similar to mine, but is for http - not HTTPS:

Local Authentication for HTTP Server Users

http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a0080178a51.shtml#tac-win

Any ideas what I may be missing here?

Thanks,

Jeff

2 Replies

thomas.chen
Level 6

TACACS with GUI (web interface) will not work. This is a known issue. There is no fix for this one to my knowledge. The only work around to this is to use a local database. Hope this helps.

I found the answer was to use a more specific "ip http authentication" statement. Specifically, it required the following:

CiscoSecure ACS:

Group Settings

Shell (exec)

Priv Level = 15

On the AP:

had to enable:

ip http authentication aaa login-authentication AP_Web (Named Method List)
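The reason the ACS side matters is visible in the debug output in the question: the web server's configuration pages need privilege 15, and "Authentication failed for level 15" is the HTTP server rejecting a session whose exec authorization did not return privilege 15. The following is an added example of a complete AAA/HTTPS stanza in the spirit of that fix; it is not configuration from the original post. The list name AP_Web follows the thread, while the TACACS+ server address, shared key and local fallback username are assumptions for illustration; the exec-authorization keyword is assumed to exist on the AP's IOS release.

```cisco
! Added example, not from the original post. 192.0.2.10, the TACACS+ key and
! the local username are placeholders; AP_Web is the list name used in the thread.
aaa new-model
!
! Older "tacacs-server host" syntax as found on Aironet-era IOS.
tacacs-server host 192.0.2.10 key ExampleKeyChangeMe
!
! Default lists keep the console/SSH behaviour that already works.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
!
! Named lists dedicated to the web UI, referenced explicitly below.
aaa authentication login AP_Web group tacacs+ local
aaa authorization exec AP_Web group tacacs+ local
!
! Web UI: plaintext HTTP off, HTTPS on, AAA via the named lists.
no ip http server
ip http secure-server
ip http authentication aaa login-authentication AP_Web
! Assumption: the exec-authorization keyword is available on this IOS release.
! It lets ACS's shell (exec) attributes, including priv-lvl=15, reach the HTTP server.
ip http authentication aaa exec-authorization AP_Web
!
! Local fallback so the GUI stays reachable if ACS is down ("local" in the lists above).
username admin privilege 15 secret ExampleLocalSecretChangeMe
```

On the ACS side, the group used for these logins must have Shell (exec) enabled with Privilege level set to 15, as the answer states; without it the TACACS+ authorization succeeds for the CLI but the web server's level-15 check fails. A quick check after applying this is to rerun "debug ip http authentication" while loading a configuration page such as Services>>SNMP: the List name in the debug lines is expected to change from default to AP_Web, and the "Authentication failed for level 15" line should no longer appear for an ACS user in that group.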
