AAA authentication when logging into the router via the web browser

Unanswered Question
Feb 25th, 2007

Hi group,

I am trying to get access the a cisco 2621 via http and authentication

via AAA but there is something I am not quite understand.

I am using the freeware TACACS+ server running on RedHat Linux

Enterprise Server 3.0. I setup the TACACS+ account for myself with

enable privilege on the TACACS+ box. This account, let call it,

ddt123, can telnet/ssh into the IOS router and the enable secret

is associated with this account as setup in TACACS+.

Here is my configuration looks like on the TACACS+ file:

[[email protected] tacacs]# more tac_plus.cfg

accounting file = /var/log/tac_plus.log

key = zFgGkIooIsZ.Q

user = ddt123 {

member = admin

name = "ddt 123"

login = cleartext "exec123"

}

user = $ddt123$ {

member = admin

name = "ddt 123"

login = cleartext "privi123"

}

group = admin {

default service = permit

}

[[email protected] tacacs]#

Here is my configuration on the IOS device:

aaa authentication login notac none

aaa authentication login VTY group tacacs+ local

aaa authentication login web local enable

aaa authentication enable default group tacacs+ enable

aaa authorization console

aaa authorization config-commands

aaa authorization exec notac none

aaa authorization exec VTY group tacacs+ if-authenticated none

aaa authorization commands 0 VTY group tacacs+ if-authenticated none

aaa authorization commands 1 VTY group tacacs+ if-authenticated none

aaa authorization commands 15 VTY group tacacs+ if-authenticated none

aaa authorization network VTY group tacacs+ if-authenticated none

aaa accounting exec VTY start-stop group tacacs+

aaa accounting commands 0 VTY start-stop group tacacs+

aaa accounting commands 1 VTY start-stop group tacacs+

aaa accounting commands 15 VTY start-stop group tacacs+

aaa accounting network VTY start-stop group tacacs+

aaa accounting connection VTY start-stop group tacacs+

tacacs-server host 192.168.15.10 key ***

ip http server

ip http authentication aaa login-authentication VTY

line con 0

exec-timeout 0 0

authorization exec notac

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

logging synchronous

login authentication notac

line vty 0 15

exec-timeout 0 0

authorization commands 0 VTY

authorization commands 1 VTY

authorization commands 15 VTY

authorization exec VTY

accounting commands 0 VTY

accounting commands 1 VTY

accounting commands 15 VTY

accounting exec VTY

login authentication VTY

----

The question I have is that when I open the browser and enter http://router_IP_address,

the it prompts me for authetication, which password should I use, "exec123" or "privi123"?

Can someone explain to me how this work, and if it works at all? Thanks.

David

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
daviddtran Sun, 02/25/2007 - 15:23

here is the "debug aaa authen" and "debug aaa author" on the router:

C2621#term mon

C2621#

Feb 25 23:11:33.967 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=monitor

Feb 25 23:11:33.971 UTC: AAA/AUTHOR/TAC+: (3081244823): send AV cmd-arg=

Feb 25 23:11:34.183 UTC: TAC+: (-1213722473): received author response status = PASS_ADD

Feb 25 23:11:34.187 UTC: AAA/AUTHOR (3081244823): Post authorization status = PASS_ADD

Feb 25 23:11:34.187 UTC: AAA/MEMORY: free_user (0x8276F8AC) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)

Feb 25 2007 23:11:36 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(24127), 1 packet

Feb 25 2007 23:11:38 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(14840), 1 packet

Feb 25 23:11:39.248 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'

Feb 25 23:11:39.268 UTC: AAA/AUTHOR (00000000): Method=None for method list id=A0000003. Skip author

Feb 25 2007 23:11:40 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(36781), 1 packet

Feb 25 2007 23:11:41 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted udp 192.168.4.10(2537) -> 192.168.15.1(161), 1 packet

Feb 25 23:11:42.553 UTC: AAA/AUTHEN/LOGIN (00000000): Pick method list 'VTY'

Feb 25 2007 23:11:43 UTC: %SEC-6-IPACCESSLOGP: list 111 permitted tcp 192.168.15.10(49) -> 192.168.15.1(19535), 1 packetu

All possible debugging has been turned off

C2621#

Feb 25 23:11:46.552 UTC: AAA: parse name=tty66 idb type=-1 tty=-1

Feb 25 23:11:46.552 UTC: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0

Feb 25 23:11:46.552 UTC: AAA/MEMORY: create_user (0x8276AD88) user='ddt123' ruser='C2621' ds0=0 port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 initial_task_id='0', vrf= (id=0)

Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Port='tty66' list='VTY' service=CMD

Feb 25 23:11:46.556 UTC: AAA/AUTHOR/CMD: tty66(1541751897) user='ddt123'

Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV service=shell

Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd=undebug

Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=all

Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): send AV cmd-arg=

Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): found list "VTY"

Feb 25 23:11:46.556 UTC: tty66 AAA/AUTHOR/CMD(1541751897): Method=tacacs+ (tacacs+)

Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): user=ddt123

Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV service=shell

Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd=undebug

Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=all

Feb 25 23:11:46.560 UTC: AAA/AUTHOR/TAC+: (1541751897): send AV cmd-arg=

Feb 25 23:11:46.768 UTC: TAC+: (1541751897): received author response status = PASS_ADD

Feb 25 23:11:46.772 UTC: AAA/AUTHOR (1541751897): Post authorization status = PASS_ADD

Feb 25 23:11:46.772 UTC: AAA/MEMORY: free_user (0x8276AD88) user='ddt123' ruser='C2621' port='tty66' rem_addr='192.168.15.1' authen_type=ASCII service=NONE priv=0 vrf= (id=0)no

Feb 25 2007 23:11:47 UTC: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 976 packets

C2621#

David

Vivek Santuka Mon, 02/26/2007 - 02:52

Hi David,

Login to http requires privilege level 15.

You will need to add the following in the user's profile :-

service = exec {

priv-lvl = 15

}

Regards,

Vivek

daviddtran Mon, 02/26/2007 - 08:00

Hi Vivek,

Here is my config of the TACACS+ file:

user = cciesec {

member = admin

name = "ccie security"

login = cleartext "123456"

service = exec { priv-lvl = 15 }

expires = "Dec 31 2007"

}

user = $cciesec$ {

member = admin

name = "ccie security"

global = cleartext "cciesec1"

service = exec { priv-lvl = 15 }

expires = "Dec 31 2007"

}

group = admin {

default service = permit

}

I now can http://router-IP and login with

cciesec account but I have to use the "exec"

password. In other words, it works with

"123456" but NOT "cciesec1". Worse, I now

can telnet/ssh into the router and when I

issue "cciesec/123456" and it takes directly

into "enable" mode.

What I would like to accomplish is to have

user cciesec logging into the router via the

web browser but he has to use the password

"cciesec1" because that is his unique enable

password. Furthermore, when cciesec telnet

or ssh into the router, I want him to be able

to login as "cciesec/123456" and that will

take him on the "exec" prompt. After that,

cciesec has to use "cciesec1" to go into

privilege mode. Is that doable?

One other thing, when I use cciesec to log

into the router via the browser, I am not

seeing in the tacacs log. How do I enable

accounting for user(s) logging into the

router via the browser.

Thanks.

David

Vivek Santuka Tue, 02/27/2007 - 07:31

Hi,

Http connection requires level 15 login. Which means you will have to push the priv-lvl attribute. HTTP authentication will never prompt for the enable password.

Also when you push the priv-lvl 15 it will effect the shell by allowing users directly into the privilege mode.

There is no workaround that I can think of.

Also as far as I know we cannot account for http sessions.

Regards,

Vivek

daviddtran Tue, 02/27/2007 - 07:48

Vivek,

I don't quite understand. If I can log into

the router via http but I can not get accounting

of what user(s) do via http, where is the

accounting piece? Isn't that a security risk?

Should cisco fix this?

Thanks

David

Actions

This Discussion