07-30-2007 04:28 AM - edited 03-05-2019 05:34 PM
Not sure if this is the right forum for this or not.
I have successfully set up a switch to authenticate against an AD group for telnet login, then use an enable password shared by the three people in the group.
I'd like to set up ip http server the same way, but can't seem to get it to work. I used "ip http authentication aaa", but no dice, as I do not have a local aaa.
Any advice is greatly appreciated!
07-31-2007 02:41 AM
HTTP Authentication requires Level-15 privileges so the user needs to have this by default. You can achieve this by passing a Cisco-AV-Pair from the Radius Server to the IOS device. The Cisco-AV-Pair is sent as a string as part of the Authentication Accept, for Level-15 privilege this is:
shell:priv-lvl=15
Bear in mind that if you use the same authentication method for telnet or SSH then your users will automatically be at Level-15 privilege level.
I use this with MS IAS and have two policies defined that check for Windows Group Membership; one group has Level-15 access, the others don't.
HTH
Andy
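To make the answer above concrete, here is an added example (not from the thread or from Cisco) that builds a RADIUS Access-Accept carrying the Cisco-AV-Pair as a Vendor-Specific attribute (type 26, vendor id 9, sub-type 1) and parses it back to check whether the user was granted priv-lvl 15. The two sample packets are constructed in the code, with a zeroed authenticator, purely to show the encoding and the check.

```python
import struct
ACCESS_ACCEPT, ATTR_VSA, HEADER_LEN, CISCO_VENDOR_ID, CISCO_AVPAIR = 2, 26, 20, 9, 1

def build_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AV-Pair string as a RADIUS Vendor-Specific attribute (type 26)."""
    data = value.encode()
    vendor_attr = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    inner = struct.pack("!I", CISCO_VENDOR_ID) + vendor_attr
    return struct.pack("!BB", ATTR_VSA, 2 + len(inner)) + inner

def build_access_accept(identifier: int, attrs: bytes) -> bytes:
    """Access-Accept header plus attributes; authenticator zeroed (constructed sample, not real)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attrs))
    return header + bytes(16) + attrs

def cisco_avpairs(packet: bytes) -> list:
    """Return every Cisco-AV-Pair string carried in the packet's Cisco VSAs."""
    pairs, pos = [], HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break  # malformed attribute length: stop rather than mis-parse
        value, pos = packet[pos + 2:pos + alen], pos + alen
        if atype != ATTR_VSA or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vpos = 4  # vendor sub-attributes follow the 4-byte Vendor-Id
        while vpos + 2 <= len(value):
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                break
            if vtype == CISCO_AVPAIR:
                pairs.append(value[vpos + 2:vpos + vlen].decode(errors="replace"))
            vpos += vlen
    return pairs

def granted_priv_level(packet: bytes):
    """Privilege level from shell:priv-lvl=N, or None if the Accept carries no such pair."""
    for pair in cisco_avpairs(packet):
        key, _, val = pair.partition("=")
        if key.strip() == "shell:priv-lvl" and val.strip().isdigit():
            return int(val)
    return None

def http_login_allowed(packet: bytes) -> bool:
    """IOS HTTP login needs level 15, so only an Accept with shell:priv-lvl=15 passes."""
    return granted_priv_level(packet) == 15

ADMIN_ACCEPT = build_access_accept(1, build_cisco_avpair("shell:priv-lvl=15"))  # constructed sample
HELPDESK_ACCEPT = build_access_accept(2, b"")  # constructed: policy returns no AV-Pair
```

The same parser can be pointed at a captured Access-Accept to confirm that only the intended IAS policy returns the level-15 pair.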
07-30-2007 04:40 AM
Post your current AAA config sections.
07-30-2007 04:45 AM
Please paste the device config. Also let us know where the RADIUS server is located.
-amit singh
07-30-2007 04:54 AM
07-30-2007 05:37 AM
This link might help
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
Narayan
please rate all posts
07-30-2007 06:42 AM
OK, looks good. I am going to make a couple of assumptions here:
I have updated the 3560 I'm using for test to the latest IOS available for it (12.2.25-SEE4)
so I am going to follow the "HTTP V1.1 Server - Before Cisco Bug ID CSCeb82510"
and do this:
aaa new-model
aaa authentication login CONSOLEandHTTP radius local
aaa authorization exec CONSOLEandHTTP radius local
!
ip http authentication aaa
!
line con 0
login authentication CONSOLEandHTTP
authorization exec CONSOLEandHTTP
Where "CONSOLEandHTTP" is replaced by my TRAuthList.
Does this sound correct? Fortunately this is a test switch sitting in my office, so I'm unconcerned if I have to wipe it. :)
Thanks
07-30-2007 07:04 AM
07-31-2007 03:19 AM
ding ding ding.
That did the trick. I almost thought it hadn't, then realized I had gone back to ip http authentication enable. Changed it back to triple-a, and bingo.
Ultimately my config turned out as attached.
Very helpful.
I'd be curious how you have your groups and access levels configured, as I would still like to be able to give the help-desk folks the ability to check port configs for vlan access, speed/duplex settings, etc.
Thanks very much to all for your help.
07-31-2007 03:59 AM
I don't think it's possible to have different privilege levels with HTTP Authentication. You could probably do it with AAA Authorisation, but you would need ACS and then command-sets associated with users/groups. I have never configured this myself; however, it looks like there are commands available in IOS (for a 3550 I have, at least) for this:
switch(config)#ip http authentication aaa ?
command-authorization Set method list for command authorization
exec-authorization Set method list for exec authorization
login-authentication Set method list for login authentication
Andy
07-31-2007 04:50 AM
No, I don't think with HTTP there's any choice. But an ability to at least get them telnet access to basic information would be good.
I've looked at those commands some, but haven't played with them yet.
07-31-2007 10:55 AM
Hi,
If you are looking for the ability to let users issue only some specific commands, then you need to use TACACS instead of RADIUS.
With TACACS/ACS you have control over what commands any user can issue, which gives you total control over users.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp697557
Regards,
~JG
08-04-2007 02:03 PM
How did you configure the shell:priv-lvl=15 to IAS?
Thanks
08-06-2007 04:48 AM
08-06-2007 04:59 AM
Wow. Cal, that is a really nice guide.
Once the fine folks here pointed me in the right direction, I went to IAS, highlighted remote access policies.
right-clicked my policy (in my case, ciscoauth) and hit Properties.
Went to Edit Profile, then the "Advanced" tab.
Hit Add, chose Cisco-AV-Pair, and under attribute values hit Add and entered shell:priv-lvl=15.
HTH