Here we go.

Thanks for the help.

This link might help

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml

Narayan

please rate all posts

OK, looks good. I am going to make a couple of assumptions here:

I have updated the 3560 I'm using for test to the latest IOS available for it (12.2.25-SEE4)

so I am going to follow the "HTTP V1.1 Server - Before Cisco Bug ID CSCeb82510"

and do this:

aaa new-model

aaa authentication login CONSOLEandHTTP radius local

aaa authorization exec CONSOLEandHTTP radius local

!

ip http authentication aaa

!

line con 0

login authentication CONSOLEandHTTP

authorization exec CONSOLEandHTTP

Where "CONSOLEandHTTP" is replaced by my TRAuthList.

Does this sound correct? Fortunately this is a test switch sitting in my office, so I'm unconcerned if I have to wipe it. :)

Thanks

OK, I tried what I said above.

I'm still failing on http, but think I'm very very close. I attached the debug I did on ip http, and an updated config.

Many thanks for all the help on what is really a not-very-important issue, but helps me enormously locally.

ding ding ding.

That did the trick. I almost thought it hadn't, then realized I had gone back to ip http authentication enable. Changed it back to triple-a, and bingo.

Ultimately my config turned out as attached.

Very helpful.

I'd be curious how you have your groups and access levels configured, as I would still like to be able to give the help-desk folks the ability to check port configs for vlan access, speed/duplex settings, etc.

Thanks very much to all for your help.

I don't think it's possible to have different privilege levels with HTTP Authentication. You could probably do it with AAA Authorisation but you would need ACS and then command-sets associated with users/groups. I have never configured this though, however it looks like there are commands available in IOS (for a 3550 I have at least) for this:

switch(config)#ip http authentication aaa ?

command-authorization Set method list for command authorization

exec-authorization Set method list for exec authorization

login-authentication Set method list for login authentication

Andy

No, I don't think with HTTP there's any choice. But an ability to at least get them telnet access to basic information would be good.

I've looked at those commands some, but haven't played with them yet.

Hi,

If you are looking for an ablity to make user issue some specific commands then you need to use tacacs instead of radius.

With tacacs /acs you have control what commands can any user issue and will give you total control on users.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp697557

Regards,

~JG

How did you configure the shell:priv-lvl=15 to IAS?

Thanks

Hi,

Check out this attachment. It explains all about your query.

Regards,

~JG

Wow. Cal, that is a really nice guide.

Once the fine folks here pointed me in the right direction, I went to IAS, highlighted remote access policies.

rightclicked my policy (in my case, ciscoauth) and hit properties.

Went to edit profile, then the "advanced" tab.

Add/ Cisco-AV-Pair, and under attribute values hit add, and shell:priv-lvl=15.

HTH