IOS Configuration for HTTP(S) AAA (SDM)

Unanswered Question
Jan 25th, 2008

I'm having trouble getting the internal HTTPS server to use AAA for authentication. I have a working AAA setup for VTY access using TACACS+ but I can't seem to get HTTPS to work.

aaa new-model
aaa authentication login console none
aaa authentication login netauth group tacacs+ local
aaa authorization exec default none
aaa accounting delay-start
aaa accounting exec netacc start-stop group tacacs+
aaa accounting commands 15 netacc stop-only group tacacs+
aaa accounting connection netacc start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

no ip http server
ip http access-class 99
ip http authentication aaa login-authentication netauth
ip http secure-server

The only "aaa authorization" line was added during troubleshooting. I don't use authorization.

TACACS is working fine and ACL 99 permits my source IP. A debug of ip http auth gives me this after entering my credentials:

095897: Jan 25 10:35:18.262 CST: HTTP AAA Login-Authentication List name: netauth
095898: Jan 25 10:35:18.262 CST: HTTP AAA picking up Exec-Authorization List name: default
095899: Jan 25 10:35:18.302 CST: HTTP: Authentication failed for level 15

I tried both a valid userid/passwd configured on the TACACS server as well as a local userid/passwd on the router (I use 'local' as a backup to TACACS). The TACACS server logs show a successful auth attempt. The router in question is running 12.4(15)T2 but I've run into this problem on numerous 12.4 and 12.3 releases for years.

I've run into this dozens of times in as many networks. I've never found a solution other than to use local auth and forget AAA. What am I missing?

Jagdeep Gambhir Fri, 01/25/2008 - 10:53

For Http access you need to have priv 15 defined for that user. And add authorization command

aaa authorization exec default tacacs if-authenticated

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field



Do rate helpful posts

Justin Shore Fri, 01/25/2008 - 11:43


Thanks for the reply. We don't use ACS here. We use an open-source TACACS+ server. So besides authentication the IOS HTTPS server requires authorization as well?



jeff-nelson Thu, 04/24/2008 - 06:24

I had the exact same problem with HTTP login when trying to use the Cisco SDM v2.5 installation. The AAA and IP HTTP server information at this link was very helpful:

In my environment, by adding the following I was able to get the SDM to login using AAA and TACACS:

aaa authorization exec default group tacacs+ local

ip http authentication aaa login-authentication default

-- Jeff
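The configuration below ties together Jagdeep's point (the IOS HTTP server learns the user's privilege level through exec authorization, and needs level 15) and Jeff's fix, as an added example that is not from any poster in this thread. It assumes the TACACS+ server returns priv-lvl 15 for the HTTP users (the "Shell (Exec)" and "Privilege level 15" settings described above, or their equivalent on an open-source TACACS+ daemon), that the image supports the exec-authorization keyword on "ip http authentication aaa" (present in 12.3T/12.4), and that ACL 99 already exists; the list name "webauth" and the "admin" account are made up for the example.

```text
! Added example configuration, not from the original thread.
! Assumes: TACACS+ returns priv-lvl=15 for HTTP users; image supports
! "ip http authentication aaa exec-authorization" (12.3T/12.4); ACL 99 exists.
aaa new-model
!
! Authentication: TACACS+ first, local database only as a fallback.
aaa authentication login netauth group tacacs+ local
!
! Exec authorization: the debug output in the question shows the HTTP server
! "picking up Exec-Authorization List name: default". With that list set to
! "none" the TACACS+ server is never asked for a privilege level, so the HTTP
! login cannot reach level 15. A separate named list ("webauth" is an assumed
! name) lets HTTP use TACACS+ authorization without touching the VTY lines,
! which keep using the "default" list.
aaa authorization exec webauth group tacacs+ local
!
! The local fallback account must itself be level 15 for HTTP/SDM access.
! "admin" and the secret are placeholders; replace before use.
username admin privilege 15 secret <REPLACE-WITH-STRONG-SECRET>
!
! HTTPS only, limited to the management hosts in ACL 99, and bound to the
! named login-authentication and exec-authorization lists.
no ip http server
ip http secure-server
ip http access-class 99
ip http authentication aaa login-authentication netauth
ip http authentication aaa exec-authorization webauth
```

Keeping the HTTP exec-authorization list separate from "default" means a change needed only for SDM does not widen what VTY users are authorized to do, and "debug ip http authentication" should then show the "webauth" list being picked up instead of "default".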

