I'm having trouble getting the internal HTTPS server to use AAA for authentication. I have a working AAA setup for VTY access using TACACS+ but I can't seem to get HTTPS to work.
aaa authentication login console none
aaa authentication login netauth group tacacs+ local
aaa authorization exec default none
aaa accounting delay-start
aaa accounting exec netacc start-stop group tacacs+
aaa accounting commands 15 netacc stop-only group tacacs+
aaa accounting connection netacc start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
no ip http server
ip http access-class 99
ip http authentication aaa login-authentication netauth
ip http secure-server
The only "aaa authorization" line was added during troubleshooting. I don't use authorization.
TACACS is working fine and ACL 99 permits my source IP. A debug of ip http auth gives me this after entering my credentials:
095897: Jan 25 10:35:18.262 CST: HTTP AAA Login-Authentication List name: netauth
095898: Jan 25 10:35:18.262 CST: HTTP AAA picking up Exec-Authorization List name: default
095899: Jan 25 10:35:18.302 CST: HTTP: Authentication failed for level 15
I tried both a valid userid/passwd configured on the TACACS server as well as a local userid/passwd on the router (I use 'local' as a backup to TACACS). The TACACS server logs show a successful auth attempt. The router in question is running 12.4(15)T2 but I've run into this problem on numerous 12.4 and 12.3 releases for years.
I've run into this dozens of times in as many networks. I've never found a solution other than to use local auth and forget AAA. What am I missing?
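Added illustration, not part of the original post: the HTTP server's AAA binding written out with an explicit method list for each of the two decisions the debug output distinguishes (login-authentication and exec-authorization), so that neither falls back to the "default" list. The list name netauthz, the sample username, and the `ip http authentication aaa exec-authorization` keyword being available on the poster's release are assumptions for illustration; the post does not establish that this arrangement resolves the failure shown.

```cisco
! Assumed example configuration (not the poster's config).
! Two method lists: one answers "who is this" (login), the other returns
! the privilege level the HTTP server checks ("level 15" in the debug).
aaa new-model
aaa authentication login netauth group tacacs+ local
aaa authorization exec netauthz group tacacs+ local
!
! Bind each list to the HTTP server by name instead of relying on "default".
ip http authentication aaa login-authentication netauth
ip http authentication aaa exec-authorization netauthz
ip http access-class 99
ip http secure-server
no ip http server
!
! Local fallback account (assumed name): without "privilege 15" the local
! exec authorization cannot grant level 15 when TACACS+ is unreachable.
username admin privilege 15 secret <strong-secret>
```

With both lists named, `debug ip http authentication` should report the chosen list for login and for exec-authorization rather than "default" for the latter, which makes it possible to tell from the debug alone which of the two decisions is failing.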