IOS Configuration for HTTP(S) AAA (SDM)

Justin Shore
Level 1

I'm having trouble getting the internal HTTPS server to use AAA for authentication. I have a working AAA setup for VTY access using TACACS+ but I can't seem to get HTTPS to work.

aaa new-model
aaa authentication login console none
aaa authentication login netauth group tacacs+ local
aaa authorization exec default none
aaa accounting delay-start
aaa accounting exec netacc start-stop group tacacs+
aaa accounting commands 15 netacc stop-only group tacacs+
aaa accounting connection netacc start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
!
no ip http server
ip http access-class 99
ip http authentication aaa login-authentication netauth
ip http secure-server

The only "aaa authorization" line was added during troubleshooting. I don't use authorization.

TACACS is working fine and ACL 99 permits my source IP. A debug of ip http auth gives me this after entering my credentials:

095897: Jan 25 10:35:18.262 CST: HTTP AAA Login-Authentication List name: netauth
095898: Jan 25 10:35:18.262 CST: HTTP AAA picking up Exec-Authorization List name: default
095899: Jan 25 10:35:18.302 CST: HTTP: Authentication failed for level 15

I tried both a valid userid/passwd configured on the TACACS server as well as a local userid/passwd on the router (I use 'local' as a backup to TACACS). The TACACS server logs show a successful auth attempt. The router in question is running 12.4(15)T2 but I've run into this problem on numerous 12.4 and 12.3 releases for years.

I've run into this dozens of times in as many networks. I've never found a solution other than to use local auth and forget AAA. What am I missing?

Thanks

Justin

4 Replies

Jagdeep Gambhir
Level 10

For Http access you need to have priv 15 defined for that user. And add authorization command

aaa authorization exec default group tacacs+ if-authenticated

Bring users/groups in at level 15

1. Go to user or group setup in ACS

2. Drop down to "TACACS+ Settings"

3. Place a check in "Shell (Exec)"

4. Place a check in "Privilege level" and enter "15" in the adjacent field

Regards,

~JG

Do rate helpful posts

JG,

Thanks for the reply. We don't use ACS here. We use an open-source TACACS+ server. So besides authentication the IOS HTTPS server requires authorization as well?

Thanks

Justin

Yes, need authorization also. Priv lvl falls under authorization head.

Regards,

~JG

I had the exact same problem with HTTP login when trying to use the Cisco SDM v2.5 installation. The AAA and IP HTTP server information at this link was very helpful:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml

In my environment, by adding the following I was able to get the SDM to login using AAA and TACACS:

aaa authorization exec default group tacacs+ local

ip http authentication aaa login-authentication default

-- Jeff
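The thread's diagnosis is that the HTTP server authenticates against the `login-authentication` list but then runs exec authorization against the `default` exec list (the "picking up Exec-Authorization List name: default" debug line), so a missing or `none` exec-authorization list breaks SDM/HTTPS login even though TACACS+ authentication succeeds. The following Python script is an added example, not code from the thread or from Cisco: it audits an IOS config snippet for exactly that wiring. The two sample configs are constructed from the lines quoted in this thread (the original poster's snippet, and the same snippet with the exec-authorization fix from the replies); the `exec-authorization` keyword handling assumes the `ip http authentication aaa exec-authorization <list>` form that later IOS releases accept, which is not shown on this page.

```python
import re

# Constructed sample: the original poster's AAA/HTTP lines as quoted above (accounting omitted).
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login console none
aaa authentication login netauth group tacacs+ local
aaa authorization exec default none
aaa session-id common
!
no ip http server
ip http access-class 99
ip http authentication aaa login-authentication netauth
ip http secure-server
"""

# Constructed sample: the same snippet with the exec-authorization fix from the replies applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authorization exec default none",
    "aaa authorization exec default group tacacs+ local",
)

LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
EXEC_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")


def parse_http_auth(line):
    """Return the list names an 'ip http authentication aaa ...' line selects.

    Lists that are not named fall back to 'default', which is what the
    'picking up Exec-Authorization List name: default' debug line reflects.
    """
    names = {"login": "default", "exec": "default"}
    toks = line.split()[4:]  # drop the leading 'ip http authentication aaa'
    i = 0
    while i < len(toks):
        if toks[i] == "login-authentication" and i + 1 < len(toks):
            names["login"] = toks[i + 1]
            i += 2
        elif toks[i] == "exec-authorization" and i + 1 < len(toks):  # assumed keyword, see lead-in
            names["exec"] = toks[i + 1]
            i += 2
        elif toks[i] == "command-authorization":
            i += 3  # 'command-authorization <level> <list>' is irrelevant to login
        else:
            i += 1
    return names


def audit_http_aaa(config):
    """Return a list of findings; an empty list means the HTTP AAA wiring is complete."""
    login_lists, exec_lists = {}, {}
    http_on, http_aaa = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = LOGIN_RE.match(line)
        if m:
            login_lists[m.group(1)] = m.group(2).strip()
            continue
        m = EXEC_RE.match(line)
        if m:
            exec_lists[m.group(1)] = m.group(2).strip()
            continue
        if line in ("ip http server", "ip http secure-server"):
            http_on = True
        elif line.startswith("ip http authentication aaa"):
            http_aaa = parse_http_auth(line)

    if not http_on:
        return ["no HTTP or HTTPS server enabled; nothing to audit"]
    if http_aaa is None:
        return ["HTTP server is not using AAA ('ip http authentication aaa' missing)"]

    findings = []
    login = http_aaa["login"]
    if login not in login_lists:
        findings.append(f"login-authentication list '{login}' has no 'aaa authentication login' entry")
    elif login_lists[login] == "none":
        findings.append(f"login-authentication list '{login}' uses method 'none'")

    ex = http_aaa["exec"]
    if ex not in exec_lists:
        findings.append(f"exec-authorization list '{ex}' has no 'aaa authorization exec' entry; "
                        "HTTP login needs exec authorization to obtain privilege 15")
    elif exec_lists[ex] == "none":
        findings.append(f"exec-authorization list '{ex}' uses method 'none'; "
                        "the AAA server is never asked for the user's privilege level")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_http_aaa(cfg) or ["ok"])
```

Running the script reports one finding for the original poster's snippet (the `default` exec list is `none`) and none for the corrected one; the same check flags a config that has no `aaa authorization exec` line at all, which is the state the poster describes before adding the line during troubleshooting.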
