Cisco Wireless Access Points are not working after TACACS Implementation

Unanswered Question
Aug 4th, 2008

Hi,


I am unable to access the Cisco Wireless Access Point using HTTP (GUI) mode after TACACS implementation, but I am able to access the same devices using telnet with the TACACS user ID.


Need some help in this...

chaitu_kranthi Mon, 08/04/2008 - 08:54

Yes,

The command is already there


If I remove the TACACS (no aaa new-model) from the device, then it is working through HTTP also.

Farrukh Haroon Mon, 08/04/2008 - 09:06

Is it ip http authentication aaa?


Can you post output of show ip http server all?


Regards


Farrukh

chaitu_kranthi Mon, 08/04/2008 - 09:38

LASAOAP1#sh ip http server all

HTTP server status: Enabled

HTTP server port: 80

HTTP server authentication method: aaa

HTTP server access class: 0

HTTP server base path: flash:/c1200-k9w7-mx.123-2.JA2/html/level/1;zflash:/c1200-k9w7-mx.123-2.JA2/html/level/1;flash:/c1200-k9w7-mx.123-2.JA2/html/level/15;zflash:/c1200-k9w7-mx.123-2.JA2/html/level/15;flash:/c1200-k9w7-mx.123-2.JA2/html;zflash:/c1200-k9w7-mx.123-2.JA2/html;flash:

Maximum number of concurrent server connections allowed: 5

Server idle time-out: 120 seconds

Server life time-out: 120 seconds

Maximum number of requests allowed on a connection: 60

HTTP secure server capability: Present

HTTP secure server status: Disabled

HTTP secure server port: 443

HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha

HTTP secure server client authentication: Disabled

HTTP secure server trustpoint:



HTTP server application session modules:

Session module Name Handle Description

Homepage_Server 3 IOS Homepage Server

HTTP IFS Server 1 HTTP based IOS File Server

WEB_EXEC 2 HTTP based IOS EXEC Server



HTTP server current connections:

local-ipaddress:port remote-ipaddress:port in-bytes out-bytes



HTTP server statistics:

Accepted connections total: 4



HTTP server history:

local-ipaddress:port remote-ipaddress:port in-bytes out-bytes end-time

100.193.1.240:80 192.168.15.243:14879 389 191 17:16:03 08/04

100.193.1.240:80 192.168.15.243:15112 436 191 17:16:13 08/04

100.193.1.240:80 192.168.15.243:15289 4011 54809 17:18:08 08/04

100.193.1.240:80 192.168.15.243:15488 5596 55155 17:18:28 08/04

Farrukh Haroon Mon, 08/04/2008 - 10:23

Can you also show the aaa method-lists? Are you using the 'default' one for login?


show run | inc aaa


If not, you need to add that to the following command:


ip http authentication aaa ?


Regards


Farrukh

chaitu_kranthi Mon, 08/04/2008 - 20:31

Hi,


Thanks for your reply.


I have tried the command on another access point and it is working there. But now the problem for me is: with the TACACS user name and password I am able to telnet to the device with full access, but using HTTP I am getting read-only access only.


Is there something I have to add additionally?



Farrukh Haroon Mon, 08/04/2008 - 21:53

Please try assigning privilege level 15 to the admin users in the TACACS server.


Regards


Farrukh

chaitu_kranthi Mon, 08/04/2008 - 22:16

Hi,


The user already has privilege 15. The same TACACS user has full access using telnet for the same device.

Farrukh Haroon Mon, 08/04/2008 - 22:20

Then please attach the AAA/TACACS configs from the troublesome AP's CLI and the following debugs:


debug ip http authentication

debug tacacs

debug aaa authentication


Regards


Farrukh

chaitu_kranthi Tue, 08/05/2008 - 01:58

Hi,


I observed that my TACACS user is logging into the device using HTTP but he is getting priv-level = 1; the user already has priv-level = 15. Please advise me.


Aug 5 09:53:29.492: HTTP: Authentication username = 'gkc' priv-level = 1 auth-type = aaa
