Cisco Wireless Access Points are not working after TACACS Implementation

Unanswered Question
Aug 4th, 2008

I am unable to access the Cisco Wireless Access Point using HTTP (GUI) mode after TACACS implementation. But I am able to access the same devices using telnet with a TACACS user ID.

Need some help in this...

Farrukh Haroon Mon, 08/04/2008 - 08:49

Look at the 'ip http authentication' command.



chaitu_kranthi Mon, 08/04/2008 - 08:54

The command is already there.

If I remove TACACS (no aaa new-model) from the device, then it works through HTTP as well.

Farrukh Haroon Mon, 08/04/2008 - 09:06

Is it ip http authentication aaa?

Can you post output of show ip http server all?



chaitu_kranthi Mon, 08/04/2008 - 09:38

LASAOAP1#sh ip http server all

HTTP server status: Enabled

HTTP server port: 80

HTTP server authentication method: aaa

HTTP server access class: 0

HTTP server base path: flash:/c1200-k9w7-mx.123-2.JA2/html/level/1;zflash:/c1200




Maximum number of concurrent server connections allowed: 5

Server idle time-out: 120 seconds

Server life time-out: 120 seconds

Maximum number of requests allowed on a connection: 60

HTTP secure server capability: Present

HTTP secure server status: Disabled

HTTP secure server port: 443

HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128


HTTP secure server client authentication: Disabled

HTTP secure server trustpoint:

HTTP server application session modules:

Session module Name Handle Description

Homepage_Server 3 IOS Homepage Server

HTTP IFS Server 1 HTTP based IOS File Server


HTTP server current connections:

local-ipaddress:port remote-ipaddress:port in-bytes out-bytes

HTTP server statistics:

Accepted connections total: 4

HTTP server history:

local-ipaddress:port remote-ipaddress:port in-bytes out-bytes end-time
389 191 17:16:03 08/04
436 191 17:16:13 08/04
4011 54809 17:18:08 08/04
5596 55155 17:18:28 08/04

Farrukh Haroon Mon, 08/04/2008 - 10:23

Can you also show the aaa method-lists? Are you using the 'default' one for login?

show run | inc aaa

If not, you need to add that to the following command:

ip http authentication aaa ?



chaitu_kranthi Mon, 08/04/2008 - 20:31

Thanks for your reply.

I have tried the command on another access point and it is working there. But now the problem for me is that with the TACACS user name and password I am able to telnet to the device with full access, but using HTTP I am getting read-only access only.

Is there something I have to add additionally?

Farrukh Haroon Mon, 08/04/2008 - 21:53

Please try assigning privilege level 15 to the admin users in the TACACS server.



chaitu_kranthi Mon, 08/04/2008 - 22:16

The user already has privilege 15. The same TACACS user has full access using telnet for the same device.

Farrukh Haroon Mon, 08/04/2008 - 22:20

Then please attach the AAA/TACACS configs from the troublesome AP's CLI and the following debugs:

debug ip http authentication

debug tacacs

debug aaa authentication



chaitu_kranthi Tue, 08/05/2008 - 01:58

I observed that my TACACS user is logging into the device using HTTP but he is getting priv-level = 1; the user already has priv-level = 15. Please advise me.

Aug 5 09:53:29.492: HTTP: Authentication username = 'gkc' priv-level = 1 auth-type = aaa

