Cisco Wireless Access Points are not working after TACACS implementation

Unanswered Question
Aug 4th, 2008

Hi,

I am unable to access the Cisco wireless access point using HTTP (GUI) mode after TACACS implementation, but I am able to access the same devices using telnet with a TACACS user ID.

Need some help in this...

chaitu_kranthi Mon, 08/04/2008 - 08:54

Yes,

The command is already there.

If I remove TACACS (no aaa new-model) from the device, then it works through HTTP also.

Farrukh Haroon Mon, 08/04/2008 - 09:06

Is it ip http authentication aaa?

Can you post the output of show ip http server all?

Regards

Farrukh

chaitu_kranthi Mon, 08/04/2008 - 09:38

LASAOAP1#sh ip http server all

HTTP server status: Enabled

HTTP server port: 80

HTTP server authentication method: aaa

HTTP server access class: 0

HTTP server base path: flash:/c1200-k9w7-mx.123-2.JA2/html/level/1;zflash:/c1200-k9w7-mx.123-2.JA2/html/level/1;flash:/c1200-k9w7-mx.123-2.JA2/html/level/15;zflash:/c1200-k9w7-mx.123-2.JA2/html/level/15;flash:/c1200-k9w7-mx.123-2.JA2/html;zflash:/c1200-k9w7-mx.123-2.JA2/html;flash:

Maximum number of concurrent server connections allowed: 5

Server idle time-out: 120 seconds

Server life time-out: 120 seconds

Maximum number of requests allowed on a connection: 60

HTTP secure server capability: Present

HTTP secure server status: Disabled

HTTP secure server port: 443

HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha

HTTP secure server client authentication: Disabled

HTTP secure server trustpoint:

HTTP server application session modules:

Session module Name Handle Description

Homepage_Server 3 IOS Homepage Server

HTTP IFS Server 1 HTTP based IOS File Server

WEB_EXEC 2 HTTP based IOS EXEC Server

HTTP server current connections:

local-ipaddress:port remote-ipaddress:port in-bytes out-bytes

HTTP server statistics:

Accepted connections total: 4

HTTP server history:

local-ipaddress:port remote-ipaddress:port in-bytes out-bytes end-time

100.193.1.240:80 192.168.15.243:14879 389 191 17:16:03 08/04

100.193.1.240:80 192.168.15.243:15112 436 191 17:16:13 08/04

100.193.1.240:80 192.168.15.243:15289 4011 54809 17:18:08 08/04

100.193.1.240:80 192.168.15.243:15488 5596 55155 17:18:28 08/04

Farrukh Haroon Mon, 08/04/2008 - 10:23

Can you also show the aaa method-lists? Are you using the 'default' one for login?

show run | inc aaa

If not, you need to add that to the following command:

ip http authentication aaa ?

Regards

Farrukh

chaitu_kranthi Mon, 08/04/2008 - 20:31

Hi,

Thanks for your reply.

I have tried the command on another access point and it is working there. But now the problem for me is that with the TACACS username and password I am able to telnet to the device with full access, but using HTTP I am getting read-only access only.

Is there something I have to add additionally?

Farrukh Haroon Mon, 08/04/2008 - 21:53

Please try assigning privilege level 15 to the admin users in the TACACS server.

Regards

Farrukh

chaitu_kranthi Mon, 08/04/2008 - 22:16

Hi,

The user already has privilege 15. The same TACACS user has full access using telnet for the same device.

Farrukh Haroon Mon, 08/04/2008 - 22:20

Then please attach the AAA/TACACS configs from the troublesome AP's CLI and the following debugs:

debug ip http authentication

debug tacacs

debug aaa authentication

Regards

Farrukh

chaitu_kranthi Tue, 08/05/2008 - 01:58

Hi,

I observed that my TACACS user is logging into the device using HTTP, but he is getting priv-level = 1; the user already has priv-level = 15. Please advise me.

Aug 5 09:53:29.492: HTTP: Authentication username = 'gkc' priv-level = 1 auth-type = aaa
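An added example, not part of the original thread: a Python script that reads `debug ip http authentication` output in the format quoted above, rejoins records that an 80-column console capture has hard-wrapped, and reports users whose HTTP login landed below the privilege level they hold on the TACACS+ server. The sample log, the `netadmin` user and the `expected` mapping are constructed assumptions.

```python
import re

# Constructed sample in the format of the debug line quoted in the thread;
# the first record is hard-wrapped the way an 80-column console capture is.
SAMPLE = """\
Aug 5 09:53:29.492: HTTP: Authentication username = 'gkc' priv-level = 1 auth-t
ype = aaa
Aug 5 09:55:02.118: HTTP: Authentication username = 'netadmin' priv-level = 15 auth-type = aaa
Aug 5 09:56:40.007: HTTP: Authentication username = 'gkc' priv-level = 1 auth-type = aaa
"""

# A new debug record starts with a timestamp such as "Aug 5 09:53:29.492:".
RECORD_START = re.compile(r"^\*?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}: ")
HTTP_AUTH = re.compile(
    r"HTTP: Authentication username = '(?P<user>[^']*)' "
    r"priv-level = (?P<priv>\d+) auth-type = (?P<method>\S+)"
)

def unwrap(text):
    """Rejoin records that the terminal split across lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue  # forum pastes often double-space the output
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # continuation: the wrap cut mid-token, add no space
    return records

def http_logins(text):
    """Yield (user, priv_level, auth_type) for each HTTP authentication record."""
    for record in unwrap(text):
        m = HTTP_AUTH.search(record)
        if m:
            yield m["user"], int(m["priv"]), m["method"]

def below_expected(text, expected):
    """Map user -> set of HTTP levels seen below the level in `expected` (assumed input)."""
    findings = {}
    for user, priv, _ in http_logins(text):
        if user in expected and priv < expected[user]:
            findings.setdefault(user, set()).add(priv)
    return findings

if __name__ == "__main__":
    print(below_expected(SAMPLE, {"gkc": 15, "netadmin": 15}))
```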
