Cisco 1240 Wireless access point configuration steps through ACS

Unanswered Question
Aug 24th, 2008

Hi,

I need configuration steps for my Cisco wireless access point.

I want to access the device using Telnet as well as http.

I am able to access it through Telnet using a TACACS user, but I am unable to access the device using HTTP. Please send the configuration steps for the same.

Premdeep Banga Sun, 08/24/2008 - 10:01

!-- Local username for fallback
username admin privilege 15 password
aaa new-model
aaa cache profile admin_cache
 all
aaa group server tacacs+ tac_admin
 server
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa authentication login default cache tac_admin group tac_admin local
aaa authorization exec default cache tac_admin group tac_admin local
ip http server
ip http authentication aaa
tacacs-server host key
ip tacacs source-interface BVI1

Regards,

Prem

Please rate if it helps!

Premdeep Banga Sun, 08/24/2008 - 10:04

Plus,

On your TACACS server, give the account/group with which you are trying to log in the "Shell (exec)" privilege and pass the "Privilege Level" as 15.

If the Tacacs server is ACS, then please refer to following link for ACS configuration part,

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00804b9dbb.shtml#acs

NOTE: do not follow the "Group Configuration" part; that is not required for the latest IOS these days.

Regards,

Prem

Please rate if it helps!
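To show the whole AP side that Prem's two posts describe in one place (cache-backed TACACS+ login, exec authorization carrying the privilege level, and the HTTP server pointed at AAA), here is an added, annotated configuration. It is an example written for this page, not Prem's text or Cisco's: the server address 10.0.0.10, the shared key MyTacacsKey and the local fallback password are placeholders to substitute, and it assumes the ACS shell profile returns privilege level 15 as Prem's second post describes and that the AP's IOS supports the aaa cache commands used above.

```ios
! Added example, not from the original post. 10.0.0.10, MyTacacsKey and
! LocalFallbackPass are placeholders; replace them with your own values.
aaa new-model
!
! Local account used only when every TACACS+ server is unreachable
! (the "local" method is consulted on error, not on a reject from ACS).
username admin privilege 15 secret LocalFallbackPass
!
! Cache profile: "all" caches authentication and authorization replies
! for every user, so the GUI's repeated requests are answered locally.
aaa cache profile admin_cache
 all
!
aaa group server tacacs+ tac_admin
 server 10.0.0.10
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
! Method order: cache first, then live TACACS+, then local fallback.
! With "default" lists these apply to vty (Telnet) lines automatically.
aaa authentication login default cache tac_admin group tac_admin local
aaa authorization exec default cache tac_admin group tac_admin local
!
tacacs-server host 10.0.0.10 key MyTacacsKey
ip tacacs source-interface BVI1
!
! The HTTP server must be told to use AAA explicitly; the IOS default for
! "ip http authentication" is the enable password, which never goes through
! the exec-authorization step that assigns privilege 15.
ip http server
ip http secure-server
ip http authentication aaa
!
end
```

When checking this on the AP, "debug aaa authentication", "debug aaa authorization" and "debug tacacs" show the login request and the priv-lvl that ACS returns for the browser session, and "show aaa cache group tac_admin" lists the cached entries. Two caveats a practitioner should keep in mind with the thread's configuration: plain "ip http server" carries the TACACS+ username and password in cleartext HTTP Basic authentication, so once "ip http secure-server" works it is better to remove the plain listener, and a "tacacs-server key 7 ..." line as pasted later in this thread is only obfuscated, not encrypted, so it should not be shared in a public post.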

chaitu_kranthi Mon, 08/25/2008 - 04:00

Hi,

Thanks For your reply,

Now the problem for me is that after doing all the steps as above, I am able to telnet to the device using the TACACS U/N & P/W. But after issuing the commands

ip http server
ip http secure-server

when I am trying to access the device using http:

it is directly prompting me for the "level-1" U/N & P/W. I tried with the TACACS U/N & P/W and it is accepting my U/N & P/W, but I am still getting level one access only.

please help me on this.

Present configuration:

LAMNYFABAP1#sh run | inc tacacs
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 010752100F5B05
ip http server
ip http secure-server
LAMNYFABAP1#

Premdeep Banga Mon, 08/25/2008 - 04:04

This is not what we should have in configuration.

Please refer to my earlier post. You are missing the cache commands; without them, you'll be prompted again and again.

Please follow the commands provided earlier.

Regards,

Prem

Premdeep Banga Mon, 08/25/2008 - 04:06

Plus,

You have command authorization configured on the AP,

aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

Make sure that you use a profile that is allowed to execute all the commands.

Regards,

Prem

chaitu_kranthi Mon, 08/25/2008 - 04:21

Yes,

The user has level 15 access.

When I telnet to the device it works fine with the TACACS U/N & P/W, with full level 15 access.

The interesting thing is that when I am trying to access the device using http:

it is prompting me to type the level 1 password. Is there anything extra I have to do for HTTP access?

Please find the attachments.
Premdeep Banga Mon, 08/25/2008 - 04:23

You need to have *cache* command in your configuration. Please refer to my very first post.

Regards,

Prem

chaitu_kranthi Mon, 08/25/2008 - 04:30

So,

How can I get level 15 access there?

Because the user who has level 15 access is able to connect through Telnet, but the same user is not getting full access using HTTP.

Premdeep Banga Mon, 08/25/2008 - 04:33

What I assume is happening at this moment is, you type the correct username/password and you get prompted again for username/password. Am I correct ?

Regards,

Prem

chaitu_kranthi Mon, 08/25/2008 - 04:35

No, it is allowing me to access HTTP with the TACACS U/N & P/W. But there I am getting level 1 access only, I mean read-only access.

But the same user has level 15 access in Telnet.

Premdeep Banga Mon, 08/25/2008 - 04:37

You type the user/pass, and the AP displays the page completely. Then when you click on Security, does it prompt you again? And are you able to go into that section successfully?

Regards,

Prem

Premdeep Banga Mon, 08/25/2008 - 05:03

If you are able to access the Security section, then you have privilege 15/full access.

Then if you go to the Admin Access section, you'll see that no option is selected there, which might confuse you.

If you want the changes to be reflected properly in the GUI, then add the commands that I provided in the first post.

The AP will always prompt you for level 1 access during authentication. Once authenticated, it will start the authorization phase, which is completely different from authentication, and depending on what you have configured on the ACS, the client will be allowed appropriate access. But the first authentication prompt will say level 1, be it local authentication or TACACS authentication.

Regards,

Prem
