Cisco 1240 Wireless access point configuration steps through ACS

Unanswered Question
Aug 24th, 2008
User Badges:

Hi,

I need configuration steps for my Cisco Wireless access point.

I want to access the device using Telnet as well as http.

I am able to access it through telnet using a TACACS user, but I am unable to access the device using http. Please send the configuration steps for the same.

Premdeep Banga Sun, 08/24/2008 - 10:01
User Badges:
  • Gold, 750 points or more

!-- Local username for fallback
username admin privilege 15 password

aaa new-model

!-- Cache profile that stores the TACACS+ authentication/authorization results
aaa cache profile admin_cache
 all

!-- TACACS+ server group that uses the cache profile
aaa group server tacacs+ tac_admin
 server
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache

!-- Method lists: cache first, then the TACACS+ group, then local fallback
aaa authentication login default cache tac_admin group tac_admin local
aaa authorization exec default cache tac_admin group tac_admin local

!-- HTTP access authenticated through the AAA method lists
ip http server
ip http authentication aaa

tacacs-server host key
ip tacacs source-interface BVI1



Regards,

Prem


Please rate if it helps!

Premdeep Banga Sun, 08/24/2008 - 10:04
User Badges:
  • Gold, 750 points or more

Plus,


On your Tacacs server, give the account/group with which you are trying to log in the "Shell (exec)" privilege and pass the "Privilege Level" as 15.


If the Tacacs server is ACS, then please refer to the following link for the ACS configuration part:

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00804b9dbb.shtml#acs


NOTE: do not follow the "Group Configuration" part; that is not required for the latest IOS these days.


Regards,

Prem


Please rate if it helps!

chaitu_kranthi Mon, 08/25/2008 - 04:00
User Badges:

Hi,


Thanks For your reply,


Now the problem for me is, after doing all the steps as above, I am able to telnet to the device using the TACACS U/N & P/W. But after issuing the commands

ip http server

ip http secure-server


when I am trying to access the device using http:


it is directly prompting me for the "level-1" U/N & P/W. I tried with the TACACS U/N & P/W and it is accepting my U/N & P/W, but still I am getting level one access only.


Please help me on this.


Present Configuration:

LAMNYFABAP1#sh run | inc tacacs
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 010752100F5B05

ip http server
ip http secure-server

LAMNYFABAP1#




Premdeep Banga Mon, 08/25/2008 - 04:04
User Badges:
  • Gold, 750 points or more

This is not what we should have in configuration.


Please refer to my earlier post. You are missing the cache commands; without them, you'll be prompted again and again.


Please follow the commands provided before.


Regards,

Prem

Premdeep Banga Mon, 08/25/2008 - 04:06
User Badges:
  • Gold, 750 points or more

Plus,


You have command authorization configured on the AP,


aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated


Make sure that you use a profile that is allowed to execute all the commands.


Regards,

Prem

chaitu_kranthi Mon, 08/25/2008 - 04:21
User Badges:

Yes,


The user has Level 15 access.


When I telnet to the device it works fine with the TACACS U/N & P/W, with full level 15 access.


The interesting thing is, when I am trying to access the device using http:


It is prompting me to type the level 1 password. Is there anything extra I have to do for http access?


Please find the attachments.



Premdeep Banga Mon, 08/25/2008 - 04:23
User Badges:
  • Gold, 750 points or more

You need to have *cache* command in your configuration. Please refer to my very first post.


Regards,

Prem

Premdeep Banga Mon, 08/25/2008 - 04:26
User Badges:
  • Gold, 750 points or more

AFAIK It will always prompt you for Level 1 access first.


Regards,

Prem

chaitu_kranthi Mon, 08/25/2008 - 04:30
User Badges:

So,


How can I get Level 15 access there?


Because the user who has level 15 access is able to connect through telnet, but the same user is not getting full access using http.

Premdeep Banga Mon, 08/25/2008 - 04:33
User Badges:
  • Gold, 750 points or more

What I assume is happening at this moment is, you type the correct username/password and you get prompted again for username/password. Am I correct ?


Regards,

Prem

chaitu_kranthi Mon, 08/25/2008 - 04:35
User Badges:

No, it is allowing me to access http with the TACACS U/N & P/W. But there I am getting level 1 access only, I mean read-only access.


But the same user has level 15 access in telnet.

Premdeep Banga Mon, 08/25/2008 - 04:37
User Badges:
  • Gold, 750 points or more

You type the user/pass, the AP displays the page completely. Then when you click on Security, it prompts you again? And are you able to go into that section successfully?


Regards,

Prem

Premdeep Banga Mon, 08/25/2008 - 05:03
User Badges:
  • Gold, 750 points or more

If you are able to access the security section, then you have privilege 15/full access.


Then if you go to the Admin Access section, you'll see that no option is selected in that section, which might confuse you.


If you want the changes to reflect properly on the GUI, then add the commands that I provided in the first post.


The AP will always prompt you for Level 1 access during authentication. Once authenticated, it will start the authorization phase, which is completely different than authentication, and depending upon what you have configured on the ACS, the client will be allowed the appropriate access. But the first authentication prompt will contain Level 1, be it local authentication or tacacs authentication.


Regards,

Prem
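As an added example (not from the thread, Cisco or ACS), a small Python lint that reads a pasted IOS running-config and reports the gaps this thread turns on: no "ip http authentication aaa", no "cache" entry in the login/exec method lists, or a server group that lacks the cache profile lines. Both sample configs are constructed from the posts above; the TACACS+ server address is a placeholder.

```python
import re

# Constructed sample: the poster's filtered "sh run | inc tacacs" output plus
# the http line, as shown in the thread (type-7 key copied as posted).
POSTER_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
tacacs-server host x.x.x.x
tacacs-server key 7 010752100F5B05
ip http server
"""

# Constructed sample: the first answer's AAA/HTTP lines, with a placeholder
# for the TACACS+ server address the thread left out.
RECOMMENDED_CONFIG = """\
aaa cache profile admin_cache
 all
aaa group server tacacs+ tac_admin
 server TACACS_SERVER_PLACEHOLDER
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa authentication login default cache tac_admin group tac_admin local
aaa authorization exec default cache tac_admin group tac_admin local
ip http server
ip http authentication aaa
"""

def lint_http_aaa(config):
    """Return findings; empty means HTTP login follows the first answer's setup."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    find = lambda p: next((l for l in lines if l.startswith(p)), None)
    findings = []
    if find("ip http server") and not find("ip http authentication aaa"):
        findings.append("missing 'ip http authentication aaa': HTTP keeps the default "
                        "enable-password check, so the ACS privilege level is never applied")
    for kind in ("aaa authentication login default", "aaa authorization exec default"):
        line = find(kind) or ""
        m = re.search(r"\bcache (\S+)", line)
        if line and not m:
            findings.append(f"'{kind}' has no 'cache <group>' method (thread: re-prompts)")
        if m:  # the cache group must exist and carry both cache profile lines
            hdr = f"aaa group server tacacs+ {m.group(1)}"
            sub = []
            for l in (lines[lines.index(hdr) + 1:] if hdr in lines else []):
                if not l.startswith(" "): break
                sub.append(l.strip())
            for need in ("cache authentication profile", "cache authorization profile"):
                if not any(s.startswith(need) for s in sub):
                    findings.append(f"group {m.group(1)} lacks '{need} <name>'")
    return list(dict.fromkeys(findings))  # dedupe, keep order
```

Run it over a full "show running-config" rather than a filtered one, since "inc tacacs" hides the http and cache lines it checks for.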
