10-22-2008 06:24 AM
I have AAA configured and working on an ACE 4710 appliance for SSH. The web interface only works with the local database. I don't see anything in the security guide about the web interface (only states telnet and ssh). Anyone else seeing this?
10-22-2008 07:12 AM
Hi Collin,
It does work - I have two in our lab that I've set up for AAA and it works fine.
Check this out:
I only have one local user (admin) and all others on ACS Server, using this test ACE config:
tacacs-server host 1.2.3.4 key cisco
aaa group server tacacs+ TACACS
server 1.2.3.4
aaa authentication login default group TACACS local
aaa authentication login console none
aaa accounting default group TACACS local
aaa authentication login error-enable
ACS Server needs some special config though, which is detailed here:
HTH
Andrew.
10-22-2008 07:22 AM
Andrew-
I had the correct config, except for the following line-
aaa accounting default group TACACS local
I don't understand how accounting would enable the WebUI AAA access, but it works now. Thanks.
Two ACEs in your lab? Lucky dog!
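An added example, not code from the thread: a small Python lint for an ACE AAA snippet that checks what this exchange turned on, namely that the server group's members are defined hosts, that the default login list names a defined group with a local fallback, that a default accounting list is present (the line Collin was missing before the WebUI used AAA), and that a console method of `none` is flagged as an unauthenticated path. The sample configs are constructed from Andrew's posted lines; the 1.2.3.4 host and the shared secret are the thread's placeholder values.

```python
import re

# Constructed from the thread: Collin's config before the accounting line was added.
CONFIG_BEFORE = """\
tacacs-server host 1.2.3.4 key cisco
aaa group server tacacs+ TACACS
 server 1.2.3.4
aaa authentication login default group TACACS local
aaa authentication login console none
aaa authentication login error-enable
"""
# The working config from the thread: same lines plus default accounting.
CONFIG_AFTER = CONFIG_BEFORE + "aaa accounting default group TACACS local\n"


def lint_ace_aaa(config: str) -> list[str]:
    """Return a list of findings for an ACE AAA configuration snippet."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    hosts = set(re.findall(r"^tacacs-server host (\S+)", config, re.M))
    groups = {}  # group name -> member servers listed under it
    current = None
    for ln in lines:
        m = re.match(r"aaa group server tacacs\+ (\S+)", ln)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and ln.startswith("server "):
            groups[current].append(ln.split()[1])
        else:
            current = None  # any other line ends the group block
    # Every group member must be a defined tacacs-server host.
    for name, members in groups.items():
        for srv in members:
            if srv not in hosts:
                findings.append(f"group {name} references undefined server {srv}")
    login = [ln for ln in lines if ln.startswith("aaa authentication login default ")]
    if not login:
        findings.append("no default login method list")
    else:
        m = re.search(r"group (\S+)", login[0])
        if m and m.group(1) not in groups:
            findings.append(f"default login uses undefined group {m.group(1)}")
        if not login[0].endswith(" local"):
            findings.append("default login has no local fallback")
    # Thread's finding: the WebUI only used AAA once default accounting was configured.
    if not any(ln.startswith("aaa accounting default ") for ln in lines):
        findings.append("no default accounting list (WebUI may fall back to local DB)")
    # 'none' on the console method list means an unauthenticated console session.
    if "aaa authentication login console none" in lines:
        findings.append("console login method is 'none' (unauthenticated)")
    return findings
```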
10-22-2008 07:29 AM
That wouldn't be the first bit of CLI weirdness - I need two ACEs to validate that the FT works and I've yet to have an explanation of why I need to change the native VLAN to get FT working....
Andrew.
10-22-2008 07:39 AM
I had some trouble with FT as well and opened a case up. I was configuring FT as below-
interface gigabitEthernet 1/3
description FT Access Port
speed 100M
duplex FULL
ft-port vlan 200
no shutdown
I was receiving a ton of errors on my switch ports. I hard set everything, auto everything, and still a bunch of errors. I then tried to trunk on my switch ports and they came up just fine. In the WebUI I could not set the port to trunk or switch (both grayed out) and I got an error stating it was an FT port and you can't configure it. After some more troubleshooting, we found out that the ft-port command forces the port in trunk mode (TAC wanted the port in switchport mode). By removing the ft-port command, you can set the port to switchport and set it to whatever vlan you want. Here is my current working port config-
interface gigabitEthernet 1/3
description FT Access Port
speed 100M
duplex FULL
switchport access vlan 200
no shutdown
When I asked for an explanation, they stated that the fact about the ft-port forces it to trunk and that option is there in case you want to trunk your FT traffic with your data traffic!
10-22-2008 07:57 AM
Exactly my issue too, which begs the question of what the "ft-port" command actually does if you don't need it to get FT working...
Andrew.