Solved: AAA on WebUI 4710

Collin Clark · ‎10-22-2008

I have AAA configured and working on an ACE 4710 appliance for SSH. The web interface only works with the local database. I don't see anything in the security guide about the web interface (only states telnet and ssh). Anyone else seeing this?

andrew.burns · ‎10-22-2008

Hi Collin,

It does work - I have two in our lab that I've set up for AAA and it works fine.

Check this out:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/UGadmin.html#wp1244296

I only have one local user (admin) and all others on ACS Server, using this test ACE config:

tacacs-server host 1.2.3.4 key cisco

aaa group server tacacs+ TACACS

server 1.2.3.4

aaa authentication login default group TACACS local

aaa authentication login console none

aaa accounting default group TACACS local

aaa authentication login error-enable

ACS Server needs some special config though, which is detailed here:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wp1411787

HTH

Andrew.

View solution in original post

andrew.burns · ‎10-22-2008

Hi Collin,

It does work - I have two in our lab that I've set up for AAA and it works fine.

Check this out:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/UGadmin.html#wp1244296

I only have one local user (admin) and all others on ACS Server, using this test ACE config:

tacacs-server host 1.2.3.4 key cisco

aaa group server tacacs+ TACACS

server 1.2.3.4

aaa authentication login default group TACACS local

aaa authentication login console none

aaa accounting default group TACACS local

aaa authentication login error-enable

ACS Server needs some special config though, which is detailed here:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wp1411787

HTH

Andrew.

Collin Clark · ‎10-22-2008

Andrew-

I had the correct config, except for the following line-

aaa accounting default group TACACS local

I don't understand how accounting would enable the WebUI AAA access, but it works now. Thanks.

Two ACEs in your lab? Lucky dog!

andrew.burns · ‎10-22-2008

that wouldn't be the first bit of CLI weirdness - I need two ACE's to validate that the FT works and I've yet to have an explanation of why I need to change the native VLAN to get FT working....

Andrew.

Collin Clark · ‎10-22-2008

I had some trouble with FT as well and opened a case up. I was configuring FT as below-

interface gigabitEthernet 1/3

description FT Access Port

speed 100M

duplex FULL

ft-port vlan 200

no shutdown

I was receiving a ton of errors on my switch ports. I hard set everything, auto everything, and still a bunch of errors. I then tried to trunk on my switch ports and they came up just fine. In the WebUI I could not set the port to trunk or switch (both grayed out) and I got an error stating it was an FT port and you can't configure it. After some more troubleshooting, we found out that the ft-port command forces the port in trunk mode (TAC wanted the port in switchport mode). By removing the ft-port command, you can set the port to switchport and set it to whatever vlan you want. Here is my current working port config-

interface gigabitEthernet 1/3

description FT Access Port

speed 100M

duplex FULL

switchport access vlan 200

no shutdown

When I asked for an explanation, they stated that the fact about the ft-port forces it to trunk and that option is there in case you want to trunk your FT traffic with your data traffic!

andrew.burns · ‎10-22-2008

Exactly my issue too, which begs the question of what the "ft-port" command actually does if you don't need it to get FT working...

Andrew.