Cisco 3850 TACACS Issues

Mar 3rd, 2014

Guys


I have a Cisco 3850 running the latest code 3.3.2

GUI access (using Chrome) was working fine until we implemented TACACS.

Now we find we can access the GUI but not all screens work.

For instance - the WLANs are listed but you can't drill down into them for the detail.

Additionally, things like the Radius Servers and Method Lists are not displayed.

It reverts back to normal once TACACS is enabled.

I suspect it is tied in to the fact that the GUI access is also not working with TACACS and hence it may be a privilege issue.


Here are the relevant parts of the config:

aaa new-model
!
!
aaa group server tacacs+ default
 server name NW0001
 server name NW1002
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius HJstaff
 server name nl0010
 server name nl1010
!
aaa group server radius GFWEUR
 server name nw0001
 server name nw1002
!
aaa group server radius HJGuest
 server name nl0010
 server name nl1010
!
aaa authentication banner  CUnauthorised access is strictly prohibited.
aaa authentication fail-message  CAuthentication failed. Your password is incorrect or the AAA server is unavailable. Please try again or use local account.
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x HJstaff-Authentication group HJstaff
aaa authentication dot1x GFWEUR-Authentication group GFWEUR
aaa authentication dot1x HJGuest-Authentication group HJGuest
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network cwa_macfilter group HJGuest
aaa authorization credential-download default-webauth local
aaa accounting identity HJstaff-Accounting start-stop group HJstaff
aaa accounting identity GFWEUR-Accounting start-stop group GFWEUR
aaa accounting identity HJGuest-Accounting start-stop group HJGuest
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa cache profile admin_cache all

ip http server
ip http authentication local
ip http secure-server


I think the issue may be that ip http authentication local needs to be changed.


Any thoughts?


Regards


Roger

Overall Rating: 2 (1 ratings)
Rasika Nayanajith Mon, 03/03/2014 - 23:56

Hi Roger,


The GUI of these platforms is not as good as it should be.


I would stick with the CLI until it gets solid.


HTH

Rasika


**** Pls rate all useful responses ****
