
Cisco 1240 Wireless access point configuration steps through ACS

chaitu_kranthi
Level 1

Hi,

I need configuration steps for my Cisco wireless access point.

I want to access the device using Telnet as well as HTTP.

I am able to access it through Telnet using a TACACS user, but I am unable to access the device using HTTP. Please send the configuration steps for the same.

14 Replies

Premdeep Banga
Level 7

!-- Local username for fallback
username admin privilege 15 password
!
aaa new-model
!
!-- Cache profile: cache all attributes returned by the TACACS+ server
aaa cache profile admin_cache
 all
!
!-- TACACS+ server group; cache expiry is in hours
aaa group server tacacs+ tac_admin
 server
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
!-- Method lists: consult the cache first, then the server group, then the local user
aaa authentication login default cache tac_admin group tac_admin local
aaa authorization exec default cache tac_admin group tac_admin local
!
!-- HTTP server authenticates through AAA (the default is the enable password)
ip http server
ip http authentication aaa
!
tacacs-server host key
ip tacacs source-interface BVI1

Regards,

Prem

Please rate if it helps!

Plus,

On your Tacacs server, give the account/group with which you are trying to login the "Shell(exec)" privilege and pass the "Privilege Level" as 15.

If the Tacacs server is ACS, then please refer to following link for ACS configuration part,

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00804b9dbb.shtml#acs

NOTE: do not follow the "Group Configuration" part; that is not required for the latest IOS these days.

Regards,

Prem

Please rate if it helps!

Hi,

Thanks for your reply.

Now the problem for me is, after doing all the steps as above, I am able to telnet to the device using the TACACS U/N & P/W. But after issuing the commands

ip http server

ip http secure-server

when I try to access the device using http:

it directly prompts me for the "level-1" U/N & P/W. I tried with the TACACS U/N & P/W and it accepts my U/N & P/W, but I still get level-one access only.

please help me on this.

Present configuration:

LAMNYFABAP1#sh run | inc tacacs
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 010752100F5B05
ip http server
ip http secure-server
LAMNYFABAP1#

This is not what we should have in the configuration.

Please refer to my earlier post. You are missing the cache commands; without them, you'll be prompted again and again.

Please follow the commands provided before.

Regards,

Prem

Plus,

You have command authorization configured on the AP,

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

Make sure that you use a profile that is allowed to execute all the commands.

Regards,

Prem
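The two configs above (the poster's filtered `sh run | inc tacacs` excerpt and Prem's recommended set) lend themselves to a mechanical comparison. The script below is an added example, not code from the thread or from Cisco: it encodes the commands from the first reply as checks, runs them over the pasted config, and flags one thing the thread does not comment on, namely that `tacacs-server key 7 ...` in a pasted config discloses the TACACS+ shared secret, because type 7 is a fixed XOR keystream that anyone can reverse (the decoder is demonstrated on the well-known `0822455D0A16` = `cisco` string, not on the poster's key). Both config samples are constructed here from the thread's text; the server address, shared key and fallback password in the recommended sample (192.0.2.10, placeholder-key, placeholder-secret) are placeholders, since the original post elides them. One caveat: the poster's excerpt is filtered output, so `aaa new-model` and `username` lines would not appear even if configured; run the lint on a full `show running-config` for a real audit.

```python
"""Offline lint: does an IOS access point's AAA config route HTTP admin
access through TACACS+ the way the thread's recommended config does?

Added example, not code from the thread.  Regexes encode the commands given
in the first reply; the address, key and password in RECOMMENDED_CONFIG are
placeholders (assumptions), not values from the page.
"""
import re

# Constructed sample: the `sh run | inc tacacs` excerpt (plus the two ip http
# lines) the original poster pasted.  It is filtered output, so lines such as
# `aaa new-model` or `username ...` would be hidden even if present.
POSTED_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 010752100F5B05
ip http server
ip http secure-server
"""

# Constructed sample: the config recommended in the first reply, with the
# elided server address, shared key and fallback password replaced by
# placeholders (192.0.2.10, placeholder-key, placeholder-secret: assumptions).
RECOMMENDED_CONFIG = """\
username admin privilege 15 password placeholder-secret
aaa new-model
aaa cache profile admin_cache
 all
aaa group server tacacs+ tac_admin
 server 192.0.2.10
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa authentication login default cache tac_admin group tac_admin local
aaa authorization exec default cache tac_admin group tac_admin local
ip http server
ip http authentication aaa
tacacs-server host 192.0.2.10 key placeholder-key
ip tacacs source-interface BVI1
"""

# (description, regex some config line must match).  Leading \s* admits the
# indented sub-mode lines under `aaa group server` / `aaa cache profile`.
REQUIRED = [
    ("aaa new-model", r"^aaa new-model$"),
    ("ip http authentication aaa (HTTP login goes through the AAA lists)",
     r"^ip http authentication aaa$"),
    ("aaa cache profile", r"^aaa cache profile \S+$"),
    ("tacacs+ server group", r"^aaa group server tacacs\+ \S+$"),
    ("server entry inside the group", r"^\s*server \S+$"),
    ("cache authentication profile bound to the group",
     r"^\s*cache authentication profile \S+$"),
    ("cache authorization profile bound to the group",
     r"^\s*cache authorization profile \S+$"),
    ("login list: cache, then group, then local",
     r"^aaa authentication login default cache \S+ group \S+ local$"),
    ("exec authorization: cache, then group, then local",
     r"^aaa authorization exec default cache \S+ group \S+ local$"),
    ("local privilege-15 fallback user", r"^username \S+ privilege 15 "),
]

# Cisco type 7 is a fixed XOR keystream: a two-digit decimal seed selects the
# starting offset, then each hex byte is XORed with the next keystream char.
TYPE7_KEYSTREAM = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext behind a `key 7 ...` / `password 7 ...` string."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type-7 string is a 2-digit seed plus hex byte pairs")
    seed = int(encoded[:2], 10)
    plain = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        plain.append(chr(byte ^ ord(TYPE7_KEYSTREAM[(seed + i) % len(TYPE7_KEYSTREAM)])))
    return "".join(plain)


def audit(config: str) -> list[str]:
    """Return findings; an empty list means every expected command is present."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []
    for description, pattern in REQUIRED:
        if not any(re.match(pattern, ln) for ln in lines):
            findings.append(f"MISSING: {description}")
    for ln in lines:
        if re.match(r"^tacacs-server (host \S+ )?key 7 \S+", ln):
            # Reversible by anyone who can read the config: a pasted config
            # hands out the TACACS+ shared secret.
            findings.append(f"WEAK: type-7 (reversible) TACACS+ key in '{ln.strip()}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("recommended", RECOMMENDED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["OK"]:
            print(" ", finding)
```

Run it as-is to see every missing command for the posted excerpt and a clean result for the recommended one; point `audit()` at your own full running config to use it as a pre-change check. If a config with a type-7 key has ever been pasted anywhere, rotate the TACACS+ shared secret on both the AP and the ACS.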

Yes,

The user has Level 15 access.

When I telnet to the device it works fine with the TACACS U/N & P/W, with full level 15 access.

The interesting thing is, when I try to access the device using http:

it prompts me to type the level 1 password. Is there anything extra I have to do for http access?

Please find the attachments.

You need to have *cache* command in your configuration. Please refer to my very first post.

Regards,

Prem

AFAIK it will always prompt you for Level 1 access first.

Regards,

Prem

So,

How can I get Level 15 access there?

Because the user who has level 15 access is able to connect through telnet, but the same user is not getting full access using http.

What I assume is happening at this moment is, you type the correct username/password and you get prompted again for username/password. Am I correct ?

Regards,

Prem

No, it is allowing me to access http with the TACACS U/N & P/W, but there I get level 1 access only, I mean read-only access.

But the same user has level 15 access in telnet.

You type the user/pass and the AP displays the page completely. Then, when you click on Security, it prompts you again? And are you able to go into that section successfully?

Regards,

Prem

If you are able to access the Security section, then you have privilege 15/full access.

Then if you go to the Admin Access section, you'll see that no option is selected there, which might confuse you.

If you want the changes to be reflected properly in the GUI, then add the commands that I provided in the first post.

The AP will always prompt you for Level 1 access during authentication. Once authenticated, it will start the authorization phase, which is completely different from authentication, and depending upon what you have configured on the ACS, the client will be allowed the appropriate access. But the first authentication prompt will contain Level 1, be it local authentication or TACACS authentication.

Regards,

Prem

First issue the command no aaa new-model using the CLI,

and follow the steps in the attached PDF.

Rate me if it helps.
