08-24-2008 06:15 AM - edited 03-10-2019 04:03 PM
Hi,
I need configuration steps for my Cisco wireless access point.
I want to access the device using Telnet as well as HTTP.
I am able to access it through Telnet using a TACACS user, but I am unable to access the device using HTTP. Please send the configuration steps for the same.
08-24-2008 10:01 AM
!-- Local username for fallback
username admin privilege 15 password
aaa new-model
aaa cache profile admin_cache
 all
aaa group server tacacs+ tac_admin
 server
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
aaa authentication login default cache tac_admin group tac_admin local
aaa authorization exec default cache tac_admin group tac_admin local
ip http server
ip http authentication aaa
tacacs-server host
ip tacacs source-interface BVI1
Regards,
Prem
Please rate if it helps!
08-24-2008 10:04 AM
Plus,
On your Tacacs server, give the account/group with which you are trying to login the "Shell(exec)" privilege and pass the "Privilege Level" as 15.
If the Tacacs server is ACS, then please refer to the following link for the ACS configuration part:
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00804b9dbb.shtml#acs
NOTE: Do not follow the "Group Configuration" part; that is not required for the latest IOS these days.
Regards,
Prem
Please rate if it helps!
08-25-2008 04:00 AM
Hi,
Thanks for your reply.
Now the problem for me is that, after doing all the steps as above, I am able to telnet to the device using the TACACS U/N & P/W. But after issuing the commands
ip http server
ip http secure-server
when I am trying to access the device using http:
it is directly prompting me for the "level-1" U/N & P/W. I tried with the TACACS U/N & P/W and it is accepting my U/N & P/W, but still I am getting level one access only.
Please help me with this.
Present Configuration:
LAMNYFABAP1#sh run | inc tacacs
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 010752100F5B05
ip http server
ip http secure-server
LAMNYFABAP1#
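Added example, not part of the thread and not Cisco code: a short Python check that compares a pasted configuration with the settings named in the first reply (`ip http authentication aaa`, the cache profile, local fallback) and flags the other AAA lines in the excerpt above. The finding codes are made up for this example, and the sample input is the excerpt from the post above.

```python
import re

# Constructed sample: the "Present Configuration" lines quoted in the post above.
PRESENT = """\
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 010752100F5B05
ip http server
ip http secure-server
"""

def audit(config):
    """Return finding codes (hypothetical names) for the HTTP/AAA settings in this thread."""
    lines = [l.strip() for l in config.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]

    def grab(pattern):
        # First capture group of every line that matches the whole pattern.
        return [m.group(1) for l in lines if (m := re.fullmatch(pattern, l))]

    findings = []
    http_on = "ip http server" in lines or "ip http secure-server" in lines
    if http_on and "ip http authentication aaa" not in lines:
        findings.append("http-auth-not-aaa")      # web logins not tied to AAA method lists
    if "ip http server" in lines:
        findings.append("http-cleartext")         # plain HTTP listener: logins unencrypted
    defined = set(grab(r"aaa cache profile (\S+)"))
    used = set(grab(r"cache (?:authentication|authorization) profile (\S+)"))
    if not defined:
        findings.append("no-aaa-cache")           # the cache commands from the first reply
    findings += [f"cache-profile-undefined:{p}" for p in sorted(used - defined)]
    for methods in grab(r"aaa authentication login default (.+)"):
        if "local" not in methods.split():
            findings.append("no-local-fallback")  # lockout if TACACS+ is unreachable
    levels = grab(r"aaa authorization commands (\d+) default .+")
    if levels:
        findings.append("command-authz:" + ",".join(levels))  # server profile must permit commands
    if grab(r"tacacs-server key (7) \S+"):
        findings.append("type7-key")              # reversible encoding, not a hash
    return findings

if __name__ == "__main__":
    for code in audit(PRESENT):
        print(code)
```

The excerpt was produced with `sh run | inc tacacs`, so a finding such as `http-auth-not-aaa` only means the line is not in the pasted text; run the check against the full `show running-config` before drawing conclusions.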
08-25-2008 04:04 AM
This is not what we should have in configuration.
Please refer to my earlier post. You are missing the cache commands; without them, you'll be prompted again and again.
Please follow the commands provided before.
Regards,
Prem
08-25-2008 04:06 AM
Plus,
You have command authorization configured on the AP,
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
Make sure that you use a profile that is allowed to execute all the commands.
Regards,
Prem
08-25-2008 04:21 AM
Yes,
The user has Level 15 access.
When I am doing telnet to the device, it is working fine with the TACACS U/N & P/W with full level 15 access.
The interesting thing is that when I am trying to access the device using http:
it is prompting me to type the level 1 password. Is there anything extra I have to do for HTTP access?
Please find the attachments.
08-25-2008 04:23 AM
You need to have *cache* command in your configuration. Please refer to my very first post.
Regards,
Prem
08-25-2008 04:26 AM
AFAIK it will always prompt you for Level 1 access first.
Regards,
Prem
08-25-2008 04:30 AM
So,
How can I get Level 15 access there?
Because the user who has level 15 access is able to connect through telnet, but the same user is not getting full access using HTTP.
08-25-2008 04:33 AM
What I assume is happening at this moment is, you type the correct username/password and you get prompted again for username/password. Am I correct?
Regards,
Prem
08-25-2008 04:35 AM
No, it is allowing me to access HTTP with the TACACS U/N & P/W. But there I am getting level 1 access only, I mean read-only access.
But the same user has level 15 access in telnet.
08-25-2008 04:37 AM
You type the user/pass, and the AP displays the page completely. Then when you click on Security, it prompts you again? And are you able to go into that section successfully?
Regards,
Prem
08-25-2008 05:03 AM
If you are able to access the Security section, then you have privilege 15/full access.
Then if you go to the Admin Access section, you'll see that no option is selected in that section, which might confuse you.
If you want the changes to reflect properly on the GUI, then add the commands that I provided in the first post.
The AP will always prompt you for Level 1 access during authentication; once authenticated, it will start the authorization phase, which is completely different from authentication. And depending upon what you have configured on the ACS, the client will be allowed appropriate access. But the first authentication prompt will contain Level 1, be it local authentication or TACACS authentication.
Regards,
Prem
09-17-2008 01:05 PM