04-28-2003 02:41 AM - edited 03-10-2019 07:16 AM
I'm trying to access the CMS of a Cisco 3550 SMI, IOS 12.1(11)EA1, with this aaa configuration:
aaa new-model
aaa authentication login login-pwd group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec accounting start-stop group tacacs+
aaa accounting commands 15 accounting start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host <A.B.C.D>
tacacs-server attempts 5
tacacs-server timeout 10
tacacs-server key <********>
line vty 0 4
accounting commands 15 accounting
accounting exec accounting
login authentication login-pwd
ip http server
ip http authentication aaa
If I use tacacs+ to access the switch via vty 0 4, I use the username and password (privilege level = 15) configured in ACS 3.0 with no problem (sh tacacs confirms this). But if I use the same username and password (or the password only) to access the web console of the switch, it doesn't work:
AUTHORIZATION REQUIRED
Browser not authentication capable or authentication failed.
The browser is IE 6.0 SP1, the JRE plug-in is 1.31, the switch IP address is in trusted sites, and all Java is enabled (everything is configured as reported in the document Troubleshooting CMS).
If I remove aaa (no aaa new-model) and set ip http authentication enable, I can access the web console using the enable password with no problem (I also tried Netscape 7.0, but with no results).
I do not use any proxy.
I'm going crazy (very close to opening a TAC case).
04-29-2003 05:16 AM
You just need to set the Service-Type attribute (no. 6) to "Administrative" on your ACS and it should work!
Bye ...
04-29-2003 06:51 AM
Thank you for your help.
I have a doubt: why should I modify an IETF RADIUS attribute to work it out?
Should I change this attribute for the administrators group only?
I'm using tacacs+ (Cisco IOS) for my AAA client (Catalyst switches) setup.
I tried the setting you suggested (but I didn't understand your goal), but it still does not work.
Any other suggestion?
Thank you
04-29-2003 08:42 AM
Sorry... I'm completely out!
Of course, if you are using tacacs+, you don't need to modify RADIUS settings.
I have never tried to do what you want in tacacs+. The goal of the command I gave you was to set the privileges of your administrator group to the maximum.
So with tacacs, I suggest that you verify that your administrator group has Privilege level set to 15 in the tacacs settings of your group in ACS.
04-29-2003 08:48 AM
To do what I told you, you have to go into the tacacs settings of your group and:
- tick the option "Shell (exec)"
- tick the option "Privilege level" and enter the value "15"
I hope it'll work!
04-29-2003 09:22 AM
Well, I tried to do it in tacacs and it works fine with CMS and ACS... No problem with what I told you about privileges in tacacs settings.
Bye.
08-07-2003 07:08 AM
Hi. Did you ever get this to work? AAA with CMS? I have set up tacacs and have had to use all defaults for the config. The issue I am having on my switches is that stand-alone everything works, but as soon as I create a cluster and try to log into http, I get the first login, which goes fine. But after the Java login prompt comes up, I begin to get a login prompt for every single command that is run, and after about 30 or so I also begin to get a login for all the interfaces as they are displayed. I have AAA set to allow access when already authorized. I must be missing something.
01-24-2008 06:01 AM
I am having the exact same issue as described by mayer. 3750 series stack, running the latest release (upgraded to see if it resolved the issue, but it did not).
Release: c3750-ipservices-mz.122-44.SE.bin
When configured with aaa new-model and ip http authentication set to local, all works fine, but as soon as I set the ip http authentication to the default list (which holds my tacacs and then local user), it prompts me a couple of hundred times for username/password.
I am aware that some releases require different configuration (some require the aaa config under vty lines, others under console). The release I am running holds ip http v1.1 and should support the ip http authentication method. However, it fails.
Hope somebody found a solution.
Leo
PS: it is not for me, I prefer to use the CLI, but I like to provide CDM access to some co-workers.
08-19-2004 08:06 AM
I had the same problem but did what BABARCHE suggested and it worked fine.
Do the following in the user's ACS TACACS+ settings:
tick Shell (exec)
tick Privilege level and enter 15 in the value
09-09-2004 05:17 AM
I used this information to get SDM working in my network (when TAC was no help at all).
There was one additional command that I needed to add on the router (and switches for http authentication).
aaa authorization exec default group tacacs+
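As an added example (not from anyone in this thread, and not Cisco's own tooling), here is a small Python audit that flags the configuration pattern discussed above: `ip http authentication aaa` relies on the default AAA method lists, so a config that only defines a named login list (as in the original post) or that lacks `aaa authorization exec default ...` (the fix in the last post) is reported. The sample config is constructed from the thread; the tacacs-server address is a placeholder.

```python
"""Heuristic, line-based check of an IOS running-config for the HTTP/AAA mismatch
discussed in this thread. Added example; SAMPLE_CONFIG is constructed, not a real device."""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login login-pwd group tacacs+ enable
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.0.2.10
line vty 0 4
 login authentication login-pwd
ip http server
ip http authentication aaa
"""


def audit_http_aaa(config: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    lines = [ln.strip() for ln in config.splitlines()]

    def has(pattern: str) -> bool:
        # Match at the start of a (stripped) config line only.
        return any(re.match(pattern, ln) for ln in lines)

    findings: list[str] = []
    # Nothing to check if the web server is off or not using AAA.
    if not (has(r"ip http server$") or has(r"ip http secure-server$")):
        return findings
    if not has(r"ip http authentication aaa"):
        return findings
    if not has(r"aaa new-model$"):
        findings.append("ip http authentication aaa is set but aaa new-model is missing")
    # The HTTP server authenticates with the *default* login list, not a named one.
    if not has(r"aaa authentication login default "):
        findings.append("no 'aaa authentication login default' list; "
                        "HTTP uses the default login list, not named lists bound to vty")
    # The web UI runs at privilege 15 and needs exec authorization to get there.
    if not has(r"aaa authorization exec default "):
        findings.append("no 'aaa authorization exec default' list; "
                        "the web console needs exec authorization (privilege 15 from ACS)")
    return findings


if __name__ == "__main__":
    for finding in audit_http_aaa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```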