CMS & ACS 3.0 please help

admin_2
Level 3

I'm trying to access CMS on a Cisco 3550 SMI, IOS 12.1(11)EA1, with this AAA configuration:

aaa new-model
aaa authentication login login-pwd group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec accounting start-stop group tacacs+
aaa accounting commands 15 accounting start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
tacacs-server host <A.B.C.D>
tacacs-server attempts 5
tacacs-server timeout 10
tacacs-server key <********>
line vty 0 4
 accounting commands 15 accounting
 accounting exec accounting
 login authentication login-pwd
ip http server
ip http authentication aaa

If I use TACACS+ to access the switch via vty 0 4, I use the username and password (privilege level 15) configured in ACS 3.0 with no problem (sh tacacs confirms this). But if I use the same username and password (or the password only) to access the web console of the switch, it doesn't work:

AUTHORIZATION REQUIRED

Browser not authentication capable or authentication failed.

The browser is IE 6.0 SP1, the JRE plug-in is 1.31, the switch IP address is in trusted sites and all Java is enabled (everything is configured as described in the document Troubleshooting CMS).

If I remove AAA (no aaa new-model) and set ip http authentication enable, I can access the web console using the enable password with no problem (I also tried Netscape 7.0, but with no results).

I do not use any proxy.

I'm going crazy (very close to opening a TAC case).

9 Replies

BABARCHE
Level 1

You just need to set the Service-Type attribute (no. 6) to "Administrative" on your ACS and it should work!

Bye ...

Not applicable

thank You for Your help

I have a doubt: why should I modify an IETF RADIUS attribute to make this work?

Should I change this attribute for the administrators group only?

I'm using TACACS+ (Cisco IOS) for my AAA client (Catalyst switches) setup.

I tried the setting you suggested (though I didn't understand your goal), but it still does not work.

Any other suggestion?

Thank You

Sorry... I'm completely out!

Of course, if you are using TACACS+, you don't need to modify RADIUS settings.

I have never tried to do what you want in TACACS+. The goal of the setting I gave you was to put the privileges of your administrator group to the maximum.

So with TACACS, I suggest that you verify that your administrator group has Privilege level set to 15 in the TACACS+ settings of your group in ACS.

To do what I told you, you have to go into the TACACS+ settings of your group and:

- check the option "Shell (exec)"

- check the option "Privilege level" and enter the value "15"

I hope it'll work!

Well, I tried to do it in TACACS+ and it works fine with CMS and ACS... No problem with what I told you about privileges in the TACACS+ settings.

bye.

mayer
Level 1

Hi. Did you ever get this to work, AAA with CMS? I have set up TACACS and have had to use all defaults for the config. The issue I am having on my switches is that stand-alone everything works, but as soon as I create a cluster and try to log into HTTP, I get the first login, which goes fine; but after the Java login prompt comes up, I begin to get a login prompt for every single command that is run, and after about 30 or so I also begin to get a login for all the interfaces as they are displayed. I have AAA set to allow access when already authorized. I must be missing something.

I am having the exact same issue as described by mayer. 3750 series stack, running the latest release (upgraded to see if it resolved the issue, but it did not).

Release: c3750-ipservices-mz.122-44.SE.bin

When configured with aaa new-model and ip http authentication local, all works fine, but as soon as I set ip http authentication to the default list (which holds my TACACS and then the local user), it prompts me a couple of hundred times for username/password.

I am aware that some releases require different configuration (some require the AAA config under the vty lines, others under the console). The release I am running has ip http v1.1 and should support the ip http authentication method. However, it fails.

Hope somebody has found a solution.

Leo

PS: it is not for me, I prefer to use the CLI, but I would like to provide CDM access to some co-workers.

paul.kyte
Level 1

I had the same problem but did what BABARCHE suggested and it worked fine.

Do the following in the user's ACS TACACS+ settings:

tick Shell (exec)

tick Privilege level and enter 15 in the value

I used this information to get SDM working in my network (when TAC was no help at all).

There was one additional command that I needed to add on the router (and switches for http authentication).

aaa authorization exec default group tacacs+
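Putting the thread's advice together, here is an added example configuration; it is not from any post in this thread and not Cisco's own documentation. It takes the original poster's AAA setup and adds the pieces BABARCHE and paul.kyte describe. It assumes (my reading, not stated anywhere in the thread) that "ip http authentication aaa" consults the default login-authentication and exec-authorization method lists, whereas the original config only defines the named list login-pwd, which the vty lines use. <A.B.C.D> and <key> are placeholders.

```cisco
! Added example, not posted by anyone in this thread.
! Placeholders: <A.B.C.D> = ACS server address, <key> = shared TACACS+ key.
aaa new-model
!
! Named login list kept for the vty lines (as in the original post)
aaa authentication login login-pwd group tacacs+ enable
!
! Assumption from the lead-in: the HTTP server uses the DEFAULT lists, so
! give the default lists the same TACACS+ servers and the same enable fallback
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
!
! The line paul.kyte had to add: exec authorization is how the switch learns
! the privilege level (15) carried by the ACS group's Shell (exec) settings,
! which is what the web console needs before it lets the user in
aaa authorization exec default group tacacs+
!
aaa accounting exec accounting start-stop group tacacs+
aaa accounting commands 15 accounting start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
tacacs-server host <A.B.C.D>
tacacs-server attempts 5
tacacs-server timeout 10
tacacs-server key <key>
!
ip http server
ip http authentication aaa
!
line vty 0 4
 login authentication login-pwd
 accounting exec accounting
 accounting commands 15 accounting
!
! ACS 3.0 side (per BABARCHE and paul.kyte), in the group's or user's
! TACACS+ settings:
!   [x] Shell (exec)
!   [x] Privilege level   value: 15
```

Two things worth checking before relying on this. First, "aaa authorization exec default" also applies to every line that has no line-specific authorization list, vty 0 4 included, so a TACACS+ server that is unreachable would block exec on those lines too; the example mirrors the thread and uses only group tacacs+, and adding a fallback method (for instance "aaa authorization exec default group tacacs+ local" together with a local user) avoids locking yourself out. Second, "debug aaa authentication" and "debug aaa authorization" show which method list the switch consults when the browser connects and what ACS answers, and "show tacacs" (the "sh tacacs" in the original post) shows whether the requests reach the server at all. On releases that support them, the "ip http authentication aaa login-authentication" and "exec-authorization" keywords let the HTTP server use a named list instead of the default ones.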