
Configure HTTP Login Authentication use Radius/Ace Server SecurID Tokens

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

Hello,

I want to configure HTTP login authentication on a 2950 or a router using RADIUS and an ACE Server with SecurID tokens, i.e. OTP (One Time Password).

2950 configuration:

router#sh run

version 12.1

hostname router

aaa new-model

aaa authentication login default group radius

aaa authentication login vtymethod_radius group radius

aaa authorization exec default group radius

aaa authorization exec vtymethod_radius group radius

enable password xxxxxxxxx

!

interface Vlan1

ip address 10.2.2.129 255.255.0.0

!

ip http server

ip http authentication aaa

!

radius-server host 172.18.1.26 auth-port 1645 acct-port 1646

radius-server retransmit 3

radius-server key xxxxxxxxxx

!

line con 0

stopbits 1

line vty 0

exec-timeout 0 0

privilege level 15

password xxxxxxxxxxx

line vty 1 4

exec-timeout 0 0

privilege level 15

password xxxxxxxxxx

authorization exec vtymethod_radius

login authentication vtymethod_radius

line vty 5 15

!

end

router#

My ACE and RADIUS server has IP 172.18.1.25.

When I use the static password configured on my ACE, there is no problem connecting with HTTP.

I launch my browser: http://10.2.2.129.

It asks me for the login and password; I use the static password: xxxxxxxxxxxx - 1234

I arrive at:

Cisco Systems

Accessing Cisco WS-routerC-24 "router"

I click on Web Console - Manage the Switch through the web interface.

It asks me for the password again: xxxxxxxxxxxx - 1234

And that's OK.

Here is the trace when it works (you can note that between the 2950 and the Radius/ACE Server there is an exchange of the static password for every downloaded object):

router#

Jul 23 12:34:44.991: AAA/MEMORY: create_user (0x80CCE1EC) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0

Jul 23 12:34:44.991: AAA/AUTHEN/START (2836047894): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN

Jul 23 12:34:44.995: AAA/AUTHEN/START (2836047894): found list vtymethod_radius

Jul 23 12:34:44.995: AAA/AUTHEN/START (2836047894): Method=radius (radius)

Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): status = GETUSER

Jul 23 12:34:44.995: AAA/AUTHEN/CONT (2836047894): continue_login (user='(undef)')

Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): status = GETUSER

Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): Method=radius (radius)

Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): status = GETPASS

Jul 23 12:34:44.999: AAA/AUTHEN/CONT (2836047894): continue_login (user='xxxxxxxxxxxx')

Jul 23 12:34:44.999: AAA/AUTHEN (2836047894): status = GETPASS

Jul 23 12:34:44.999: AAA/AUTHEN (2836047894): Method=radius (radius)

Jul 23 12:34:44.999: RADIUS: ustruct sharecount=1

Jul 23 12:34:45.003: RADIUS: Initial Transmit tty5 id 179 172.18.1.26:1645, Access-Request, len 74

Jul 23 12:34:45.003: Attribute 4 6 0A020281

Jul 23 12:34:45.003: Attribute 5 6 00000005

Jul 23 12:34:45.003: Attribute 61 6 00000005

Jul 23 12:34:45.003: Attribute 1 5 6477611F

Jul 23 12:34:45.003: Attribute 31 13 3137322E

Jul 23 12:34:45.003: Attribute 2 18 39852A89

Jul 23 12:34:47.107: RADIUS: Received from id 179 172.18.1.26:1645, Access-Accept, len 52

Jul 23 12:34:47.107: Attribute 18 21 50415353

Jul 23 12:34:47.107: Attribute 6 6 00000006

Jul 23 12:34:47.107: Attribute 1 5 64776164

Jul 23 12:34:47.107: RADIUS: saved authorization data for user 80CCE1EC at 80CCE358

Jul 23 12:34:47.111: AAA/AUTHEN (2836047894): status = PASS

Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): Port='tty5' list='vtymethod_radius' service=EXEC

Jul 23 12:34:47.111: AAA/AUTHOR/HTTP: tty5 (2755968236) user='xxxxxxxxxxxx'

Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): send AV service=shell

Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): send AV cmd*

Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): found list "vtymethod_radius"

Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): Method=radius (radius)

Jul 23 12:34:47.115: AAA/AUTHOR (2755968236): Post authorization status = PASS_ADD

Jul 23 12:34:47.115: HTTP: received GET ''

Jul 23 12:34:47.159: AAA/MEMORY: free_user (0x80CCE1EC) user='xxxxxxxxxxxx' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0

Jul 23 12:34:48.915: HTTP: parsed uri '/homepage.htm'

Jul 23 12:34:48.915: HTTP: client version 1.0

Jul 23 12:34:48.915: HTTP: parsed extension Accept

Jul 23 12:34:48.915: HTTP: parsed extension Referer

Jul 23 12:34:48.915: HTTP: parsed extension Accept-Language

Jul 23 12:34:48.915: HTTP: parsed extension User-Agent

Jul 23 12:34:48.919: HTTP: parsed extension Authorization

Jul 23 12:34:48.919: HTTP: parsed authorization type Basic

Jul 23 12:34:48.919: HTTP: parsed extension Via

Jul 23 12:34:48.919: HTTP: parsed extension X-Forwarded-For

Jul 23 12:34:48.919: HTTP: parsed extension Host

Jul 23 12:34:48.919: HTTP: parsed extension Cache-Control

Jul 23 12:34:48.919: HTTP: parsed extension Connection

Jul 23 12:34:48.923: HTTP: Authentication for url '/homepage.htm' '/homepage.htm' level 15 privless '/homepage.htm'

Jul 23 12:34:48.923: HTTP: Authentication username = 'xxxxxxxxxxxx' priv-level = 15 auth-type = aaa

Jul 23 12:34:48.923: AAA: parse name=tty5 idb type=-1 tty=-1

Jul 23 12:34:48.923: AAA: name=tty5 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=5 channel=0

Jul 23 12:34:48.923: AAA/MEMORY: create_user (0x80D514A8) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0

Jul 23 12:34:48.923: AAA/AUTHEN/START (3860340525): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN

Jul 23 12:34:48.927: AAA/AUTHEN/START (3860340525): found list vtymethod_radius

Jul 23 12:34:48.927: AAA/AUTHEN/START (3860340525): Method=radius (radius)

Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): status = GETUSER

Jul 23 12:34:48.927: AAA/AUTHEN/CONT (3860340525): continue_login (user='(undef)')

Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): status = GETUSER

Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): Method=radius (radius)

Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): status = GETPASS

Jul 23 12:34:48.931: AAA/AUTHEN/CONT (3860340525): continue_login (user='xxxxxxxxxxxx')

Jul 23 12:34:48.931: AAA/AUTHEN (3860340525): status = GETPASS

Jul 23 12:34:48.931: AAA/AUTHEN (3860340525): Method=radius (radius)

Jul 23 12:34:48.931: RADIUS: ustruct sharecount=1

Jul 23 12:34:48.935: RADIUS: Initial Transmit tty5 id 180 172.18.1.26:1645, Access-Request, len 74

Jul 23 12:34:48.935: Attribute 4 6 0A020281

Jul 23 12:34:48.935: Attribute 5 6 00000005

Jul 23 12:34:48.935: Attribute 61 6 00000005

Jul 23 12:34:48.935: Attribute 1 5 6477611F

Jul 23 12:34:48.935: Attribute 31 13 3137322E

Jul 23 12:34:48.935: Attribute 2 18 9C378E51

Jul 23 12:34:51.047: RADIUS: Received from id 180 172.18.1.26:1645, Access-Accept, len 52

Jul 23 12:34:51.047: Attribute 18 21 50415353

Jul 23 12:34:51.047: Attribute 6 6 00000006

Jul 23 12:34:51.047: Attribute 1 5 64776164

Jul 23 12:34:51.051: RADIUS: saved authorization data for user 80D514A8 at 80D51DE0

Jul 23 12:34:51.051: AAA/AUTHEN (3860340525): status = PASS

,etc ...

When I use the OTP configured on my ACE, there is a problem connecting with HTTP.

I launch my browser: http://10.2.2.129.

It asks me for the login and password; I use the first OTP: bab - 8038249352

I arrive at

Cisco Systems

Accessing Cisco WS-routerC-24 "router"

I click on Web Console - Manage the Switch through the web interface.

It asks me for the password again: bab - 8038948533

I download one Java object and it asks me for an OTP again for the following objects.

I enter the next OTP again, and so on...

After many OTPs, I get an HTTP error in my browser (java.lang.IndexOutOfBoundsException: Index 0, Size 0) with Java version 1.4.0.

Here is the trace when it doesn't work:

3 REPLIES

Re: Configure HTTP Login Authentication use Radius/Ace Server Se

C2950#

Jul 23 12:02:32.823: HTTP: parsed uri '/homepage.htm'

Jul 23 12:02:32.823: HTTP: client version 1.0

Jul 23 12:02:32.823: HTTP: parsed extension Accept

Jul 23 12:02:32.827: HTTP: parsed extension Referer

Jul 23 12:02:32.827: HTTP: parsed extension Accept-Language

Jul 23 12:02:32.827: HTTP: parsed extension User-Agent

Jul 23 12:02:32.827: HTTP: parsed extension Authorization

Jul 23 12:02:32.827: HTTP: parsed authorization type Basic

Jul 23 12:02:32.827: HTTP: parsed extension Via

Jul 23 12:02:32.827: HTTP: parsed extension X-Forwarded-For

Jul 23 12:02:32.831: HTTP: parsed extension Host

Jul 23 12:02:32.831: HTTP: parsed extension Cache-Control

Jul 23 12:02:32.831: HTTP: parsed extension Connection

Jul 23 12:02:32.831: HTTP: Authentication for url '/homepage.htm' '/homepage.htm' level 15 privless '/homepage.htm'

Jul 23 12:02:32.831: HTTP: Authentication username = 'bab' priv-level = 15 auth-type = aaa

Jul 23 12:02:32.831: AAA: parse name=tty5 idb type=-1 tty=-1

Jul 23 12:02:32.831: AAA: name=tty5 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=5 channel=0

Jul 23 12:02:32.835: AAA/MEMORY: create_user (0x80E0C820) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0

Jul 23 12:02:32.835: AAA/AUTHEN/START (240300930): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN

Jul 23 12:02:32.835: AAA/AUTHEN/START (240300930): found list vtymethod_radius

Jul 23 12:02:32.835: AAA/AUTHEN/START (240300930): Method=radius (radius)

Jul 23 12:02:32.835: AAA/AUTHEN (240300930): status = GETUSER

Jul 23 12:02:32.835: AAA/AUTHEN/CONT (240300930): continue_login (user='(undef)')

Jul 23 12:02:32.835: AAA/AUTHEN (240300930): status = GETUSER

Jul 23 12:02:32.839: AAA/AUTHEN (240300930): Method=radius (radius)

Jul 23 12:02:32.839: AAA/AUTHEN (240300930): status = GETPASS

Jul 23 12:02:32.839: AAA/AUTHEN/CONT (240300930): continue_login (user='bab')

Jul 23 12:02:32.839: AAA/AUTHEN (240300930): status = GETPASS

Jul 23 12:02:32.839: AAA/AUTHEN (240300930): Method=radius (radius)

Jul 23 12:02:32.839: RADIUS: ustruct sharecount=1

Jul 23 12:02:32.843: RADIUS: Initial Transmit tty5 id 157 172.18.1.26:1645, Access-Request, len 74

Jul 23 12:02:32.847: Attribute 4 6 0A020281

Jul 23 12:02:32.847: Attribute 5 6 00000005

Jul 23 12:02:32.847: Attribute 61 6 00000005

Jul 23 12:02:32.847: Attribute 1 5 6261621F

Jul 23 12:02:32.847: Attribute 31 13 3137322E

Jul 23 12:02:32.847: Attribute 2 18 C385E406

Jul 23 12:02:35.875: RADIUS: Received from id 157 172.18.1.26:1645, Access-Reject, len 37

Jul 23 12:02:35.875: Attribute 18 17 41636365

Jul 23 12:02:35.879: RADIUS: saved authorization data for user 80E0C820 at 0

Jul 23 12:02:35.879: AAA/AUTHEN (240300930): status = FAIL

Jul 23 12:02:35.879: HTTP: Authentication failed

Jul 23 12:02:35.883: HTTP: authorization rejected

Jul 23 12:02:35.883: AAA/MEMORY: free_user (0x80E0C820) user='bab' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0

Jul 23 12:02:54.684: HTTP: parsed uri '/homepage.htm'

Jul 23 12:02:54.684: HTTP: client version 1.0

Jul 23 12:02:54.684: HTTP: parsed extension Accept

Jul 23 12:02:54.684: HTTP: parsed extension Referer

Jul 23 12:02:54.684: HTTP: parsed extension Accept-Language

Jul 23 12:02:54.684: HTTP: parsed extension User-Agent

Jul 23 12:02:54.684: HTTP: parsed extension Authorization

Jul 23 12:02:54.684: HTTP: parsed authorization type Basic

Jul 23 12:02:54.688: HTTP: parsed extension Via

Jul 23 12:02:54.688: HTTP: parsed extension X-Forwarded-For

Jul 23 12:02:54.688: HTTP: parsed extension Host

Jul 23 12:02:54.688: HTTP: parsed extension Cache-Control

Jul 23 12:02:54.688: HTTP: parsed extension Connection

Jul 23 12:02:54.688: HTTP: Authentication for url '/homepage.htm' '/homepage.htm' level 15 privless '/homepage.htm'

Jul 23 12:02:54.688: HTTP: Authentication username = 'bab' priv-level = 15 auth-type = aaa

Jul 23 12:02:54.692: AAA: parse name=tty5 idb type=-1 tty=-1

Jul 23 12:02:54.692: AAA: name=tty5 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=5 channel=0

Jul 23 12:02:54.692: AAA/MEMORY: create_user (0x80E0CA64) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0

Jul 23 12:02:54.692: AAA/AUTHEN/START (3621916037): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN

Jul 23 12:02:54.692: AAA/AUTHEN/START (3621916037): found list vtymethod_radius

Jul 23 12:02:54.692: AAA/AUTHEN/START (3621916037): Method=radius (radius)

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETUSER

Jul 23 12:02:54.696: AAA/AUTHEN/CONT (3621916037): continue_login (user='(undef)')

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETUSER

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): Method=radius (radius)

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETPASS

Jul 23 12:02:54.696: AAA/AUTHEN/CONT (3621916037): continue_login (user='bab')

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETPASS

Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): Method=radius (radius)

Jul 23 12:02:54.700: RADIUS: ustruct sharecount=1

Jul 23 12:02:54.700: RADIUS: Initial Transmit tty5 id 158 172.18.1.26:1645, Access-Request, len 74

Jul 23 12:02:54.704: Attribute 4 6 0A020281

Jul 23 12:02:54.704: Attribute 5 6 00000005

Jul 23 12:02:54.704: Attribute 61 6 00000005

Jul 23 12:02:54.704: Attribute 1 5 6261621F

Jul 23 12:02:54.704: Attribute 31 13 3137322E

Jul 23 12:02:54.704: Attribute 2 18 3246801A

Jul 23 12:02:57.840: RADIUS: Received from id 158 172.18.1.26:1645, Access-Accept, len 52

Jul 23 12:02:57.840: Attribute 18 21 50415353

Jul 23 12:02:57.840: Attribute 6 6 00000006

Jul 23 12:02:57.840: Attribute 1 5 62616264

Jul 23 12:02:57.844: RADIUS: saved authorization data for user 80E0CA64 at 80D52EAC

Jul 23 12:02:57.844: AAA/AUTHEN (3621916037): status = PASS

FAIL FAIL PASS FAIL FAIL PASS...

Remarks:

-> when I use HyperTerminal (vty), it works very well in both cases (OTP and static password)

-> I have tried with different Java runtimes (1.3.1 - 1.4.0, same results).

-> I have tried on several PCs (172.17.6.20 - 172.18.1.116) -> no better results.

So my questions are:

-> Is it possible to configure HTTP login authentication with RADIUS / ACE SecurID token OTP?

-> If yes, why doesn't it work?

Thank You..
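The `debug radius` lines in the trace above only show each attribute's type, length and first four value bytes, which is enough to recover most of what the switch sent and what ACE answered. The following decoder is an added example, not code from the original post or from Cisco; it feeds the two exchanges (ids 157 and 158) copied from the failing trace through a small parser, names the attributes per RFC 2865, and pairs each Access-Request with its reply by identifier. The attribute and value tables are the subset needed for this trace, and the sample input is the trace text itself.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two RADIUS exchanges (ids 157 and 158) copied from the
# failing-OTP trace above, timestamps kept exactly as IOS prints them.
SAMPLE = """\
Jul 23 12:02:32.843: RADIUS: Initial Transmit tty5 id 157 172.18.1.26:1645, Access-Request, len 74
Jul 23 12:02:32.847: Attribute 4 6 0A020281
Jul 23 12:02:32.847: Attribute 5 6 00000005
Jul 23 12:02:32.847: Attribute 61 6 00000005
Jul 23 12:02:32.847: Attribute 1 5 6261621F
Jul 23 12:02:32.847: Attribute 31 13 3137322E
Jul 23 12:02:32.847: Attribute 2 18 C385E406
Jul 23 12:02:35.875: RADIUS: Received from id 157 172.18.1.26:1645, Access-Reject, len 37
Jul 23 12:02:35.875: Attribute 18 17 41636365
Jul 23 12:02:54.700: RADIUS: Initial Transmit tty5 id 158 172.18.1.26:1645, Access-Request, len 74
Jul 23 12:02:54.704: Attribute 4 6 0A020281
Jul 23 12:02:54.704: Attribute 5 6 00000005
Jul 23 12:02:54.704: Attribute 61 6 00000005
Jul 23 12:02:54.704: Attribute 1 5 6261621F
Jul 23 12:02:54.704: Attribute 31 13 3137322E
Jul 23 12:02:54.704: Attribute 2 18 3246801A
Jul 23 12:02:57.840: RADIUS: Received from id 158 172.18.1.26:1645, Access-Accept, len 52
Jul 23 12:02:57.840: Attribute 18 21 50415353
Jul 23 12:02:57.840: Attribute 6 6 00000006
Jul 23 12:02:57.840: Attribute 1 5 62616264
"""

# RFC 2865 attribute numbers and enumerations that occur in this trace.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 18: "Reply-Message",
              31: "Calling-Station-Id", 61: "NAS-Port-Type"}
SERVICE_TYPES = {1: "Login-User", 6: "Administrative-User", 7: "NAS-Prompt-User"}
NAS_PORT_TYPES = {0: "Async", 5: "Virtual", 15: "Ethernet"}

TX_RE = re.compile(r"RADIUS: Initial Transmit \S+ id (\d+) (\S+), (Access-Request), len (\d+)")
RX_RE = re.compile(r"RADIUS: Received from id (\d+) (\S+), (Access-(?:Accept|Reject|Challenge)), len (\d+)")
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{8})")


@dataclass
class Packet:
    ident: int
    server: str
    code: str
    length: int
    attrs: list = field(default_factory=list)   # (attribute name, decoded value)


def decode_attr(atype, alen, hex4):
    """Decode the 4-byte prefix IOS prints. alen includes the 2-byte header,
    so the value is alen-2 bytes long and only min(alen-2, 4) of the printed
    bytes belong to it (the rest is whatever follows in the buffer)."""
    raw = bytes.fromhex(hex4)[: max(0, min(alen - 2, 4))]
    name = ATTR_NAMES.get(atype, f"Attr-{atype}")
    if atype == 4 and len(raw) == 4:
        return name, ".".join(str(b) for b in raw)
    if atype in (5, 6, 61) and len(raw) == 4:
        val = int.from_bytes(raw, "big")
        table = {5: {}, 6: SERVICE_TYPES, 61: NAS_PORT_TYPES}[atype]
        return name, table.get(val, str(val))
    if atype == 2:
        # Never cleartext on the wire: RFC 2865 XORs the password with
        # MD5(shared-secret + Request-Authenticator) in 16-byte blocks, so the
        # length is a multiple of 16 and the prefix says nothing without the secret.
        return name, f"<{alen - 2} bytes, MD5-obfuscated>"
    text = raw.decode("ascii", "replace")     # text attribute: first 4 chars at most
    return name, text + ("..." if alen - 2 > 4 else "")


def parse_debug(lines):
    """Group 'Attribute' lines under the preceding Transmit/Received line."""
    packets, cur = [], None
    for line in lines:
        m = TX_RE.search(line) or RX_RE.search(line)
        if m:
            cur = Packet(int(m.group(1)), m.group(2), m.group(3), int(m.group(4)))
            packets.append(cur)
            continue
        m = ATTR_RE.search(line)
        if m and cur is not None:
            cur.attrs.append(decode_attr(int(m.group(1)), int(m.group(2)), m.group(3)))
    return packets


def outcomes(packets):
    """Pair each Access-Request with the reply carrying the same 8-bit identifier."""
    requests = {p.ident: p for p in packets if p.code == "Access-Request"}
    result = []
    for p in packets:
        if p.code != "Access-Request" and p.ident in requests:
            user = dict(requests[p.ident].attrs).get("User-Name", "?")
            result.append((p.ident, user, p.code))
    return result


PACKETS = parse_debug(SAMPLE.splitlines())

if __name__ == "__main__":
    for p in PACKETS:
        print(f"id {p.ident} {p.code} len {p.length}")
        for name, value in p.attrs:
            print(f"    {name} = {value}")
    print(outcomes(PACKETS))
```

Run as a script it shows NAS-IP-Address 10.2.2.129 (the Vlan1 address), NAS-Port 5 with NAS-Port-Type Virtual (the HTTP session is tty5), User-Name bab, Calling-Station-Id beginning 172. (the browser's address), a 16-byte obfuscated User-Password, and then the reply: Access-Reject with a Reply-Message starting "Acce", followed by Access-Accept with Reply-Message "PASS..." and Service-Type Administrative-User, which is what gives the HTTP session privilege 15.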


Re: Configure HTTP Login Authentication use Radius/Ace Server Se

Hello,

Unfortunately, for web login, whether it's with the switch/router or the PIX on PDM, one-time passwords don't work due to multiple authentication requests, sorry!

Mynul
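The answer above comes down to how HTTP Basic authentication interacts with `ip http authentication aaa`: the browser caches the user:password pair after one prompt and re-sends it, base64-encoded rather than encrypted, in the Authorization header of every object it fetches, and the switch forwards each of those to RADIUS as a fresh Access-Request. With a static password every re-send passes; with a SecurID tokencode the first re-send is a replay and is rejected, the browser drops the cached value and prompts again, and the user burns one tokencode per object until none are left. The model below is an added example, not code from the original thread, Cisco or RSA: the backends, the browser behaviour and the object sequence are constructed stand-ins (the OTP backend is a toy "each code valid once, in order" rule, not RSA's real algorithm), and the user name, static password and tokencodes are the values quoted in the post.

```python
import base64
from itertools import repeat


class StaticPasswordBackend:
    """Stands in for ACE in 'static password' mode: the same secret passes every time."""

    def __init__(self, users):
        self.users = users

    def check(self, user, password):
        return self.users.get(user) == password


class OneTimePasswordBackend:
    """Toy model of a SecurID-style token server (not RSA's real algorithm):
    a tokencode is valid once, and only the next unused code in the user's
    sequence is accepted, so re-sending an already-used code is a replay and fails."""

    def __init__(self, codes):
        self.pending = list(codes)
        self.used = set()

    def check(self, user, password):
        if password in self.used or not self.pending or password != self.pending[0]:
            return False
        self.used.add(self.pending.pop(0))
        return True


class HttpServerWithAaa:
    """The IOS side with 'ip http authentication aaa': every request that
    carries an Authorization header is sent to the backend again, as a new
    Access-Request, exactly as the trace shows one exchange per object."""

    def __init__(self, backend):
        self.backend = backend
        self.results = []           # one PASS/FAIL per backend round trip

    def get(self, authorization):
        creds = base64.b64decode(authorization.split(" ", 1)[1]).decode()
        user, _, password = creds.partition(":")
        ok = self.backend.check(user, password)
        self.results.append("PASS" if ok else "FAIL")
        return 200 if ok else 401


class BasicAuthBrowser:
    """HTTP Basic semantics: after one prompt the browser caches user:password
    for the realm and silently re-sends it on every later request; a 401
    clears the cache and prompts the user again."""

    def __init__(self, user, typed_passwords):
        self.user = user
        self.typed = iter(typed_passwords)
        self.cached = None
        self.prompts = 0

    def fetch(self, server):
        while True:
            if self.cached is None:
                try:
                    self.cached = next(self.typed)      # the user types a password
                except StopIteration:
                    return 401                          # no more codes to type
                self.prompts += 1
            token = base64.b64encode(f"{self.user}:{self.cached}".encode()).decode()
            if server.get("Basic " + token) == 200:
                return 200
            self.cached = None      # rejected: forget it and prompt again


def load_page(backend, typed_passwords, object_count=3):
    """Fetch homepage.htm plus (object_count - 1) embedded objects, each one a
    separate authenticated GET, and report what the user and backend saw."""
    server = HttpServerWithAaa(backend)
    browser = BasicAuthBrowser("bab", typed_passwords)
    statuses = [browser.fetch(server) for _ in range(object_count)]
    return statuses, browser.prompts, server.results


# Constructed runs: "1234" and the two tokencodes are the values quoted in the
# post; three objects stand in for the web console's homepage and applets.
STATIC_RUN = load_page(StaticPasswordBackend({"bab": "1234"}), repeat("1234"))
OTP_RUN = load_page(OneTimePasswordBackend(["8038249352", "8038948533"]),
                    ["8038249352", "8038948533"])

if __name__ == "__main__":
    print("static password  :", STATIC_RUN)   # one prompt, every object passes
    print("one-time password:", OTP_RUN)      # FAIL after every PASS, then out of codes
```

The backend log for the OTP run comes out as PASS, FAIL, PASS, FAIL: the same alternation the debug output above shows, with the FAIL being the browser's automatic re-send of a code that has already been consumed. A VTY (Telnet/HyperTerminal) session authenticates once and then keeps the EXEC session, which is why the OP sees no problem there. The only fixes are to stop re-authenticating every object (a session cookie or form login, which this IOS HTTP server does not offer) or to use a reusable credential for HTTP, which is what the reply recommends by implication.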


Re: Configure HTTP Login Authentication use Radius/Ace Server Se

Thank You for your answer.
