07-23-2003 02:20 AM - edited 03-10-2019 07:25 AM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
Hello,
I want to configure HTTP login authentication on a 2950 or a router using RADIUS and an ACE Server with SecurID tokens (OTP, One Time Password).
2950 Configuration :
router#sh run
version 12.1
hostname router
aaa new-model
aaa authentication login default group radius
aaa authentication login vtymethod_radius group radius
aaa authorization exec default group radius
aaa authorization exec vtymethod_radius group radius
enable password xxxxxxxxx
!
interface Vlan1
ip address 10.2.2.129 255.255.0.0
!
ip http server
ip http authentication aaa
!
radius-server host 172.18.1.26 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key xxxxxxxxxx
!
line con 0
stopbits 1
line vty 0
exec-timeout 0 0
privilege level 15
password xxxxxxxxxxx
line vty 1 4
exec-timeout 0 0
privilege level 15
password xxxxxxxxxx
authorization exec vtymethod_radius
login authentication vtymethod_radius
line vty 5 15
!
end
router#
My ACE and RADIUS server has IP 172.18.1.25.
When I use a static password configured on my ACE, there is no problem connecting with HTTP.
I launch my browser: http://10.2.2.129.
It asks me for the login and password; I use the static password: xxxxxxxxxxxx - 1234
I arrive at:
Cisco Systems
Accessing Cisco WS-routerC-24 "router"
I click on Web Console - Manage the Switch through the web interface.
It asks again for the password: xxxxxxxxxxxx - 1234
And that's OK.
Here is the trace when it works (you can see that between the 2950 and the RADIUS/ACE server there is
an exchange of the static password for every downloaded object):
router#
Jul 23 12:34:44.991: AAA/MEMORY: create_user (0x80CCE1EC) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0
Jul 23 12:34:44.991: AAA/AUTHEN/START (2836047894): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN
Jul 23 12:34:44.995: AAA/AUTHEN/START (2836047894): found list vtymethod_radius
Jul 23 12:34:44.995: AAA/AUTHEN/START (2836047894): Method=radius (radius)
Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): status = GETUSER
Jul 23 12:34:44.995: AAA/AUTHEN/CONT (2836047894): continue_login (user='(undef)')
Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): status = GETUSER
Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): Method=radius (radius)
Jul 23 12:34:44.995: AAA/AUTHEN (2836047894): status = GETPASS
Jul 23 12:34:44.999: AAA/AUTHEN/CONT (2836047894): continue_login (user='xxxxxxxxxxxx')
Jul 23 12:34:44.999: AAA/AUTHEN (2836047894): status = GETPASS
Jul 23 12:34:44.999: AAA/AUTHEN (2836047894): Method=radius (radius)
Jul 23 12:34:44.999: RADIUS: ustruct sharecount=1
Jul 23 12:34:45.003: RADIUS: Initial Transmit tty5 id 179 172.18.1.26:1645, Access-Request, len 74
Jul 23 12:34:45.003: Attribute 4 6 0A020281
Jul 23 12:34:45.003: Attribute 5 6 00000005
Jul 23 12:34:45.003: Attribute 61 6 00000005
Jul 23 12:34:45.003: Attribute 1 5 6477611F
Jul 23 12:34:45.003: Attribute 31 13 3137322E
Jul 23 12:34:45.003: Attribute 2 18 39852A89
Jul 23 12:34:47.107: RADIUS: Received from id 179 172.18.1.26:1645, Access-Accept, len 52
Jul 23 12:34:47.107: Attribute 18 21 50415353
Jul 23 12:34:47.107: Attribute 6 6 00000006
Jul 23 12:34:47.107: Attribute 1 5 64776164
Jul 23 12:34:47.107: RADIUS: saved authorization data for user 80CCE1EC at 80CCE358
Jul 23 12:34:47.111: AAA/AUTHEN (2836047894): status = PASS
Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): Port='tty5' list='vtymethod_radius' service=EXEC
Jul 23 12:34:47.111: AAA/AUTHOR/HTTP: tty5 (2755968236) user='xxxxxxxxxxxx'
Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): send AV service=shell
Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): send AV cmd*
Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): found list "vtymethod_radius"
Jul 23 12:34:47.111: tty5 AAA/AUTHOR/HTTP (2755968236): Method=radius (radius)
Jul 23 12:34:47.115: AAA/AUTHOR (2755968236): Post authorization status = PASS_ADD
Jul 23 12:34:47.115: HTTP: received GET ''
Jul 23 12:34:47.159: AAA/MEMORY: free_user (0x80CCE1EC) user='xxxxxxxxxxxx' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0
Jul 23 12:34:48.915: HTTP: parsed uri '/homepage.htm'
Jul 23 12:34:48.915: HTTP: client version 1.0
Jul 23 12:34:48.915: HTTP: parsed extension Accept
Jul 23 12:34:48.915: HTTP: parsed extension Referer
Jul 23 12:34:48.915: HTTP: parsed extension Accept-Language
Jul 23 12:34:48.915: HTTP: parsed extension User-Agent
Jul 23 12:34:48.919: HTTP: parsed extension Authorization
Jul 23 12:34:48.919: HTTP: parsed authorization type Basic
Jul 23 12:34:48.919: HTTP: parsed extension Via
Jul 23 12:34:48.919: HTTP: parsed extension X-Forwarded-For
Jul 23 12:34:48.919: HTTP: parsed extension Host
Jul 23 12:34:48.919: HTTP: parsed extension Cache-Control
Jul 23 12:34:48.919: HTTP: parsed extension Connection
Jul 23 12:34:48.923: HTTP: Authentication for url '/homepage.htm' '/homepage.htm' level 15 privless '/homepage.htm'
Jul 23 12:34:48.923: HTTP: Authentication username = 'xxxxxxxxxxxx' priv-level = 15 auth-type = aaa
Jul 23 12:34:48.923: AAA: parse name=tty5 idb type=-1 tty=-1
Jul 23 12:34:48.923: AAA: name=tty5 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=5 channel=0
Jul 23 12:34:48.923: AAA/MEMORY: create_user (0x80D514A8) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0
Jul 23 12:34:48.923: AAA/AUTHEN/START (3860340525): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN
Jul 23 12:34:48.927: AAA/AUTHEN/START (3860340525): found list vtymethod_radius
Jul 23 12:34:48.927: AAA/AUTHEN/START (3860340525): Method=radius (radius)
Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): status = GETUSER
Jul 23 12:34:48.927: AAA/AUTHEN/CONT (3860340525): continue_login (user='(undef)')
Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): status = GETUSER
Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): Method=radius (radius)
Jul 23 12:34:48.927: AAA/AUTHEN (3860340525): status = GETPASS
Jul 23 12:34:48.931: AAA/AUTHEN/CONT (3860340525): continue_login (user='xxxxxxxxxxxx')
Jul 23 12:34:48.931: AAA/AUTHEN (3860340525): status = GETPASS
Jul 23 12:34:48.931: AAA/AUTHEN (3860340525): Method=radius (radius)
Jul 23 12:34:48.931: RADIUS: ustruct sharecount=1
Jul 23 12:34:48.935: RADIUS: Initial Transmit tty5 id 180 172.18.1.26:1645, Access-Request, len 74
Jul 23 12:34:48.935: Attribute 4 6 0A020281
Jul 23 12:34:48.935: Attribute 5 6 00000005
Jul 23 12:34:48.935: Attribute 61 6 00000005
Jul 23 12:34:48.935: Attribute 1 5 6477611F
Jul 23 12:34:48.935: Attribute 31 13 3137322E
Jul 23 12:34:48.935: Attribute 2 18 9C378E51
Jul 23 12:34:51.047: RADIUS: Received from id 180 172.18.1.26:1645, Access-Accept, len 52
Jul 23 12:34:51.047: Attribute 18 21 50415353
Jul 23 12:34:51.047: Attribute 6 6 00000006
Jul 23 12:34:51.047: Attribute 1 5 64776164
Jul 23 12:34:51.051: RADIUS: saved authorization data for user 80D514A8 at 80D51DE0
Jul 23 12:34:51.051: AAA/AUTHEN (3860340525): status = PASS
,etc ...
When I use an OTP configured on my ACE, there is a problem connecting with HTTP.
I launch my browser: http://10.2.2.129.
It asks me for the login and password; I use the first OTP: bab - 8038249352
I arrive at:
Cisco Systems
Accessing Cisco WS-routerC-24 "router"
I click on Web Console - Manage the Switch through the web interface.
It asks me again for the password: bab - 8038948533
I download one Java object and it asks me again for an OTP for the following objects.
I insert the next OTP again, and so on...
After many OTPs, I get an HTTP error in my browser (java.lang.IndexOutOfBoundsException: Index 0, Size 0) with Java version 1.4.0.
Here is the trace when it doesn't work:
07-23-2003 02:21 AM
C2950#
Jul 23 12:02:32.823: HTTP: parsed uri '/homepage.htm'
Jul 23 12:02:32.823: HTTP: client version 1.0
Jul 23 12:02:32.823: HTTP: parsed extension Accept
Jul 23 12:02:32.827: HTTP: parsed extension Referer
Jul 23 12:02:32.827: HTTP: parsed extension Accept-Language
Jul 23 12:02:32.827: HTTP: parsed extension User-Agent
Jul 23 12:02:32.827: HTTP: parsed extension Authorization
Jul 23 12:02:32.827: HTTP: parsed authorization type Basic
Jul 23 12:02:32.827: HTTP: parsed extension Via
Jul 23 12:02:32.827: HTTP: parsed extension X-Forwarded-For
Jul 23 12:02:32.831: HTTP: parsed extension Host
Jul 23 12:02:32.831: HTTP: parsed extension Cache-Control
Jul 23 12:02:32.831: HTTP: parsed extension Connection
Jul 23 12:02:32.831: HTTP: Authentication for url '/homepage.htm' '/homepage.htm' level 15 privless '/homepage.htm'
Jul 23 12:02:32.831: HTTP: Authentication username = 'bab' priv-level = 15 auth-type = aaa
Jul 23 12:02:32.831: AAA: parse name=tty5 idb type=-1 tty=-1
Jul 23 12:02:32.831: AAA: name=tty5 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=5 channel=0
Jul 23 12:02:32.835: AAA/MEMORY: create_user (0x80E0C820) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0
Jul 23 12:02:32.835: AAA/AUTHEN/START (240300930): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN
Jul 23 12:02:32.835: AAA/AUTHEN/START (240300930): found list vtymethod_radius
Jul 23 12:02:32.835: AAA/AUTHEN/START (240300930): Method=radius (radius)
Jul 23 12:02:32.835: AAA/AUTHEN (240300930): status = GETUSER
Jul 23 12:02:32.835: AAA/AUTHEN/CONT (240300930): continue_login (user='(undef)')
Jul 23 12:02:32.835: AAA/AUTHEN (240300930): status = GETUSER
Jul 23 12:02:32.839: AAA/AUTHEN (240300930): Method=radius (radius)
Jul 23 12:02:32.839: AAA/AUTHEN (240300930): status = GETPASS
Jul 23 12:02:32.839: AAA/AUTHEN/CONT (240300930): continue_login (user='bab')
Jul 23 12:02:32.839: AAA/AUTHEN (240300930): status = GETPASS
Jul 23 12:02:32.839: AAA/AUTHEN (240300930): Method=radius (radius)
Jul 23 12:02:32.839: RADIUS: ustruct sharecount=1
Jul 23 12:02:32.843: RADIUS: Initial Transmit tty5 id 157 172.18.1.26:1645, Access-Request, len 74
Jul 23 12:02:32.847: Attribute 4 6 0A020281
Jul 23 12:02:32.847: Attribute 5 6 00000005
Jul 23 12:02:32.847: Attribute 61 6 00000005
Jul 23 12:02:32.847: Attribute 1 5 6261621F
Jul 23 12:02:32.847: Attribute 31 13 3137322E
Jul 23 12:02:32.847: Attribute 2 18 C385E406
Jul 23 12:02:35.875: RADIUS: Received from id 157 172.18.1.26:1645, Access-Reject, len 37
Jul 23 12:02:35.875: Attribute 18 17 41636365
Jul 23 12:02:35.879: RADIUS: saved authorization data for user 80E0C820 at 0
Jul 23 12:02:35.879: AAA/AUTHEN (240300930): status = FAIL
Jul 23 12:02:35.879: HTTP: Authentication failed
Jul 23 12:02:35.883: HTTP: authorization rejected
Jul 23 12:02:35.883: AAA/MEMORY: free_user (0x80E0C820) user='bab' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0
Jul 23 12:02:54.684: HTTP: parsed uri '/homepage.htm'
Jul 23 12:02:54.684: HTTP: client version 1.0
Jul 23 12:02:54.684: HTTP: parsed extension Accept
Jul 23 12:02:54.684: HTTP: parsed extension Referer
Jul 23 12:02:54.684: HTTP: parsed extension Accept-Language
Jul 23 12:02:54.684: HTTP: parsed extension User-Agent
Jul 23 12:02:54.684: HTTP: parsed extension Authorization
Jul 23 12:02:54.684: HTTP: parsed authorization type Basic
Jul 23 12:02:54.688: HTTP: parsed extension Via
Jul 23 12:02:54.688: HTTP: parsed extension X-Forwarded-For
Jul 23 12:02:54.688: HTTP: parsed extension Host
Jul 23 12:02:54.688: HTTP: parsed extension Cache-Control
Jul 23 12:02:54.688: HTTP: parsed extension Connection
Jul 23 12:02:54.688: HTTP: Authentication for url '/homepage.htm' '/homepage.htm' level 15 privless '/homepage.htm'
Jul 23 12:02:54.688: HTTP: Authentication username = 'bab' priv-level = 15 auth-type = aaa
Jul 23 12:02:54.692: AAA: parse name=tty5 idb type=-1 tty=-1
Jul 23 12:02:54.692: AAA: name=tty5 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=5 channel=0
Jul 23 12:02:54.692: AAA/MEMORY: create_user (0x80E0CA64) user='' ruser='' port='tty5' rem_addr='172.17.6.70' authen_type=ASCII service=LOGIN priv=0
Jul 23 12:02:54.692: AAA/AUTHEN/START (3621916037): port='tty5' list='vtymethod_radius' action=LOGIN service=LOGIN
Jul 23 12:02:54.692: AAA/AUTHEN/START (3621916037): found list vtymethod_radius
Jul 23 12:02:54.692: AAA/AUTHEN/START (3621916037): Method=radius (radius)
Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETUSER
Jul 23 12:02:54.696: AAA/AUTHEN/CONT (3621916037): continue_login (user='(undef)')
Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETUSER
Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): Method=radius (radius)
Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETPASS
Jul 23 12:02:54.696: AAA/AUTHEN/CONT (3621916037): continue_login (user='bab')
Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): status = GETPASS
Jul 23 12:02:54.696: AAA/AUTHEN (3621916037): Method=radius (radius)
Jul 23 12:02:54.700: RADIUS: ustruct sharecount=1
Jul 23 12:02:54.700: RADIUS: Initial Transmit tty5 id 158 172.18.1.26:1645, Access-Request, len 74
Jul 23 12:02:54.704: Attribute 4 6 0A020281
Jul 23 12:02:54.704: Attribute 5 6 00000005
Jul 23 12:02:54.704: Attribute 61 6 00000005
Jul 23 12:02:54.704: Attribute 1 5 6261621F
Jul 23 12:02:54.704: Attribute 31 13 3137322E
Jul 23 12:02:54.704: Attribute 2 18 3246801A
Jul 23 12:02:57.840: RADIUS: Received from id 158 172.18.1.26:1645, Access-Accept, len 52
Jul 23 12:02:57.840: Attribute 18 21 50415353
Jul 23 12:02:57.840: Attribute 6 6 00000006
Jul 23 12:02:57.840: Attribute 1 5 62616264
Jul 23 12:02:57.844: RADIUS: saved authorization data for user 80E0CA64 at 80D52EAC
Jul 23 12:02:57.844: AAA/AUTHEN (3621916037): status = PASS
FAIL FAIL PASS FAIL FAIL PASS...
Remarks:
-> when I use HyperTerminal (vty), it works very well in both cases (OTP and static password)
-> I have tried with different versions of Java (1.3.1 - 1.4.0, same results).
-> I have tried on many PCs (172.17.6.20 - 172.18.1.116) -> no better results.
So my questions are:
-> Is it possible to configure HTTP login authentication with RADIUS / ACE SecurID token OTP?
-> If yes, why doesn't it work?
Thank You..
07-24-2003 02:15 PM
Hello,
Unfortunately, for web login, whether it's with the switch/router or PIX on PDM, one-time passwords don't work due to multiple authentication requests, sorry!
Mynul
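The answer above attributes the failure to multiple authentication requests. As an added illustration that is not part of this thread, the following Python model (hypothetical names StaticVerifier, OtpVerifier and fetch_objects; constructed codes and object paths) reproduces the PASS/FAIL pattern in the trace: the browser re-sends its cached Basic credentials for every object, the switch sends a RADIUS Access-Request for each one, a static password passes every time, while a one-time code is rejected on its second use and the browser prompts for the next one.

```python
# Added example (not from the thread): a model of why HTTP Basic auth to the IOS web
# server works with a static password but burns SecurID one-time codes. All names,
# codes and object paths are constructed.
from collections import deque
class StaticVerifier:
    """RADIUS/ACE with a fixed password: the same secret is valid on every request."""
    def __init__(self, password):
        self.password, self.requests = password, 0

    def access_request(self, secret):
        self.requests += 1                      # one RADIUS Access-Request per call
        return secret == self.password          # True = Access-Accept, False = Access-Reject

class OtpVerifier:
    """RADIUS/ACE with a SecurID token: each code is accepted once, then burned."""
    def __init__(self, codes):
        self.pending, self.used, self.requests = deque(codes), set(), 0

    def access_request(self, secret):
        self.requests += 1
        if secret in self.used:                 # replayed code -> Access-Reject
            return False
        if self.pending and secret == self.pending[0]:
            self.used.add(self.pending.popleft())
            return True
        return False

def fetch_objects(verifier, codes_typed, objects):
    """Browser + 'ip http authentication aaa': the cached Basic credentials are re-sent with
    every object and the switch runs a full AAA login each time; on a reject the browser
    prompts again and the user types the next code from codes_typed."""
    typed = iter(codes_typed)
    secret = next(typed)                        # first login prompt
    log = []
    for obj in objects:
        while True:
            ok = verifier.access_request(secret)
            log.append((obj, "PASS" if ok else "FAIL"))
            if ok:
                break
            secret = next(typed, None)          # browser re-prompts for credentials
            if secret is None:
                return log, "stuck: codes exhausted"
    return log, "ok"
OBJECTS = ["/", "/homepage.htm", "/applet.jar", "/logo.gif"]   # constructed page fetch
if __name__ == "__main__":
    s, o = StaticVerifier("1234"), OtpVerifier(["111111", "222222", "333333"])
    print(fetch_objects(s, ["1234"], OBJECTS), s.requests)
    print(fetch_objects(o, ["111111", "222222", "333333"], OBJECTS), o.requests)
```

With three one-time codes the model issues six RADIUS requests for four objects and ends with the browser still prompting, which is the behaviour the original post describes; the same session with a static password needs four requests and never re-prompts.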
07-28-2003 01:57 AM
Thank You for your answer.