New Member

HTTP authentication via ACS TACACS+.

Hi.

I configured a router for TACACS+ access, and the console and CLI work fine.

HTTP access continually prompts for a password and I can never gain access via the web.

I have tried the various CLI combinations of IP HTTP AUTHENTICATION, but it still does not seem to work with TACACS+.

Debug authentication and authorization are ok (PASS)!

Any suggestions??

Thanks.

Andrea.

  • AAA Identity and NAC
3 REPLIES
New Member

Re: HTTP authentication via ACS TACACS+.

Hi Andrea,

Make sure that you have privilege level 15 for your account, as telnet can work without it, but for HTTP it's a must.

You can configure it for the group under which you have your user account, or on a per-user basis too.

Select group > Edit Settings > TACACS+ section

Check "Shell" and "Privilege level", and in the box in front of privilege level, put the number "15".

Also, if you have configured enable authentication via TACACS+, make sure under your user account you have selected the "Use CiscoSecure..." option under TACACS+ enable password if you have your account configured on ACS, or select another as appropriate.

Let me know if it helps :)

I suppose you have the "ip http authentication aaa" command configured.

New Member

Re: HTTP authentication via ACS TACACS+.

Thanks for your help.

Yes, I'm using "ip http authe aaa" and all settings seem to be ok.

Debug aaa authe/autho are ok: PASS for all, I believe!

May 22 10:30:18.014: TPLUS: Received authen response status PASS (2)

May 22 10:30:18.022: TPLUS: received authorization response for 0: PASS

Andrea.

New Member

Re: HTTP authentication via ACS TACACS+.

If you have checked "shell" and "privilege level" and set it to 15, and on the user account you are using the TACACS+ enable password appropriately, then I think you need to contact TAC, as you have set everything appropriately. In case it's an AP, then there's an option to cache the username/password during authentication, as HTTP access for an AP requires the username/password several times.

Rest seems to be okay...

Again make sure

-Shell is checked.

-Privilege level is checked and set to 15

-Under the user account, we are using the TACACS+ enable password section appropriately (it should not be "use separate password" with a blank field)
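
The router-side configuration this thread assumes, as an added example that is not part of any post above. The server address 192.0.2.10, the local user name and the bracketed secrets are placeholders, and only the default method lists are used. The privilege level 15 set on ACS reaches the router as an exec authorization attribute, so the HTTP server only sees it when exec authorization is sent to TACACS+.

```cisco
! Added example, not taken from the thread.
! 192.0.2.10, "admin", <SHARED-KEY> and <LOCAL-SECRET> are placeholders.
aaa new-model
!
! TACACS+ server (the ACS box) and the key shared with it
tacacs-server host 192.0.2.10
tacacs-server key <SHARED-KEY>
!
! Login authentication: TACACS+ first, local database only if the
! server does not answer
aaa authentication login default group tacacs+ local
!
! Exec authorization: ACS returns priv-lvl=15 here when "Shell" and
! "Privilege level" = 15 are set for the group or user
aaa authorization exec default group tacacs+ local
!
! Local fallback account at level 15 for when ACS is unreachable
username admin privilege 15 secret <LOCAL-SECRET>
!
! Web interface authenticates through AAA instead of the enable password
ip http server
ip http authentication aaa
!
! To watch a web login attempt from the router side:
!   debug aaa authentication
!   debug aaa authorization
!   debug tacacs
```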
