Solved: HTTP authentication

Joseph.Rehling · ‎03-20-2012

I am trying to get AAA authentication for HTTP to use radius, and seem to be having problems with setting the priviledge level. It works fine with SSH login, but doesn't work with web management. The model is a WS-CBS3130X-S-F running 12.2(58)SE1 with http version 1.001.002...

Config is as follows:

aaa new-model

aaa authentication login VTYSandHTTP group radius local

aaa authorization exec VTYSandHTTP group radius local

ip http server

ip http authentication aaa login-authentication VTYSandHTTP

ip http authentication aaa exec-authorization VTYSandHTTP

ip http secure-server

radius server <Server Name>

address ipv4 <IP of Server> auth-port 1645 acct-port 1646

key <Key>

line vty 0 4

authorization exec VTYSandHTTP

login authentication VTYSandHTTP

transport input ssh

line vty 5 15

authorization exec VTYSandHTTP

login authentication VTYSandHTTP

transport input ssh

This is what I get when I try to log on to HTTP

HTTP AAA Login-Authentication List name: VTYSandHTTP

HTTP: Authentication failed for level 15

Dev Vishwakarma · ‎03-22-2012

Joseph,

Your configuration is absolutely correct. However, you are hitting a bug on 12.2(58)SE train,

CSCtq55319 ip http authentication aaa does not work

duplicated by

CSCtq94595 HTTP AAA Authentication does not work any more after upgrade to 12.2.58S

In order to fix this, please upgrade to 15.0(1)SE1.

Note: You need to also ensure the RADIUS server is sending the "shell:priv-lvl=15" in cisco-av-pair for this to work.

Regards,

Dev

View solution in original post

Dev Vishwakarma · ‎03-22-2012

Joseph,

Your configuration is absolutely correct. However, you are hitting a bug on 12.2(58)SE train,

CSCtq55319 ip http authentication aaa does not work

duplicated by

CSCtq94595 HTTP AAA Authentication does not work any more after upgrade to 12.2.58S

In order to fix this, please upgrade to 15.0(1)SE1.

Note: You need to also ensure the RADIUS server is sending the "shell:priv-lvl=15" in cisco-av-pair for this to work.

Regards,

Dev

Joseph.Rehling · ‎03-22-2012

Really appreciate the information. Calling support since the 3130 does not show a anything other than the 12.2 train. It does not look like 15.0(1)SE1 is released. If it is, it is not available to me to be downloaded.

Joseph.Rehling · ‎03-26-2012

A couple of additional notes. At this time, 15.0 (any flavor) is not released for the 3130 switches. However, I downloaded 12.2(55)SE5, which was released a month or two ago, and it appears to be working for this issue. The only issue I would note is that 12.2(58)SE1 wants newer commands that will not work if you roll back. You need to make sure you know a local account to get back in, or you can use the legacy commands with 12.2(58)SE1 that will work with 12.2(55)SE5 as well.

For example:

The following will not work on 12.2(55)SE5

radius server

address ipv4 auth-port 1645 acct-port 1646

key

The following will work on both.

radius-server auth-port 1645 acct-port 1646 key

You get an error on 12.2.(58)SE1 telling you that this command is depreciated, but it works fine for both 12.2(58)SE1 and 12.2(55)SE5