AAA on WebUI 4710

I have AAA configured and working on an ACE 4710 appliance for SSH. The web interface only works with the local database. I don't see anything in the security guide about the web interface (only states telnet and ssh). Anyone else seeing this?

ACCEPTED SOLUTION

Re: AAA on WebUI 4710

Hi Collin,

It does work - I have two in our lab that I've set up for AAA and it works fine.

Check this out:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/device_manager/guide/UGadmin.html#wp1244296

I only have one local user (admin) and all others on ACS Server, using this test ACE config:

tacacs-server host 1.2.3.4 key cisco
aaa group server tacacs+ TACACS
  server 1.2.3.4
aaa authentication login default group TACACS local
aaa authentication login console none
aaa accounting default group TACACS local
aaa authentication login error-enable

ACS Server needs some special config though, which is detailed here:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wp1411787

HTH

Andrew.

5 REPLIES

Re: AAA on WebUI 4710

Andrew-

I had the correct config, except for the following line:

aaa accounting default group TACACS local

I don't understand how accounting would enable the WebUI AAA access, but it works now. Thanks.

Two ACEs in your lab? Lucky dog!
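As an added example (not code from this thread or from Cisco), the Python script below parses the flat tacacs-server / aaa lines in the form Andrew posted and audits them. The one check taken directly from this thread is that an "aaa accounting default" line must be present for WebUI AAA to work; the other checks (a login method list that references a server group whose server has no tacacs-server host entry, no "local" fallback, an unauthenticated console) go beyond the thread and are general review points for a TACACS+ setup. The two sample configs are constructed to match Andrew's working config and the variant Collin described.

```python
"""Audit an ACE-style AAA configuration for the pieces this thread found necessary.

Added example (not code from the thread or from Cisco). It parses the flat
'tacacs-server' / 'aaa ...' lines in the form Andrew posted and reports what is
missing or worth a second look. The sample configs below are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the working config from the thread (1.2.3.4 and the key
# 'cisco' are the placeholder values the post used, not real ones).
WORKING_CONFIG = """\
tacacs-server host 1.2.3.4 key cisco
aaa group server tacacs+ TACACS
  server 1.2.3.4
aaa authentication login default group TACACS local
aaa authentication login console none
aaa accounting default group TACACS local
aaa authentication login error-enable
"""

# The variant Collin described: identical except the accounting line is absent.
MISSING_ACCOUNTING = WORKING_CONFIG.replace(
    "aaa accounting default group TACACS local\n", "")


@dataclass
class AaaConfig:
    tacacs_hosts: set = field(default_factory=set)      # hosts that have a configured key
    server_groups: dict = field(default_factory=dict)   # group name -> set of server IPs
    login_methods: dict = field(default_factory=dict)   # login list -> ["group:X", "local", ...]
    accounting_methods: list = field(default_factory=list)
    error_enable: bool = False


def _methods(rest):
    """Turn 'group TACACS local' into ['group:TACACS', 'local']."""
    tokens, out, i = rest.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group:" + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def parse_aaa(text):
    cfg = AaaConfig()
    current_group = None  # set while inside an indented 'aaa group server' block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # any top-level command ends the current group block
            current_group = None
        m = re.match(r"tacacs-server host (\S+)", line)
        if m:
            cfg.tacacs_hosts.add(m.group(1))
            continue
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            current_group = m.group(1)
            cfg.server_groups.setdefault(current_group, set())
            continue
        m = re.match(r"server (\S+)", line)
        if m and current_group is not None:
            cfg.server_groups[current_group].add(m.group(1))
            continue
        if line == "aaa authentication login error-enable":
            cfg.error_enable = True
            continue
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            cfg.login_methods[m.group(1)] = _methods(m.group(2))
            continue
        m = re.match(r"aaa accounting default (.+)", line)
        if m:
            cfg.accounting_methods = _methods(m.group(1))
    return cfg


def audit(cfg):
    """Return (code, message) findings; an empty list means nothing to flag."""
    findings = []
    login = cfg.login_methods.get("default")
    if not login:
        findings.append(("NO_LOGIN_DEFAULT", "no 'aaa authentication login default' method list"))
    else:
        groups = [m.split(":", 1)[1] for m in login if m.startswith("group:")]
        if not groups:
            findings.append(("NO_SERVER_GROUP", "default login does not use a AAA server group"))
        for g in groups:
            servers = cfg.server_groups.get(g)
            if servers is None:
                findings.append(("UNDEFINED_GROUP", f"login references undefined server group '{g}'"))
            elif not servers:
                findings.append(("EMPTY_GROUP", f"server group '{g}' has no servers"))
            else:
                for s in sorted(servers - cfg.tacacs_hosts):
                    findings.append(("SERVER_NO_KEY",
                                     f"group '{g}' server {s} has no 'tacacs-server host' entry, so no shared key"))
        if "local" not in login:
            findings.append(("NO_LOCAL_FALLBACK",
                             "default login has no 'local' fallback for when TACACS+ is unreachable"))
    if not cfg.accounting_methods:
        findings.append(("NO_ACCOUNTING",
                         "no 'aaa accounting default'; in this thread WebUI AAA did not work until it was added"))
    if cfg.login_methods.get("console") == ["none"]:
        findings.append(("CONSOLE_NONE",
                         "console login is 'none' (unauthenticated); confirm physical access is controlled"))
    if not cfg.error_enable:
        findings.append(("NO_ERROR_ENABLE", "'aaa authentication login error-enable' is not set"))
    return findings


if __name__ == "__main__":
    for name, text in (("working", WORKING_CONFIG), ("missing accounting", MISSING_ACCOUNTING)):
        print(f"== {name}")
        for code, msg in audit(parse_aaa(text)):
            print(f"  {code}: {msg}")
```

Run against the working config it reports only the unauthenticated console as a review item; against the variant without the accounting line it also reports NO_ACCOUNTING. The parser only understands the handful of command shapes shown in the thread, so extend the regexes before pointing it at a full running-config.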

Re: AAA on WebUI 4710

That wouldn't be the first bit of CLI weirdness - I need two ACEs to validate that the FT works, and I've yet to have an explanation of why I need to change the native VLAN to get FT working....

Andrew.

Re: AAA on WebUI 4710

I had some trouble with FT as well and opened a case up. I was configuring FT as below:

interface gigabitEthernet 1/3
  description FT Access Port
  speed 100M
  duplex FULL
  ft-port vlan 200
  no shutdown

I was receiving a ton of errors on my switch ports. I hard set everything, auto everything, and still a bunch of errors. I then tried to trunk on my switch ports and they came up just fine. In the WebUI I could not set the port to trunk or switch (both grayed out) and I got an error stating it was an FT port and you can't configure it. After some more troubleshooting, we found out that the ft-port command forces the port into trunk mode (TAC wanted the port in switchport mode). By removing the ft-port command, you can set the port to switchport and set it to whatever VLAN you want. Here is my current working port config:

interface gigabitEthernet 1/3
  description FT Access Port
  speed 100M
  duplex FULL
  switchport access vlan 200
  no shutdown

When I asked for an explanation, they stated that the ft-port command forces it to trunk, and that the option is there in case you want to trunk your FT traffic with your data traffic!

Re: AAA on WebUI 4710

Exactly my issue too, which begs the question of what the "ft-port" command actually does if you don't need it to get FT working...

Andrew.
