Cisco Support Community
New Member

AD Authentication for switch/router login

Not sure if this is the right forum for this or not.

I have successfully set up a switch to authenticate against an AD group for telnet login, then use an enable password shared by the three people in the group.

I'd like to set up ip http server the same way, but can't seem to get it to work. I used "ip http authentication aaa", but no dice, as I do not have a local aaa.

Any advice is greatly appreciated!

1 ACCEPTED SOLUTION

Accepted Solutions

Re: AD Authentication for switch/router login

HTTP Authentication requires Level-15 privileges so the user needs to have this by default. You can achieve this by passing a Cisco-AV-Pair from the Radius Server to the IOS device. The Cisco-AV-Pair is sent as a string as part of the Authentication Accept, for Level-15 privilege this is:

shell:priv-lvl=15

Bear in mind that if you use the same authentication method for telnet or SSH then your users will automatically be at Level-15 privilege level.

I use this with MS IAS and have two policies defined that check for Windows Group Membership; one group has Level-15 access, the others don't.

HTH

Andy
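
What the switch receives when such a policy matches, shown as an added example (not from the original thread or from Cisco): the Cisco-AV-Pair travels in the RADIUS Access-Accept as a Vendor-Specific attribute (type 26, vendor ID 9, vendor type 1). The code encodes one and reads the granted privilege level back out, which is useful when auditing captured Accepts for unexpected level-15 grants; the sample packets, the zeroed authenticator and the help-desk level of 1 are constructed assumptions.

```python
import struct

CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco
VSA_TYPE = 26         # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_AVPAIR = 1      # Cisco vendor type 1 = cisco-avpair
ACCESS_ACCEPT = 2     # RADIUS code for Access-Accept

def build_avpair(value: str) -> bytes:
    """Encode one Cisco-AV-Pair string as a Vendor-Specific attribute."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", VSA_TYPE, 6 + len(sub), CISCO_VENDOR_ID) + sub

def build_accept(identifier: int, attrs: bytes) -> bytes:
    """Constructed sample only: the authenticator is zeroed, not computed."""
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, identifier,
                         20 + len(attrs), b"\0" * 16)
    return header + attrs

def cisco_avpairs(packet: bytes) -> list[str]:
    """Return every Cisco-AV-Pair string carried in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    pairs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        body = packet[pos + 2:pos + alen]
        if atype == VSA_TYPE and len(body) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if (vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR
                    and 2 <= vlen <= len(body) - 4):
                pairs.append(body[6:4 + vlen].decode("ascii", "replace"))
        pos += alen
    return pairs

def granted_priv_level(packet: bytes):
    """Privilege level an Access-Accept grants via shell:priv-lvl, else None."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    for pair in cisco_avpairs(packet):
        name, _, val = pair.partition("=")
        if name == "shell:priv-lvl" and val.isdigit():
            return int(val)
    return None

# Constructed samples: an admin-group Accept and a hypothetical help-desk Accept.
ADMIN = build_accept(1, build_avpair("shell:priv-lvl=15"))
HELPDESK = build_accept(2, build_avpair("shell:priv-lvl=1"))
```
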

14 REPLIES
Gold

Re: AD Authentication for switch/router login

post your current AAA config sections.

Cisco Employee

Re: AD Authentication for switch/router login

Please paste the device config. Also let us know where the radius server is located.

-amit singh

New Member

Re: AD Authentication for switch/router login

Here we go.

Thanks for the help.

Re: AD Authentication for switch/router login

New Member

Re: AD Authentication for switch/router login

OK, looks good. I am going to make a couple of assumptions here:

I have updated the 3560 I'm using for test to the latest IOS available for it (12.2.25-SEE4)

so I am going to follow the "HTTP V1.1 Server - Before Cisco Bug ID CSCeb82510"

and do this:

    aaa new-model
    aaa authentication login CONSOLEandHTTP radius local
    aaa authorization exec CONSOLEandHTTP radius local
    !
    ip http authentication aaa
    !
    line con 0
     login authentication CONSOLEandHTTP
     authorization exec CONSOLEandHTTP

Where "CONSOLEandHTTP" is replaced by my TRAuthList.

Does this sound correct? Fortunately this is a test switch sitting in my office, so I'm unconcerned if I have to wipe it. :)

Thanks

New Member

Re: AD Authentication for switch/router login

OK, I tried what I said above.

I'm still failing on http, but think I'm very very close. I attached the debug I did on ip http, and an updated config.

Many thanks for all the help on what is really a not-very-important issue, but helps me enormously locally.

New Member

Re: AD Authentication for switch/router login

ding ding ding.

That did the trick. I almost thought it hadn't, then realized I had gone back to ip http authentication enable. Changed it back to triple-a, and bingo.

Ultimately my config turned out as attached.

Very helpful.

I'd be curious how you have your groups and access levels configured, as I would still like to be able to give the help-desk folks the ability to check port configs for vlan access, speed/duplex settings, etc.

Thanks very much to all for your help.

Re: AD Authentication for switch/router login

I don't think it's possible to have different privilege levels with HTTP Authentication. You could probably do it with AAA Authorisation but you would need ACS and then command-sets associated with users/groups. I have never configured this though, however it looks like there are commands available in IOS (for a 3550 I have at least) for this:

    switch(config)#ip http authentication aaa ?
      command-authorization  Set method list for command authorization
      exec-authorization     Set method list for exec authorization
      login-authentication   Set method list for login authentication

Andy

New Member

Re: AD Authentication for switch/router login

No, I don't think with HTTP there's any choice. But an ability to at least get them telnet access to basic information would be good.

I've looked at those commands some, but haven't played with them yet.

Re: AD Authentication for switch/router login

Hi,

If you are looking for an ability to let users issue some specific commands then you need to use tacacs instead of radius.

With tacacs/acs you can control what commands any user can issue, which will give you total control over users.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/c.htm#wp697557

Regards,

~JG

New Member

Re: AD Authentication for switch/router login

How did you configure the shell:priv-lvl=15 to IAS?

Thanks

Re: AD Authentication for switch/router login

Hi,

Check out this attachment. It explains all about your query.

Regards,

~JG

New Member

Re: AD Authentication for switch/router login

Wow. Cal, that is a really nice guide.

Once the fine folks here pointed me in the right direction, I went to IAS, highlighted remote access policies.

Right-clicked my policy (in my case, ciscoauth) and hit properties.

Went to edit profile, then the "advanced" tab.

Add / Cisco-AV-Pair, and under attribute values hit add, and enter shell:priv-lvl=15.

HTH
