TACACS on HTTP/S - not working?

Greg Dent
Level 1

Hi all - having difficulty in getting TACACS to authorise logins from HTTP.

 

I have configured TACACS using the new commands, which has worked fine for CLI logins since day 1. I assumed that in order to enable the same authentication methods for the HTTP server, I would simply have to configure the command "ip http authentication aaa" when configuring the HTTP server. However, this hasn't worked and in fact doesn't allow me to login to the switch at all via the HTTP page, unless I remove that config line, so that it defaults back to enable login.

 

Here is my TACACS and HTTP config:

 

aaa new-model
aaa group server tacacs+ llacs
 server name llacs-server
 ip tacacs source-interface Vlan10
!
aaa authentication login default group llacs local
aaa authentication enable default group llacs enable none
aaa accounting commands 5 default start-stop group llacs
aaa session-id common
!
tacacs server llacs-server
 address ipv4 1x.x.x.x
 key tacacskey

!
ip http server
ip http authentication aaa
ip http secure-server

When trying to login via the HTTP interface, nothing works, unless I remove the "ip http authentication aaa" line.

 

How come it works fine for CLI, but doesn't for HTTP? Doesn't make sense!

 

Any help appreciated.

 

Thanks :)

8 Replies

Hello,

 

which IOS version are you running? There is a bug in the older 12.2(58)SE and 12.2.58S, which has been fixed in 15.0(1)SE1.

 

Either way, is this the full config? I think you also need the following:

 

ip http authentication aaa login-authentication default

ip http authentication aaa exec-authorization default

 

It's an almost brand new switch - running 2960-X version 15.2(2)E6.

 

I added those commands - thought I may have been missing something. However, they haven't helped! Still unable to login with the http authentication configured.

 

Interestingly, IOS took the command 'ip http authentication aaa login-authentication default' without difficulty, but when issuing the command 'ip http authentication aaa exec-authorization default' it gave the following message:

 

"Warning: Authorization list "default" is not defined for EXEC."

Not entirely sure what that means!

 

 

Hello,

 

the commands:

 

ip http authentication aaa exec-authorization default

aaa authorization exec default group llacs local

 

go together. Try and add the 'aaa authorization exec default group llacs local' line first and then the 'ip http authentication aaa exec-authorization default'...
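
The dependency described in this reply (and the "Authorization list "default" is not defined for EXEC" warning earlier in the thread) can be checked before the config is pushed. The following is an added example, not code from the original post or from Cisco: a small Python lint that parses the IOS lines and reports every method list the HTTP server references that no matching `aaa authentication login` / `aaa authorization exec` line defines. The sample config below is constructed from the poster's configuration.

```python
import re

# Constructed sample: the poster's config, with exec-authorization referencing
# the "default" list but no 'aaa authorization exec default ...' line present.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group llacs local
aaa authentication enable default group llacs enable none
ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
"""

# Each HTTP reference kind maps to the AAA line that must define the list.
REQUIRED = {
    "login-authentication": r"^aaa authentication login (\S+)",
    "exec-authorization": r"^aaa authorization exec (\S+)",
}

def defined_lists(lines):
    """Collect the method-list names each 'aaa ...' command defines."""
    defined = {kind: set() for kind in REQUIRED}
    for kind, pattern in REQUIRED.items():
        for line in lines:
            m = re.match(pattern, line)
            if m:
                defined[kind].add(m.group(1))
    return defined

def check_http_aaa_lists(config: str) -> list:
    """Return one warning per HTTP-referenced method list that is undefined.

    The warning text mirrors the IOS message quoted in the thread, so a
    reviewer can see which 'aaa' line is missing before the switch complains.
    """
    lines = [l.strip() for l in config.splitlines()]
    defined = defined_lists(lines)
    warnings = []
    for line in lines:
        m = re.match(r"^ip http authentication aaa (\S+) (\S+)$", line)
        if m and m.group(1) in REQUIRED:
            kind, name = m.groups()
            if name not in defined[kind]:
                warnings.append(f'{kind}: list "{name}" is not defined')
    return warnings

if __name__ == "__main__":
    for w in check_http_aaa_lists(SAMPLE_CONFIG):
        print("WARNING", w)
```

Adding `aaa authorization exec default group llacs local` to the sample makes the warning list empty, which is the state the reply above is asking for.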

I'm a little confused....

 

So I have this command already configured:

aaa authorization exec default group llacs local

 

And then I configured this:

ip http authentication aaa exec-authorization default

 

It doesn't work.

 

Are you saying I need to add them in a different order? That doesn't sound right to me.... AAA/TACACS is working fine for the CLI, so why would it matter what order I add the HTTP commands in?

Hello,

 

what do you have configured now, after adding my suggestions?

 

That said, are you trying http or https?

I've tried both HTTP and HTTPS - same issue.

 

Current config is this:

 

aaa new-model
aaa group server tacacs+ llacs
 server name llacs-server
 ip tacacs source-interface Vlan10
!
aaa authentication login default group llacs local
aaa authentication enable default group llacs enable none
aaa accounting commands 5 default start-stop group llacs
aaa session-id common
!
aaa group server tacacs+ llacs
 server name llacs-server
 ip tacacs source-interface Vlan10
!
tacacs server llacs-server
 address ipv4 x.x.x.x
 key tacacskey
!
ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server

 

Just realised your post said to config the AAA authorization commands - doh!

 

I've added that config as below, but still not working :(

 

aaa authorization exec default group llacs local

Hello,

 

something is missing. Can you post the full configuration of the switch? Also, what is the output of 'show crypto key'? You might want to zeroize whatever key is in there and create a new one...
