Cisco Support Community
Community Member

TACACS on HTTP/S - not working?

Hi all - having difficulty in getting TACACS to authorise logins from HTTP.

 

I have configured TACACS using the new commands, which has worked fine for CLI logins since day 1. I assumed that in order to enable the same authentication methods for the HTTP server, I would simply have to configure the command "ip http authentication aaa" when configuring the HTTP server. However, this hasn't worked and in fact doesn't allow me to log in to the switch at all via the HTTP page, unless I remove that config line, so that it defaults back to enable login.

 

Here is my TACACS and HTTP config:

 

aaa new-model
aaa group server tacacs+ llacs
 server name llacs-server
 ip tacacs source-interface Vlan10
!
aaa authentication login default group llacs local
aaa authentication enable default group llacs enable none
aaa accounting commands 5 default start-stop group llacs
aaa session-id common
!
tacacs server llacs-server
 address ipv4 1x.x.x.x
 key tacacskey

!
ip http server
ip http authentication aaa
ip http secure-server

When trying to log in via the HTTP interface, nothing works, unless I remove the "ip http authentication aaa" line.

How come it works fine for CLI, but doesn't for HTTP? Doesn't make sense!

 

Any help appreciated.

 

Thanks :)

8 REPLIES
VIP Purple

Re: TACACS on HTTP/S - not working?

Hello,

 

Which IOS version are you running? There is a bug in the older 12.2(58)SE and 12.2.58S, which has been fixed in 15.0(1)SE1.

Either way, is this the full config? I think you also need the following:

 

ip http authentication aaa login-authentication default

ip http authentication aaa exec-authorization default

 

Community Member

Re: TACACS on HTTP/S - not working?

It's an almost brand new switch - running 2960-X version 15.2(2)E6.

 

I added those commands - thought I may have been missing something. However, they haven't helped! Still unable to log in with the http authentication configured.

 

Interestingly, IOS took the command 'ip http authentication aaa login-authentication default' without difficulty, but when issuing the command 'ip http authentication aaa exec-authorization default' it gave the following message:

 

"Warning: Authorization list "default" is not defined for EXEC."

Not entirely sure what that means!

 

 

VIP Purple

Re: TACACS on HTTP/S - not working?

Hello,

 

The commands:

 

ip http authentication aaa exec-authorization default

aaa authorization exec default group llacs local

 

go together. Try and add the 'aaa authorization exec default group llacs local' line first and then the 'ip http authentication aaa exec-authorization default'...
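
An added example, not part of any reply in this thread: a small offline check that every method list referenced by the 'ip http authentication aaa login-authentication' and 'exec-authorization' lines has a matching 'aaa authentication login' or 'aaa authorization exec' definition, which is the condition behind the "Authorization list ... is not defined for EXEC" warning quoted above. The function names are hypothetical and the sample is constructed from the configuration posted in the thread.

```python
import re

# Constructed sample: the thread's posted config, with the two HTTP lines
# added but no 'aaa authorization exec' line yet (address and key omitted).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ llacs
 server name llacs-server
!
aaa authentication login default group llacs local
aaa authentication enable default group llacs enable none
!
ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server
"""

# HTTP keyword -> global AAA command that must define the referenced list.
HTTP_TO_AAA = {
    "login-authentication": "aaa authentication login",
    "exec-authorization": "aaa authorization exec",
}

def defined_lists(config, aaa_prefix):
    """Return the method-list names defined with the given AAA command."""
    pattern = re.compile(r"^" + re.escape(aaa_prefix) + r"[ \t]+(\S+)[ \t]+\S", re.M)
    return set(pattern.findall(config))

def undefined_http_lists(config):
    """Return (http keyword, list name) pairs whose list is never defined."""
    missing = []
    ref = re.compile(r"^ip http authentication aaa (\S+)[ \t]+(\S+)[ \t]*$", re.M)
    for keyword, name in ref.findall(config):
        aaa_prefix = HTTP_TO_AAA.get(keyword)
        if aaa_prefix is None:
            continue  # keywords not discussed in the thread are not checked
        if name not in defined_lists(config, aaa_prefix):
            missing.append((keyword, name))
    return missing

if __name__ == "__main__":
    for keyword, name in undefined_http_lists(SAMPLE_CONFIG):
        print(f"{keyword} {name}: no '{HTTP_TO_AAA[keyword]} {name}' line found")
```

A clean result only shows that the referenced lists exist in the saved configuration; it does not test the TACACS+ server or the HTTP login itself.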

Community Member

Re: TACACS on HTTP/S - not working?

I'm a little confused....

 

So I have this command already configured:

aaa authorization exec default group llacs local

 

And then I configured this:

ip http authentication aaa exec-authorization default

 

It doesn't work.

Are you saying I need to add them in a different order? That doesn't sound right to me.... AAA/TACACS is working fine for the CLI, so why would it matter what order I add the HTTP commands in?

VIP Purple

Re: TACACS on HTTP/S - not working?

Hello,

 

What do you have configured now, after adding my suggestions?

That said, are you trying http or https?

Community Member

Re: TACACS on HTTP/S - not working?

I've tried both HTTP and HTTPS - same issue.

 

Current config is this:

 

aaa new-model
aaa group server tacacs+ llacs
 server name llacs-server
 ip tacacs source-interface Vlan10
!
aaa authentication login default group llacs local
aaa authentication enable default group llacs enable none
aaa accounting commands 5 default start-stop group llacs
aaa session-id common
!
aaa group server tacacs+ llacs
 server name llacs-server
 ip tacacs source-interface Vlan10
!
tacacs server llacs-server
 address ipv4 x.x.x.x
 key tacacskey
!
ip http server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
ip http secure-server

 

Community Member

Re: TACACS on HTTP/S - not working?

Just realised your post said to config the AAA authorization commands - doh!

 

I've added that config as below, but still not working :(

 

aaa authorization exec default group llacs local

VIP Purple

Re: TACACS on HTTP/S - not working?

Hello,

 

Something is missing. Can you post the full configuration of the switch? Also, what is the output of 'show crypto key'? You might want to zeroize whatever key is in there and create a new one...
