I use a TACACS+ server to authenticate login and enable requests on my Cisco devices. I have given the command "ip http authentication tacacs" on a Cisco 2600 running 12.0(7)T, but I am not able to log in to the router using a browser. Should I set HTTP-specific config on my TACACS+ server? If not, what should I do to make this work? Which userid/password pair should I use to log in through HTTP?
If you are running exec authorization, then here is your answer (if you are not running exec authorization, your problem is elsewhere):
The http interface requires level 15 access right from the get-go. By default, a telnet/console session opens at level 1. When AAA is not loaded on your box, the default mechanisms of the http interface allow it to log in at level 15. But as soon as you turn on exec authorization, the IOS will not allow the http interface to begin at 15; it will begin at level 1 just like everyone else. The http interface doesn't work this way, so it dies.
There are two solutions:
1) Use "ip http authentication enable." With this in place, when you open an http session, you will use the enable password to authenticate. The enable password is the gateway to level 15, after all, so this works great. It drops into level 15 and everyone is happy.
2) On your tacacs+ server, configure the user/group so that they are automatically dropped into level 15 when they telnet in. "priv-lvl=15" is generally how it is entered. These are the only two solutions to this issue.
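As an added illustration (not from the original thread), here is what the two fixes look like in configuration: the IOS side for solution 1 and a TACACS+ server user entry for solution 2. The server entry uses Shrubbery tac_plus syntax, and the hostnames, key, username and password hash are assumed placeholders.

```text
! --- Router side (assumed baseline AAA config; exec authorization is what triggers the problem) ---
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key TACACS_KEY_PLACEHOLDER
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
ip http server
!
! Solution 1: authenticate HTTP with the enable password instead of "ip http authentication tacacs".
! The enable credential lands the session at level 15, which the http interface requires.
ip http authentication enable
!
! Solution 2: keep "ip http authentication tacacs" on the router ...
ip http authentication tacacs

# ... and have the TACACS+ server return priv-lvl=15 in the exec authorization reply,
# so the user starts at level 15 for telnet/console and HTTP alike.
# (tac_plus.conf, assumed example; "admin" and the hash are placeholders)
user = admin {
    login = des PASSWORD_HASH_PLACEHOLDER
    service = exec {
        priv-lvl = 15
    }
}
```

Solution 2 grants level 15 at login to every session for that user, so it is worth restricting the entry to the operators who actually need full access rather than applying it to a broad group.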