Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

HTTP access using TACACS+

i use a TACACS+ server to authenticate login and enable requests on my cisco devices. i have given the command "ip http authentication tacacs" on a cisco 2600 running 12.0(7)T, but i am not able to login to the router using a browser. should i set HTTP specific config on my TACACS+ server ? if not so, what should i do to make this work ? which userid/password pair should i use to login through HTTP ?

2 REPLIES
New Member

Re: HTTP access using TACACS+

New Member

Re: HTTP access using TACACS+

If you are running exec authorization, then here is your answer (if you are not running exec authorization, your problem is elsewhere):

The http interface requires level 15 access right from the get-go. By default, a telnet/console session opens at level 1. When AAA is not loaded on your box, the default mechanisms of the http interface allow it to log in at level 15. But as soon as you turn on exec authorization, the IOS will not allow the http interface to begin it 15; it will begin at level 1 just like everyone else. The http interface doesn't work this way so it dies.

There are two solutions:

1) Use "ip http authentication enable." With this in place, when you open an http session, you will use the enable password to authenticate. The enable password is the gateway to level 15, after all, so this works great. It drops into level 15 and everyone is happy.

OR

2) On your tacacs+ server, configure the user/group so that they are automatically dropped into level 15 when they telnet in. "priv-lvl=15" is generally how it is entered. These are the only two solutions to this issue.

Good luck!

95
Views
0
Helpful
2
Replies