488 Views, 0 Helpful, 2 Replies

HTTP access using TACACS+

rkuppurao
Level 1

I use a TACACS+ server to authenticate login and enable requests on my Cisco devices. I have given the command "ip http authentication tacacs" on a Cisco 2600 running 12.0(7)T, but I am not able to log in to the router using a browser. Should I set HTTP-specific config on my TACACS+ server? If not, what should I do to make this work? Which userid/password pair should I use to log in through HTTP?

2 Replies

robert.hyde
Level 1

If you are running exec authorization, then here is your answer (if you are not running exec authorization, your problem is elsewhere):

The http interface requires level 15 access right from the get-go. By default, a telnet/console session opens at level 1. When AAA is not loaded on your box, the default mechanisms of the http interface allow it to log in at level 15. But as soon as you turn on exec authorization, the IOS will not allow the http interface to begin at level 15; it will begin at level 1 just like everyone else. The http interface doesn't work this way, so it dies.

There are two solutions:

1) Use "ip http authentication enable". With this in place, when you open an http session, you will use the enable password to authenticate. The enable password is the gateway to level 15, after all, so this works great. It drops into level 15 and everyone is happy.

OR

2) On your tacacs+ server, configure the user/group so that they are automatically dropped into level 15 when they telnet in. "priv-lvl=15" is generally how it is entered. These are the only two solutions to this issue.

Good luck!
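The two solutions in the reply above, written out as configuration, as an added example that is not part of the original thread. The router side is a minimal IOS AAA configuration in the later "group tacacs+" syntax (on 12.0(7)T the keyword form may differ; check "aaa authentication login ?" on the box); the server side assumes a Shrubbery-style tac_plus configuration file, since the reply only says the attribute is "generally" entered as "priv-lvl=15" and vendor servers such as Cisco Secure ACS set the same attribute through their own interface. The hostnames, addresses, key, usernames and group name are constructed placeholders.

```text
! ---- Router (IOS): AAA against TACACS+, assumed already in place per the question ----
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key CONSTRUCTED-SHARED-KEY
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
! exec authorization is what forces the HTTP session to start at level 1
aaa authorization exec default group tacacs+ if-authenticated
!
! Solution 1: authenticate the HTTP interface with the enable password only.
! Every browser login shares one secret, so per-user accountability is lost.
ip http server
ip http authentication enable
!
! Solution 2: keep the command from the question and fix the privilege level
! on the TACACS+ side instead (the server then returns priv-lvl=15 for the
! exec service, so the HTTP session starts at level 15).
! ip http authentication tacacs

# ---- TACACS+ server (tac_plus style, constructed example) ----
key = CONSTRUCTED-SHARED-KEY

group = routeradmins {
    default service = permit
    service = exec {
        # what the reply calls "priv-lvl=15": drop members straight into level 15
        priv-lvl = 15
    }
}

user = netadmin1 {
    member = routeradmins
    login = des "PLACEHOLDER-DES-HASH"
}
```

With solution 2 the browser login uses the same userid/password pair as telnet, and only members of the group that carries priv-lvl = 15 will get a working HTTP session; everyone else still lands at level 1 and fails as the reply describes. Either way the credentials cross the wire in clear text over plain HTTP, which is the usual reason to restrict "ip http server" to management addresses with an access class, or to prefer the HTTPS server ("ip http secure-server") on IOS releases that have it.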