350 IOS HTTP authentication using RADIUS not TACACS

candv
Level 1

I am trying to get "ip http authentication aaa" to work on a 350/1200 IOS wireless access point using RADIUS (using ACS 3.2 and Cisco IOS/PIX RADIUS Attributes).

I can get the 350 VxWorks to work by adding

"aironet:admin-capability=write+snmp+ident+firmware+admin"

to the ACS server.

I can get CLI authentication to the IOS 350 by adding

"shell:priv-lvl=15"

but am having no luck with RADIUS authenticating.

I have been able to use TACACS+ to do ip http authentication, but I want to use RADIUS. Does anyone know where I am going wrong? When I look on the ACS server it doesn't fail (it passes authentication); it just seems like there is something weird happening with enable level 15. I have removed the local authentication. I think I am not passing the correct attributes, even though debugging does pass username etc. correctly.

thanks

1 Reply

pradeepde
Level 5

The following are the steps I followed, and it's working fine for me:

On the AP

1. Setup -> security -> Authentication Server - Make sure that User Authentication is checked.

2. Setup -> security -> User Information -- Add a user

3. Setup -> security -> User Manager -- Enable user manager

On the ACS

1. Setup a group

2. Look for "Cisco IOS/PIX RADIUS Attributes", which will not show unless you have an AAA client authenticate using the 'radius (cisco ios/pix)'

3. Check "[009\001] cisco-av-pair"

4. Add "aironet:admin-capability=write+snmp+ident+firmware+admin"

5. Add a user in that group
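Added example, not part of either post above: the "[009\001] cisco-av-pair" setting is a RADIUS Vendor-Specific attribute (type 26) carrying vendor ID 9, sub-attribute 1, so the attribute section of a captured Access-Accept can be parsed to confirm which av-pairs the server really returns and which admin capabilities they grant. The function names and the sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute type (RFC 2865)
CISCO_VENDOR_ID = 9    # the "009" in "[009\001] cisco-av-pair"
CISCO_AV_PAIR = 1      # the "001" vendor sub-attribute

def encode_av_pair(value: str) -> bytes:
    """Wrap one av-pair string in a Cisco VSA, as a RADIUS server would send it."""
    data = value.encode("ascii")
    body = struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AV_PAIR, len(data) + 2]) + data
    if len(body) + 2 > 255:
        raise ValueError("av-pair too long for a single RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def cisco_av_pairs(attrs: bytes) -> list:
    """Walk the attribute section of a RADIUS packet and return cisco-av-pair strings."""
    found, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = attrs[i], attrs[i + 1]
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4  # sub-attributes start after the 4-byte vendor ID
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed Cisco sub-attribute")
            if vtype == CISCO_AV_PAIR:
                found.append(value[j + 2:j + vlen].decode("ascii", "replace"))
            j += vlen
    return found

def admin_capabilities(pairs) -> set:
    """Capabilities granted by an aironet:admin-capability av-pair, if present."""
    for pair in pairs:
        name, _, value = pair.partition("=")
        if name == "aironet:admin-capability":
            return set(value.split("+"))
    return set()

# Constructed sample: Reply-Message (type 18) followed by the thread's two av-pairs.
SAMPLE_ATTRS = (bytes([18, 4]) + b"ok"
                + encode_av_pair("shell:priv-lvl=15")
                + encode_av_pair("aironet:admin-capability=write+snmp+ident+firmware+admin"))

if __name__ == "__main__":
    pairs = cisco_av_pairs(SAMPLE_ATTRS)
    print(pairs, sorted(admin_capabilities(pairs)))
```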
