IOS APs - Radius Admin Authentication via CLI AND web?

Hi all - I'm wondering if anyone has had luck with setting up administrative authentication to an IOS wireless access point, using some sort of Radius server... and allowing both authentication via the CLI AND web?

I ask because I'm having difficulty with the web piece in particular. I'm running TACACS on Radiator (http://www.open.com.au/radiator/technical.html) and having difficulty getting TACACS to respond correctly. According to the TACACS logs, it responds with an "Access-Accept", and in the AP debugs I see a "PASS", but the web interface keeps prompting me for login credentials regardless.

I've been trying to find tips online, but everything I have read makes me think that admin authentication via the web interface may not be possible.

2 REPLIES
New Member

Re: IOS APs - Radius Admin Authentication via CLI AND web?

Just for kicks, I'm including some debug info:

AP Debug:
--------
*Mar 1 00:06:13.946: AAA/AUTHEN/LOGIN (00000000): Pick method list 'tacadmin'
*Mar 1 00:06:13.946: TPLUS: Queuing AAA Authentication request 0 for processing
*Mar 1 00:06:13.946: TPLUS: processing authentication start request id 0
*Mar 1 00:06:13.946: TPLUS: Authentication start packet created for 0(UserPIN033)
*Mar 1 00:06:13.946: TPLUS: Using server 169.6.10.205
*Mar 1 00:06:13.948: TPLUS(00000000)/0/NB_WAIT/A41EA4: Started 5 sec timeout
*Mar 1 00:06:13.948: TPLUS(00000000)/0/NB_WAIT: socket event 2
*Mar 1 00:06:13.949: TPLUS(00000000)/0/NB_WAIT: wrote entire 27 bytes request
*Mar 1 00:06:13.949: TPLUS(00000000)/0/READ: socket event 1
*Mar 1 00:06:13.949: TPLUS(00000000)/0/READ: Would block while reading
*Mar 1 00:06:13.952: TPLUS(00000000)/0/READ: socket event 1
*Mar 1 00:06:13.952: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*Mar 1 00:06:13.952: TPLUS(00000000)/0/READ: socket event 1
*Mar 1 00:06:13.952: TPLUS(00000000)/0/READ: read entire 28 bytes response
*Mar 1 00:06:13.952: TPLUS(00000000)/0/A41EA4: Processing the reply packet
*Mar 1 00:06:13.952: TPLUS: Received authen response status GET_PASSWORD (8)
*Mar 1 00:06:13.953: TPLUS: Queuing AAA Authentication request 0 for processing
*Mar 1 00:06:13.954: TPLUS: processing authentication continue request id 0
*Mar 1 00:06:13.954: TPLUS: Authentication continue packet generated for 0
*Mar 1 00:06:13.954: TPLUS(00000000)/0/WRITE/A41EA4: Started 5 sec timeout
*Mar 1 00:06:13.954: TPLUS(00000000)/0/WRITE: wrote entire 28 bytes request
*Mar 1 00:06:13.998: TPLUS(00000000)/0/READ: socket event 1
*Mar 1 00:06:13.998: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*Mar 1 00:06:13.998: TPLUS(00000000)/0/READ: socket event 1
*Mar 1 00:06:13.998: TPLUS(00000000)/0/READ: read entire 18 bytes response
*Mar 1 00:06:13.998: TPLUS(00000000)/0/A41EA4: Processing the reply packet
*Mar 1 00:06:13.998: TPLUS: Received authen response status PASS (2)
*Mar 1 00:06:14.000: AAA/AUTHOR (0x0): Pick method list 'tacadmin'
*Mar 1 00:06:14.000: TPLUS: Queuing AAA Authorization request 0 for processing
*Mar 1 00:06:14.000: TPLUS: processing authorization request id 0
*Mar 1 00:06:14.001: TPLUS: Inappropriate protocol: 23
*Mar 1 00:06:14.001: TPLUS: Sending AV service=shell
*Mar 1 00:06:14.001: TPLUS: Sending AV cmd*
*Mar 1 00:06:14.001: TPLUS: Authorization request created for 0(UserPIN033)
*Mar 1 00:06:14.002: TPLUS: Using server 169.6.10.205
*Mar 1 00:06:14.002: TPLUS(00000000)/0/NB_WAIT/BBB9BC: Started 5 sec timeout
*Mar 1 00:06:14.004: TPLUS(00000000)/0/NB_WAIT: socket event 2
*Mar 1 00:06:14.004: TPLUS(00000000)/0/NB_WAIT: wrote entire 46 bytes request
*Mar 1 00:06:14.004: TPLUS(00000000)/0/READ: socket event 1
*Mar 1 00:06:14.004: TPLUS(00000000)/0/READ: Would block while reading
*Mar 1 00:06:14.008: TPLUS(00000000)/0/READ: socket event 1
*Mar 1 00:06:14.008: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 39 bytes data)
*Mar 1 00:06:14.008: TPLUS(00000000)/0/READ: socket event 1
*Mar 1 00:06:14.008: TPLUS(00000000)/0/READ: read entire 51 bytes response
*Mar 1 00:06:14.008: TPLUS(00000000)/0/BBB9BC: Processing the reply packet
*Mar 1 00:06:14.009: TPLUS (00000000): Got response service = INVALID value Converted to NO_TYPE
*Mar 1 00:06:14.009: TPLUS: Processed AV service=shell cmd* {priv-lvl=15}
*Mar 1 00:06:14.009: TPLUS: received authorization response for 0: PASS

New Member

Re: IOS APs - Radius Admin Authentication via CLI AND web?

TACACS Log:
----------
Fri Nov 14 01:47:15 2008: DEBUG: TacacsPlus request packet dump:
Fri Nov 14 01:47:15 2008: DEBUG: Decrypting TacacsPlus request
Fri Nov 14 01:47:15 2008: DEBUG: TacacsPlus request decrypted body:
Fri Nov 14 01:47:15 2008: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 0, 0, UserPIN033, , , 2, service=shell cmd*
Fri Nov 14 01:47:15 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , service=shell cmd* {priv-lvl=15}
Fri Nov 14 01:47:15 2008: DEBUG: TacacsplusConnection disconnected from 10.0.0.2:11002
Fri Nov 14 01:47:30 2008: DEBUG: New TacacsplusConnection created for 10.0.0.2:11003
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 3660886178, 15
Fri Nov 14 01:47:30 2008: DEBUG: TacacsPlus request packet dump:
Fri Nov 14 01:47:30 2008: DEBUG: Decrypting TacacsPlus request
Fri Nov 14 01:47:30 2008: DEBUG: TacacsPlus request decrypted body:
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for UserPIN033, ,
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 3660886178, 16
Fri Nov 14 01:47:30 2008: DEBUG: TacacsPlus request packet dump:
Fri Nov 14 01:47:30 2008: DEBUG: Decrypting TacacsPlus request
Fri Nov 14 01:47:30 2008: DEBUG: TacacsPlus request decrypted body:
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authentication CONTINUE 0, ********,
Fri Nov 14 01:47:30 2008: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <223><139>s<145>"l<152><147>S<141><165><226>$<137><11>P
Attributes:
NAS-IP-Address = 10.0.0.2
Service-Type = Login-User
User-Name = "UserPIN033"
User-Password = ********
Acc-Service-Profile = "II"
Fri Nov 14 01:47:30 2008: DEBUG: Handling request with Handler 'Acc-Service-Profile=II'
Fri Nov 14 01:47:30 2008: DEBUG: Rewrote user name to UserPIN033
Fri Nov 14 01:47:30 2008: DEBUG: Deleting session for UserPIN033, 10.0.0.2,
Fri Nov 14 01:47:30 2008: INFO: AuthADAM handle_request: Received from 10.0.0.2 port 11003
Fri Nov 14 01:47:30 2008: DEBUG: STEP1: completed; bound to LDAP as utility user
Fri Nov 14 01:47:30 2008: DEBUG: STEP2: completed; have distinguished name of user.
Fri Nov 14 01:47:30 2008: DEBUG: STEP3: completed; bound to LDAP as user.
Fri Nov 14 01:47:30 2008: DEBUG: STEP4: found user in group II-IIRNetwork-OPS
Fri Nov 14 01:47:30 2008: DEBUG: STEP4: completed; searched 1 groups for user membership.
Fri Nov 14 01:47:30 2008: DEBUG: AuthBy ADAM result: ACCEPT,
Fri Nov 14 01:47:30 2008: DEBUG: Access accepted for UserPIN033
Fri Nov 14 01:47:30 2008: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: <223><139>s<145>"l<152><147>S<141><165><226>$<137><11>P
Attributes:
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection result Access-Accept
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection disconnected from 10.0.0.2:11003
Fri Nov 14 01:47:30 2008: DEBUG: New TacacsplusConnection created for 10.0.0.2:11004
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection request 192, 2, 1, 0, 409174207, 34
Fri Nov 14 01:47:30 2008: DEBUG: TacacsPlus request packet dump:
Fri Nov 14 01:47:30 2008: DEBUG: Decrypting TacacsPlus request
Fri Nov 14 01:47:30 2008: DEBUG: TacacsPlus request decrypted body:
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authorization REQUEST 1, 1, 0, 0, UserPIN033, , , 2, service=shell cmd*
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , service=shell cmd* {priv-lvl=15}
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection disconnected from 10.0.0.2:11004
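As an added example (not part of this thread, and not Cisco or Radiator code), the Python below reads a trimmed copy of the two logs posted in the replies above, the AP's debug output and Radiator's TacacsplusConnection lines, summarises each side's view of the same login, and cross-checks them. The status tables are the TACACS+ wire values from RFC 8907, which is what Radiator's numeric fields are (Authentication REPLY 5 = GETPASS, REPLY 1 = PASS, Authorization RESPONSE 1 = PASS_ADD); IOS prints its own internal names and numbers such as "PASS (2)", which are not the wire values. The AaaSummary class, the field names and the reconcile() findings are my own constructions, and the embedded sample lines are copied from the thread and labelled as such.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# TACACS+ wire status codes (RFC 8907). Radiator logs these raw numbers; IOS
# "debug tacacs" prints its own names/numbers, e.g. "PASS (2)", not the wire values.
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}
AUTHOR_STATUS = {1: "PASS_ADD", 2: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}

# Constructed sample input: lines copied from the AP debug and the Radiator
# log posted in this thread, trimmed to the ones the parser keys on.
AP_DEBUG = """\
*Mar 1 00:06:13.946: AAA/AUTHEN/LOGIN (00000000): Pick method list 'tacadmin'
*Mar 1 00:06:13.946: TPLUS: Authentication start packet created for 0(UserPIN033)
*Mar 1 00:06:13.952: TPLUS: Received authen response status GET_PASSWORD (8)
*Mar 1 00:06:13.998: TPLUS: Received authen response status PASS (2)
*Mar 1 00:06:14.001: TPLUS: Inappropriate protocol: 23
*Mar 1 00:06:14.009: TPLUS: Processed AV service=shell cmd* {priv-lvl=15}
*Mar 1 00:06:14.009: TPLUS: received authorization response for 0: PASS
"""
RADIATOR_LOG = """\
Fri Nov 14 01:47:30 2008: DEBUG: New TacacsplusConnection created for 10.0.0.2:11003
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for UserPIN033, ,
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Fri Nov 14 01:47:30 2008: DEBUG: TacacsplusConnection Authorization RESPONSE 1, , , service=shell cmd* {priv-lvl=15}
"""

@dataclass
class AaaSummary:
    """One side's view of a TACACS+ admin login: who, where, final outcomes."""
    user: Optional[str] = None
    nas: Optional[str] = None             # only visible on the server side
    authen_list: Optional[str] = None     # IOS method list picked for login
    authen_result: Optional[str] = None   # last authentication status seen
    author_result: Optional[str] = None
    priv_lvl: Optional[int] = None
    warnings: List[str] = field(default_factory=list)

def parse_ap_debug(text: str) -> AaaSummary:
    """Summarise IOS 'debug tacacs' / 'debug aaa' output for one login."""
    s = AaaSummary()
    for line in text.splitlines():
        if m := re.search(r"priv-lvl=(\d+)", line):
            s.priv_lvl = int(m.group(1))
        if m := re.search(r"AAA/AUTHEN/LOGIN .*Pick method list '([^']+)'", line):
            s.authen_list = m.group(1)
        elif m := re.search(r"start packet created for \d+\(([^)]+)\)", line):
            s.user = m.group(1)
        elif m := re.search(r"Received authen response status (\w+)", line):
            s.authen_result = m.group(1)      # GET_PASSWORD first, then PASS
        elif m := re.search(r"received authorization response for \d+: (\w+)", line):
            s.author_result = m.group(1)
        elif "Inappropriate protocol" in line or "INVALID value" in line:
            # Noise present in the thread's debug; surfaced, not treated as failure.
            s.warnings.append(line.split(": ", 1)[1])
    return s

def parse_radiator_log(text: str) -> AaaSummary:
    """Summarise Radiator's TacacsplusConnection DEBUG lines for one login."""
    s = AaaSummary()
    for line in text.splitlines():
        if m := re.search(r"priv-lvl=(\d+)", line):
            s.priv_lvl = int(m.group(1))
        if m := re.search(r"created for (\d+(?:\.\d+){3}):\d+", line):
            s.nas = m.group(1)
        elif m := re.search(r"Authentication START .* for ([^,\s]+),", line):
            s.user = m.group(1)
        elif m := re.search(r"Authentication REPLY (\d+),", line):
            s.authen_result = AUTHEN_STATUS.get(int(m.group(1)), "UNKNOWN")
        elif m := re.search(r"Authorization RESPONSE (\d+),", line):
            s.author_result = AUTHOR_STATUS.get(int(m.group(1)), "UNKNOWN")
    return s

def reconcile(ap: AaaSummary, srv: AaaSummary) -> List[str]:
    """Cross-check the NAS-side and server-side views of the same login."""
    out = []
    if ap.user != srv.user:
        out.append(f"MISMATCH user: AP saw {ap.user!r}, server saw {srv.user!r}")
    if ap.authen_result == "PASS" and srv.authen_result == "PASS":
        out.append("authentication: PASS on both sides")
    else:
        out.append(f"MISMATCH authentication: AP={ap.authen_result}, server={srv.authen_result}")
    if (ap.author_result == "PASS" and srv.author_result in ("PASS_ADD", "PASS_REPL")
            and ap.priv_lvl == srv.priv_lvl):
        out.append(f"authorization: PASS on both sides, priv-lvl={ap.priv_lvl}")
    else:
        out.append(f"MISMATCH authorization: AP={ap.author_result}/{ap.priv_lvl}, "
                   f"server={srv.author_result}/{srv.priv_lvl}")
    out.extend(f"note (AP): {w}" for w in ap.warnings)
    return out

if __name__ == "__main__":
    for finding in reconcile(parse_ap_debug(AP_DEBUG), parse_radiator_log(RADIATOR_LOG)):
        print(finding)
```

Run as-is, it reports that the two sides agree: authentication PASS, authorization PASS with priv-lvl=15, plus the "Inappropriate protocol" note. That agreement is the useful check in a case like this one: when the NAS and the server both record a complete, successful exchange for the same user and the web UI still re-prompts, the TACACS+ server is not what is rejecting the login, and the search can move off the server.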
