From: Lord, Chris (chris.lord@lorien.co.uk)
Date: Mon Feb 21 2005 - 06:04:40 GMT-3
Hi Everyone,
I would really appreciate some guidance here. I realize I've probably
missed something really simple, but after several hours of trying you
just have to find help from someone!
I'm trying to use ip http authentication aaa. I have successfully tested
it using auth enable and auth local but as soon as I try auth aaa the
browser just keeps repeatedly asking for a user/password.
I've pasted the config and debug output below. The aaa authentication
phase seems successful but the http authentication phase fails. The test
was done on a simple 3548 switch but the same happens when I try it on a
3640 router. I am using Cisco Secure ACS as the tacacs server and I'm
wondering if the ACS user or group settings need some special options
set to enable this to work?
Many TIA,
Chris.
sh run | beg aaa
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login consoleport none
!
username aaa privilege 15 password 0 bbb
!
ip http authentication aaa
tacacs-server host 172.16.3.8 key xxx
tacacs-server host 172.16.3.9 key xxx
line con 0
exec-timeout 60 0
logging synchronous
login authentication consoleport
transport input none
stopbits 1
line vty 0 4
logging synchronous
length 0
line vty 5 15
logging synchronous
PYLSWT02#deb aaa authen
AAA Authentication debugging is on
PYLSWT02#deb aaa authori
AAA Authorization debugging is on
PYLSWT02#deb ip http auth
HTTP Authentication debugging is on
PYLSWT02#
PYLSWT02#
1d20h: HTTP: Authentication for url '/cms_13.html' '/cms_13.html' level
15 privless '/cms_13.html'
1d20h: HTTP: Authentication username = 'lorien' priv-level = 15
auth-type = aaa
1d20h: AAA: parse name=tty1 idb type=-1 tty=-1
1d20h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1
channel=0
1d20h: AAA/MEMORY: create_user (0x53F1B8) user='' ruser='' port='tty1'
rem_addr='10.7.12.10' authen_type=ASCII service=LOGIN priv=0
1d20h: AAA/AUTHEN/START (1240818140): port='tty1' list='' action=LOGIN
service=LOGIN
1d20h: AAA/AUTHEN/START (1240818140): using "default" list
1d20h: AAA/AUTHEN/START (1240818140): Method=tacacs+ (tacacs+)
PYLSWT02#
1d20h: TAC+: send AUTHEN/START packet ver=192 id=1240818140
1d20h: TAC+: ver=192 id=1240818140 received AUTHEN status = GETUSER
1d20h: AAA/AUTHEN (1240818140): status = GETUSER
1d20h: AAA/AUTHEN/CONT (1240818140): continue_login (user='(undef)')
1d20h: AAA/AUTHEN (1240818140): status = GETUSER
1d20h: AAA/AUTHEN (1240818140): Method=tacacs+ (tacacs+)
1d20h: TAC+: send AUTHEN/CONT packet id=1240818140
1d20h: TAC+: ver=192 id=1240818140 received AUTHEN status = GETPASS
1d20h: AAA/AUTHEN (1240818140): status = GETPASS
1d20h: AAA/AUTHEN/CONT (1240818140): continue_login (user='lorien')
1d20h: AAA/AUTHEN (1240818140): status = GETPASS
PYLSWT02#
1d20h: AAA/AUTHEN (1240818140): Method=tacacs+ (tacacs+)
1d20h: TAC+: send AUTHEN/CONT packet id=1240818140
1d20h: TAC+: ver=192 id=1240818140 received AUTHEN status = PASS
1d20h: AAA/AUTHEN (1240818140): status = PASS
1d20h: HTTP: Authentication failed
1d20h: AAA/MEMORY: free_user (0x53F1B8) user='lorien' ruser=''
port='tty1' rem_addr='10.7.12.10' authen_type=ASCII service=LOGIN priv=0
PYLSWT02#
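As a troubleshooting aid for the capture above (an added example, not code from the original post or from Cisco): a small Python parser that correlates the debug ip http auth and debug aaa authentication lines and reports where the login stopped, using the post's own debug output, with the mail-wrapped lines rejoined, as constructed sample input. The verdict it gives for the PASS-then-failed pattern rests on my assumption that a credential check which passes, followed by an HTTP rejection, points at the privilege level granted to the user rather than at the password.

```python
import re

# Constructed sample: the debug lines from the post above, with the lines the
# mail client wrapped joined back together (session id and addresses are the post's).
SAMPLE_DEBUG = """\
1d20h: HTTP: Authentication for url '/cms_13.html' '/cms_13.html' level 15 privless '/cms_13.html'
1d20h: HTTP: Authentication username = 'lorien' priv-level = 15 auth-type = aaa
1d20h: AAA/MEMORY: create_user (0x53F1B8) user='' ruser='' port='tty1' rem_addr='10.7.12.10' authen_type=ASCII service=LOGIN priv=0
1d20h: AAA/AUTHEN/START (1240818140): using "default" list
1d20h: AAA/AUTHEN (1240818140): status = GETPASS
1d20h: TAC+: ver=192 id=1240818140 received AUTHEN status = PASS
1d20h: AAA/AUTHEN (1240818140): status = PASS
1d20h: HTTP: Authentication failed
"""

HTTP_USER = re.compile(r"HTTP: Authentication username = '([^']*)' priv-level = (\d+) auth-type = (\w+)")
CREATE_USER = re.compile(r"AAA/MEMORY: create_user .* rem_addr='([^']*)' .* priv=(\d+)")
AAA_STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")
HTTP_FAILED = re.compile(r"HTTP: Authentication failed")


def analyze_http_aaa_debug(text):
    """Correlate the HTTP and AAA phases of one debug capture and say where login stopped."""
    r = {"user": None, "required_level": None, "auth_type": None, "rem_addr": None,
         "session_priv": None, "aaa_session": None, "aaa_final_status": None,
         "http_failed": False, "verdict": None}
    for line in text.splitlines():
        if m := HTTP_USER.search(line):
            r["user"], r["required_level"], r["auth_type"] = m[1], int(m[2]), m[3]
        elif m := CREATE_USER.search(line):
            r["rem_addr"], r["session_priv"] = m[1], int(m[2])
        elif m := AAA_STATUS.search(line):
            # Status lines run GETUSER -> GETPASS -> PASS/FAIL; the last one seen is final.
            r["aaa_session"], r["aaa_final_status"] = m[1], m[2]
        elif HTTP_FAILED.search(line):
            r["http_failed"] = True
    if r["aaa_final_status"] == "PASS" and r["http_failed"]:
        # Assumption: credentials were accepted, so what is left to compare is the level
        # the HTTP server demanded against what the AAA session actually carries.
        r["verdict"] = (f"AAA accepted '{r['user']}' from {r['rem_addr']} but HTTP rejected the "
                        f"session: HTTP required level {r['required_level']}, the AAA session was "
                        f"created at priv={r['session_priv']}; check the privilege level the "
                        "TACACS+ server returns for this user")
    elif r["aaa_final_status"] == "PASS":
        r["verdict"] = "AAA accepted the credentials and HTTP logged no failure"
    elif r["aaa_final_status"]:
        r["verdict"] = f"AAA ended with status {r['aaa_final_status']}: the credential check failed"
    else:
        r["verdict"] = "no AAA authentication status found in the capture"
    return r
```

Run it on a capture taken with the same three debug commands the post used; the returned dictionary is meant to be read by hand, not parsed further.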
This archive was generated by hypermail 2.1.4 : Thu Mar 03 2005 - 08:51:23 GMT-3