RE: http authentication aaa

From: Lord, Chris (chris.lord@lorien.co.uk)
Date: Mon Feb 21 2005 - 20:10:40 GMT-3


Richard, many thanks for the analysis, you are absolutely correct. I
realize my mistake at last.....

In ACS I have found three places where you can specify privilege levels:

User -> Advanced TACACS+ Settings -> Max Privilege for any AAA Client

Group -> Enable Options -> Privilege for any AAA Client

Group -> TACACS+ Settings -> Shell(Exec) -> Privilege level

I specified 15 in the first 2 locations but had not set a value in the
3rd location. :-(

An interesting observation is that when I use the userid with telnet and
with my original config, I am placed in user exec mode and then have to
use the enable command to get into priv exec mode. But when I modify the
ACS priv level, the telnet session goes directly into priv exec mode
without needing to use the enable command. I should have realized from
this that the priv level was going wrong somewhere.

Cheers,

Chris.

  _____

From: Richard Dumoulin [mailto:Richard.Dumoulin@vanco.fr]
Sent: 21 February 2005 22:05
To: Lord, Chris
Cc: Group Study
Subject: RE: http authentication aaa

It seems that there is a diff in the privilege level when using Tacacs.
I can see Priv 0 in the debugs and Priv 15 when using Local database.

There is an example in the link
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example0
9186a0080178a51.shtml#tac-win

See what the author says about User3 -->

* User Three
  o User will fail web authorization due to not having a privilege level.

-- Richard
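Added here as an illustration, not part of the thread: a short Python triage script that reads the kind of "debug ip http authentication" / "debug aaa authentication" output quoted further down and separates the two cases Richard is contrasting, a tacacs+ session that reaches AUTHEN status = PASS but is still reported as "HTTP: Authentication failed" with the AAA session left at priv=0 against a page requiring level 15, and a local-database session that is granted. The sample lines are constructed in the shape of the thread's debugs; the function names are mine.

```python
import re

# Constructed sample in the shape of the 'debug ip http authentication' and
# 'debug aaa authentication' lines quoted further down in this thread.
SAMPLE_DEBUG = """\
1d20h: HTTP: Authentication for url '/cms_13.html' '/cms_13.html' level 15 privless '/cms_13.html'
1d20h: HTTP: Authentication username = 'lorien' priv-level = 15 auth-type = aaa
1d20h: AAA/AUTHEN/START (1240818140): Method=tacacs+ (tacacs+)
1d20h: AAA/AUTHEN (1240818140): status = PASS
1d20h: HTTP: Authentication failed
1d20h: AAA/MEMORY: free_user (0x53F1B8) user='lorien' ruser='' port='tty1' rem_addr='10.7.12.10' authen_type=ASCII service=LOGIN priv=0
2d08h: HTTP: Authentication for url '/cms_13.html' '/cms_13.html' level 15 privless '/cms_13.html'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
"""

URL_RE = re.compile(r"HTTP: Authentication for url '[^']*' '[^']*' level (\d+)")
USER_RE = re.compile(r"HTTP: Authentication username = '([^']*)' priv-level = \d+ auth-type = (\w+)")
METHOD_RE = re.compile(r"AAA/AUTHEN/START \(\d+\): Method=(\S+)")
PASS_RE = re.compile(r"AAA/AUTHEN \(\d+\): status = PASS")
FREE_RE = re.compile(r"AAA/MEMORY: free_user .*priv=(\d+)")

def triage_http_auth(debug_text):
    """One record per HTTP request; aaa_priv is the privilege the AAA session ended with."""
    requests, cur = [], {}  # the initial scratch dict absorbs lines before the first request
    for line in debug_text.splitlines():
        if m := URL_RE.search(line):  # each 'Authentication for url' line opens a new request
            cur = {"required_level": int(m.group(1)), "user": None, "auth_type": None,
                   "method": None, "authen_pass": False, "http_failed": False, "aaa_priv": None}
            requests.append(cur)
        elif m := USER_RE.search(line):
            cur["user"], cur["auth_type"] = m.group(1), m.group(2)
        elif m := METHOD_RE.search(line):
            cur["method"] = m.group(1)
        elif PASS_RE.search(line):
            cur["authen_pass"] = True
        elif "HTTP: Authentication failed" in line:
            cur["http_failed"] = True
        elif m := FREE_RE.search(line):
            cur["aaa_priv"] = int(m.group(1))
    return requests

def explain(req):
    """Verdict for one request record, naming the privilege mismatch when that is the cause."""
    if req["user"] is None:
        return "no credentials yet (browser was challenged)"
    if req["http_failed"] and req["authen_pass"]:
        return (f"{req['user']}: {req['method']} authentication PASSED but HTTP denied access: "
                f"AAA session priv {req['aaa_priv']} < level {req['required_level']} the URL requires")
    return f"{req['user']}: " + ("authentication failed" if req["http_failed"]
                                 else f"access granted via {req['auth_type']}")
```

Feed the output of the three debugs to triage_http_auth() and pass each record to explain() to get one verdict line per browser request.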

-----Original Message-----
From: Lord, Chris [mailto:chris.lord@lorien.co.uk]
Sent: Monday, February 21, 2005 10:35 PM
To: Richard Dumoulin
Cc: Group Study
Subject: RE: http authentication aaa

Hi Richard,

Ip http server is definitely on. The switch has it enabled by default
therefore it does not appear in the config. If you do "no ip http
server" it shows in the config as being disabled.

Local authentication works perfectly, debug follows..............(Cheers
Chris)..........

sh deb
General OS:
  TACACS access control debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on
HTTP:
  HTTP Authentication debugging is on
PYLSWT02#
PYLSWT02#
2d08h: HTTP: Authentication for url '/cms_13.html' '/cms_13.html' level 15 privless '/cms_13.html'
2d08h: HTTP: authentication required, no authentication information was provided
PYLSWT02#
2d08h: HTTP: Authentication for url '/cms_13.html' '/cms_13.html' level 15 privless '/cms_13.html'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
PYLSWT02#
2d08h: HTTP: Authentication for url '/cms_boot.jar' '/cms_boot.jar' level 15 privless '/cms_boot.jar'
2d08h: HTTP: authentication required, no authentication information was provided
PYLSWT02#
2d08h: HTTP: Authentication for url '/cms_boot.jar' '/cms_boot.jar' level 15 privless '/cms_boot.jar'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
PYLSWT02#
2d08h: HTTP: Authentication for url '/c4v4_disc.sgz' '/c4v4_disc.sgz' level 15 privless '/c4v4_disc.sgz'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
PYLSWT02#
2d08h: HTTP: Authentication for url '/CMS.sgz' '/CMS.sgz' level 15 privless '/CMS.sgz'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
PYLSWT02#
2d08h: HTTP: Authentication for url '/CiscoChartPanel.sgz' '/CiscoChartPanel.sgz' level 15 privless '/CiscoChartPanel.sgz'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
PYLSWT02#
2d08h: HTTP: Authentication for url '//exec/show/version/CR' '//exec/show/version/CR' level 15 privless '//exec/show/version/CR'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
2d08h: HTTP: Authentication for url '//exec/show/cluster/CR' '//exec/show/cluster/CR' level 15 privless '//exec/show/cluster/CR'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
PYLSWT02#
2d08h: HTTP: Authentication for url '//exec/show/version/CR' '//exec/show/version/CR' level 15 privless '//exec/show/version/CR'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
2d08h: HTTP: Authentication for url '//exec/show/cluster/CR' '//exec/show/cluster/CR' level 15 privless '//exec/show/cluster/CR'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
2d08h: HTTP: Authentication for url '//exec/show/slot/1/type/CR' '//exec/show/slot/1/type/CR' level 15 privless '//exec/show/slot/1/type/CR'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
PYLSWT02#
2d08h: HTTP: Authentication for url '//exec/show/slot/2/type/CR' '//exec/show/slot/2/type/CR' level 15 privless '//exec/show/slot/2/type/CR'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
2d08h: HTTP: Authentication for url '//exec/show/rps/CR' '//exec/show/rps/CR' level 15 privless '//exec/show/rps/CR'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
2d08h: HTTP: Authentication for url '//exec/show/slot/0/connector-type/CR' '//exec/show/slot/0/connector-type/CR' level 15 privless '//exec/show/slot/0/connector-type/CR'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
PYLSWT02#
2d08h: HTTP: Authentication for url '//exec/show/rps/CR' '//exec/show/rps/CR' level 15 privless '//exec/show/rps/CR'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
2d08h: HTTP: Authentication for url '//exec/cluster/preferences/file/flash:syslog.conf/CR' '//exec/cluster/preferences/file/flash:syslog.conf/CR' level 15 privless '//exec/cluster/preferences/file/flash:syslog.conf/CR'
2d08h: HTTP: Authentication username = 'aaa' priv-level = 15 auth-type = local
PYLSWT02#conf t

  _____

From: Richard Dumoulin [mailto:Richard.Dumoulin@vanco.fr]
Sent: 21 February 2005 17:28
To: Lord, Chris
Cc: Group Study
Subject: RE: http authentication aaa

Tacacs debug seems fine to me. Authentication is successful. Did you try
local authentication?

I guess you have also enabled ip http server (sorry I have to ask:-) )

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example0
9186a0080178a51.shtml

-- Richard

-----Original Message-----
From: Lord, Chris [mailto:chris.lord@lorien.co.uk]
Sent: Monday, February 21, 2005 5:21 PM
To: Richard Dumoulin
Cc: Group Study
Subject: RE: http authentication aaa

Here's the tacacs debug ........

PYLSWT02#deb taca
TACACS access control debugging is on
PYLSWT02#
2d03h: TAC+: send AUTHEN/START packet ver=192 id=2332148682
2d03h: TAC+: Using default tacacs server-group "tacacs+" list.
2d03h: TAC+: Opening TCP/IP to 172.16.3.8/49 timeout=5
2d03h: TAC+: Opened TCP/IP handle 0x769594 to 172.16.3.8/49
2d03h: TAC+: 172.16.3.8 (2332148682) AUTHEN/START/LOGIN/ASCII queued
2d03h: TAC+: (2332148682) AUTHEN/START/LOGIN/ASCII processed
2d03h: TAC+: ver=192 id=2332148682 received AUTHEN status = GETUSER
2d03h: TAC+: send AUTHEN/CONT packet id=2332148682
2d03h: TAC+: 172.16.3.8 (2332148682) AUTHEN/CONT queued
2d03h: TAC+: (2332148682) AUTHEN/CONT processed
2d03h: TAC+: ver=192 id=2332148682 received AUTHEN status = GETPASS
PYLSWT02#
2d03h: TAC+: send AUTHEN/CONT packet id=2332148682
2d03h: TAC+: 172.16.3.8 (2332148682) AUTHEN/CONT queued
2d03h: TAC+: (2332148682) AUTHEN/CONT processed
2d03h: TAC+: ver=192 id=2332148682 received AUTHEN status = PASS
2d03h: TAC+: Closing TCP/IP 0x769594 connection to 172.16.3.8/49
PYLSWT02#

  _____

From: Richard Dumoulin [mailto:Richard.Dumoulin@vanco.fr]
Sent: 21 February 2005 16:04
To: Lord, Chris
Subject: RE: http authentication aaa

Fine thx.

I know but I meant debug tacacs, not aaa nor http :-)

-----Original Message-----
From: Lord, Chris [mailto:chris.lord@lorien.co.uk]
Sent: Monday, February 21, 2005 5:03 PM
To: Richard Dumoulin
Subject: RE: http authentication aaa

Hehe, how you doing Richard?

Aaa and http auth debugs are at bottom of original posting.......

  _____

From: Richard Dumoulin [mailto:Richard.Dumoulin@vanco.fr]
Sent: 21 February 2005 16:00
To: Lord, Chris; istong@stong.org; Group Study
Subject: RE: http authentication aaa

What does debug tacacs show?

-- Richard

-----Original Message-----
From: Lord, Chris [mailto:chris.lord@lorien.co.uk]
Sent: Monday, February 21, 2005 4:56 PM
To: istong@stong.org; Group Study
Subject: RE: http authentication aaa

Hi Ian,

Thanks for your reply. Yes, ACS works in all other respects for other
purposes - telnet authentication, exec command authorization, RSA
authentication for VPN, etc, etc.

When http authentication fails there is no entry in the "failed
attempts" log (or any other I can find) on ACS. It's acting as if the
http auth isn't bound into the aaa auth if you see what I mean.

Chris

-----Original Message-----
From: Ian Stong [mailto:istong@stong.org]
Sent: 21 February 2005 11:43
To: Lord, Chris; 'Group Study'
Subject: RE: http authentication aaa

Have you narrowed it down to verify the aaa and ACS work in general? For
example, have you tried login authentication default on a vty port to see
if you can telnet to the router and authenticate via aaa? I'm assuming you
have set up the username and password in ACS and all is well there.

Also curious if you see any log activity on the ACS server when you are
trying this authentication.

Thanks,

Ian
http://www.ccie4u.com
CCIE Lab Rack Rentals and Lab Scenarios starting at only $12

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Lord, Chris
Sent: Monday, February 21, 2005 4:05 AM
To: Group Study
Subject: http authentication aaa

Hi Everyone,

I would really appreciate some guidance here. I realize I've probably
missed something really simple, but after several hours of trying you
just have to find help from someone!

I'm trying to use ip http authentication aaa. I have successfully tested
it using auth enable and auth local, but as soon as I try auth aaa the
browser just keeps repeatedly asking for a user/password.

I've pasted the config and debug output below. The aaa authentication
phase seems successful but the http authentication phase fails. The test
was done on a simple 3548 switch but the same happens when I try it on a
3640 router. I am using Cisco Secure ACS as the tacacs server and I'm
wondering if the ACS user or group settings need some special options
set to enable this to work?

Many TIA,

Chris.

sh run | beg aaa
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login consoleport none
!
username aaa privilege 15 password 0 bbb
!
ip http authentication aaa
tacacs-server host 172.16.3.8 key xxx
tacacs-server host 172.16.3.9 key xxx
line con 0
 exec-timeout 60 0
 logging synchronous
 login authentication consoleport
 transport input none
 stopbits 1
line vty 0 4
 logging synchronous
 length 0
line vty 5 15
 logging synchronous

PYLSWT02#deb aaa authen
AAA Authentication debugging is on
PYLSWT02#deb aaa authori
AAA Authorization debugging is on
PYLSWT02#deb ip http auth
HTTP Authentication debugging is on
PYLSWT02#
PYLSWT02#
1d20h: HTTP: Authentication for url '/cms_13.html' '/cms_13.html' level 15 privless '/cms_13.html'
1d20h: HTTP: Authentication username = 'lorien' priv-level = 15 auth-type = aaa
1d20h: AAA: parse name=tty1 idb type=-1 tty=-1
1d20h: AAA: name=tty1 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=1 channel=0
1d20h: AAA/MEMORY: create_user (0x53F1B8) user='' ruser='' port='tty1' rem_addr='10.7.12.10' authen_type=ASCII service=LOGIN priv=0
1d20h: AAA/AUTHEN/START (1240818140): port='tty1' list='' action=LOGIN service=LOGIN
1d20h: AAA/AUTHEN/START (1240818140): using "default" list
1d20h: AAA/AUTHEN/START (1240818140): Method=tacacs+ (tacacs+)
PYLSWT02#
1d20h: TAC+: send AUTHEN/START packet ver=192 id=1240818140
1d20h: TAC+: ver=192 id=1240818140 received AUTHEN status = GETUSER
1d20h: AAA/AUTHEN (1240818140): status = GETUSER
1d20h: AAA/AUTHEN/CONT (1240818140): continue_login (user='(undef)')
1d20h: AAA/AUTHEN (1240818140): status = GETUSER
1d20h: AAA/AUTHEN (1240818140): Method=tacacs+ (tacacs+)
1d20h: TAC+: send AUTHEN/CONT packet id=1240818140
1d20h: TAC+: ver=192 id=1240818140 received AUTHEN status = GETPASS
1d20h: AAA/AUTHEN (1240818140): status = GETPASS
1d20h: AAA/AUTHEN/CONT (1240818140): continue_login (user='lorien')
1d20h: AAA/AUTHEN (1240818140): status = GETPASS
PYLSWT02#
1d20h: AAA/AUTHEN (1240818140): Method=tacacs+ (tacacs+)
1d20h: TAC+: send AUTHEN/CONT packet id=1240818140
1d20h: TAC+: ver=192 id=1240818140 received AUTHEN status = PASS
1d20h: AAA/AUTHEN (1240818140): status = PASS
1d20h: HTTP: Authentication failed
1d20h: AAA/MEMORY: free_user (0x53F1B8) user='lorien' ruser='' port='tty1' rem_addr='10.7.12.10' authen_type=ASCII service=LOGIN priv=0
PYLSWT02#


This archive was generated by hypermail 2.1.4 : Thu Mar 03 2005 - 08:51:24 GMT-3