From: Lab Rat #109385382 (techlist01@gmail.com)
Date: Thu Nov 23 2006 - 04:31:46 ART
Does the "ip http authentication local" command do automatic exec
authorization on the local user?
In my tests, privilege level needs to be at 15...correct?
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Petr
Lapukhov
Sent: Wednesday, November 22, 2006 10:42 PM
To: Kal Han
Cc: Groupstudy; Cisco certification
Subject: Re: auth-proxy method lists for authentication.
It's the notorious bug found in 12.2T/12.3:
*Bug ID: CSCeb82510*
Fixed Since: 12.3(7.3)T
<quote>
Since the 12.2(15)T IOS release onwards, when "ip http authentication aaa"
is configured, HTTP server uses the login authentication and exec
authorization method lists specified for the console instead of for the vty
lines as in the earlier IOS versions.
If you configure:
ip http server
ip http authentication aaa
aaa authentication login default ...
aaa authorization exec default ...
aaa authentication login vty-auth ...
aaa authorization exec vty-auth ...
line con 0
login authentication default
authorization exec default
line vty ...
login authentication vty-auth
authorization exec vty-auth
and then attempt HTTP access, the router will ignore the "http-auth"
method lists and instead use the default method lists specified for the
console.
If there are no default method lists defined, the router will fail the HTTP
authentication. *This new behaviour is due to the fact that since 12.2(15)T
onwards vty lines are no longer used for HTTP connections.*
Workaround:
Use a common method list for HTTP and console and make sure that the console
is configured with this common method list. For example,
aaa authentication login console-http-auth ...
aaa authorization exec console-http-auth ...
line con 0
login authentication console-http-auth
authorization exec console-http-auth
If only "default" method list names are used, this problem does not exist.
For example,
aaa authentication login default ...
aaa authorization exec default ...
line con 0
 <No method lists explicitly applied. So, default is used>
line vty ...
 <No method lists explicitly applied. So, default is used>
</quote>
In modern images, you may configure a separate AAA list for HTTP
authentication/authorization (commands):
ip http authentication aaa login-authentication ?
WORD Use an authentication list with this name.
2006/11/23, Kal Han <calikali2006@gmail.com>:
>
> Hello Friends.
> I have this question on method lists used by auth-proxy authentication.
>
> When I want to http connect to the router, it uses the method lists
> defined on the console port.
>
> When I want to telnet/ssh etc connect to router, it uses the method
> lists defined on the vty lines.
>
> What about auth-proxy? It's an HTTP authentication, but what method lists
> will it use?
> *Does it always use the default authentication list? *
>
> Here is my config and its working fine.
>
> R1#sh run | be line
> line con 0
> exec-timeout 0 0
> privilege level 15
> authorization exec NONE
> logging synchronous
> login authentication NONE
> line aux 0
> line vty 0 3
> password cisco
> authorization exec vtyssh
> login authentication vtyssh
> transport input telnet ssh
> line vty 4
> password cisco
> authorization exec vtyssh
> login authentication vtyssh
> rotary 65
> transport input telnet ssh
>
> Here is my aaa config
>
> aaa new-model
> aaa authentication login default group tacacs+
> aaa authentication login NONE none
> aaa authentication login vtyssh local
> aaa authorization exec default group tacacs+
> aaa authorization exec NONE none
> aaa authorization exec vtyssh local
> aaa authorization auth-proxy default group tacacs+
> aaa session-id common
>
>
> Debugs show it picked up the default list point to tacacs for
> authentication. Here is the output.
>
> *Mar 1 21:36:09.358: AAA/AUTHEN/START (1836189796): found list default
> *Mar 1 21:36:09.358: AAA/AUTHEN/START (1836189796): Method=tacacs+ (tacacs+)
> *Mar 1 21:36:09.358: TAC+: send AUTHEN/START packet ver=192 id=1836189796
> *Mar 1 21:36:09.358: TAC+: Using default tacacs server-group "tacacs+" list.
> *Mar 1 21:36:09.362: TAC+: Opening TCP/IP to 172.16.1.100/49 timeout=5
> *Mar 1 21:36:09.366: TAC+: Opened TCP/IP handle 0x82EAD5B4 to 172.16.1.100/49 using source 11.11.11.11
> R1#
> *Mar 1 21:36:09.366: TAC+: 172.16.1.100 (1836189796) AUTHEN/START/LOGIN/ASCII queued
> *Mar 1 21:36:09.566: TAC+: (1836189796) AUTHEN/START/LOGIN/ASCII processed
> *Mar 1 21:36:09.566: TAC+: ver=192 id=1836189796 received AUTHEN status = GETUSER
> *Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Status=GETUSER
> *Mar 1 21:36:09.566: AAA/AUTHEN/CONT (1836189796): continue_login (user='(undef)')
> *Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Status=GETUSER
> *Mar 1 21:36:09.566: AAA/AUTHEN(1836189796): Method=tacacs+ (tacacs+)
> *Mar 1 21:36:09.570: TAC+: send AUTHEN/CONT packet id=1836189796
> *Mar 1 21:36:09.570: TAC+: 172.16.1.100 (1836189796) AUTHEN/CONT queued
> *Mar 1 21:36:09.770: TAC+: (1836189796) AUTHEN/CONT processed
> *Mar 1 21:36:09.770: TAC+: ver=192 id=1836189796 received AUTHEN status = GETPASS
> *Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Status=GETPASS
> *Mar 1 21:36:09.770: AAA/AUTHEN/CONT (1836189796): continue_login (user='admin')
> *Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Status=GETPASS
> *Mar 1 21:36:09.770: AAA/AUTHEN(1836189796): Method=tacacs+ (tacacs+)
> *Mar 1 21:36:09.770: TAC+: send AUTHEN/CONT packet id=1836189796
> *Mar 1 21:36:09.774: TAC+: 172.16.1.100 (1836189796) AUTHEN/CONT queued
> *Mar 1 21:36:09.974: TAC+: (1836189796) AUTHEN/CONT processed
> *Mar 1 21:36:09.974: TAC+: ver=192 id=1836189796 received AUTHEN status = PASS
> *Mar 1 21:36:09.974: AAA/AUTHEN(1836189796): Status=PASS
> *Mar 1 21:36:09.974: TAC+: Closing TCP/IP 0x82EAD5B4 connection to 172.16.1.100/49
> *Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): Port='FastEthernet0/1' list='default' service=AUTH-PROXY
> *Mar 1 21:36:09.978: AAA/AUTHOR/HTTP: FastEthernet0/1(1076682770) user='admin'
> *Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): send AV service=auth-proxy
> *Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): send AV cmd*
> *Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): found list "default"
> *Mar 1 21:36:09.978: FastEthernet0/1 AAA/AUTHOR/HTTP(1076682770): Method=tacacs+ (tacacs+)
> *Mar 1 21:36:09.978: AAA/AUTHOR/TAC+: (1076682770): user=admin
> *Mar 1 21:36:09.978: AAA/AUTHOR/TAC+: (1076682770): send AV service=auth-proxy
> *Mar 1 21:36:09.982: AAA/AUTHOR/TAC+: (1076682770): send AV cmd*
> *Mar 1 21:36:09.982: TAC+: using previously set server 172.16.1.100 from group tacacs+
> *Mar 1 21:36:09.982: TAC+: Opening TCP/IP to 172.16.1.100/49 timeout=5
> *Mar 1 21:36:09.986: TAC+: Opened TCP/IP handle 0x82EAE974 to 172.16.1.100/49 using source 11.11.11.11
> *Mar 1 21:36:09.986: TAC+: Opened 172.16.1.100 index=1
> *Mar 1 21:36:09.986: TAC+: 172.16.1.100 (1076682770) AUTHOR/START queued
> *Mar 1 21:36:10.186: TAC+: (1076682770) AUTHOR/START processed
> *Mar 1 21:36:10.186: TAC+: (1076682770): received author response status = PASS_ADD
> *Mar 1 21:36:10.186: TAC+: Closing TCP/IP 0x82EAE974 connection to 172.16.1.100/49
> *Mar 1 21:36:10.190: TAC+: Received Attribute "priv-lvl=15"
> *Mar 1 21:36:10.190: TAC+: Received Attribute "proxyacl#1=permit ip any any"
> *Mar 1 21:36:10.190: AAA/AUTHOR (1076682770): Post authorization status = PASS_ADD
> Please let me know.
> Thanks
> Kal
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
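The list-selection rules quoted above (the vty lines' lists before 12.2(15)T, the console's lists under CSCeb82510, and a named list on newer images), as an added example that is not part of the thread and not Cisco's code: a small Python model that parses the page's own config snippets and reports which login-authentication and exec-authorization lists the HTTP server ends up with under each regime. Two things are assumptions rather than anything the page shows: the `exec-authorization` keyword alongside `login-authentication`, and that on newer images a missing list name falls back to `default`; the fail-on-missing-default rule is quoted for the console case and is applied to every regime here. The inputs are constructed: the bug report's config with illustrative method keywords in place of its `...`, and Kal's lists with an `ip http authentication aaa` line he did not show.

```python
"""Which AAA method lists does the IOS HTTP server use?  Added example (not from the
thread or from Cisco) modelling the behaviours described on the page: before
12.2(15)T HTTP borrows the vty lines' lists; under CSCeb82510 it uses the lists
applied to line con 0; later images take "ip http authentication aaa
login-authentication NAME".  A line with nothing applied means "default", and a
missing "default" list fails HTTP AAA.  Assumed, not on the page: the
exec-authorization keyword and the fall-back to "default" in the named regime."""
import re
from dataclasses import dataclass, field


@dataclass
class AaaConfig:
    lists: dict = field(default_factory=lambda: {"login": {}, "exec": {}})      # kind -> NAME -> methods
    applied: dict = field(default_factory=lambda: {"con": {}, "vty": {}, "http": {}})  # where -> kind -> NAME
    http_aaa: bool = False                      # "ip http authentication aaa" present


def parse_config(text):
    """Parse the small subset of IOS syntax used in the thread."""
    cfg, section = AaaConfig(), None            # section: "con", "vty" or None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"aaa (authentication login|authorization exec) (\S+)\s*(.*)", line):
            cfg.lists["login" if m[1].startswith("authentication") else "exec"][m[2]] = m[3].split()
        elif line.startswith("ip http authentication aaa"):
            cfg.http_aaa = True
            for kind, key in (("login", "login-authentication"), ("exec", "exec-authorization")):
                if m := re.search(key + r" (\S+)", line):   # exec-authorization: assumed keyword
                    cfg.applied["http"][kind] = m[1]
        elif line.startswith("line "):
            section = next((s for s in ("con", "vty") if line.startswith("line " + s)), None)
        elif section and (m := re.match(r"(login authentication|authorization exec) (\S+)", line)):
            cfg.applied[section]["login" if m[1].startswith("login") else "exec"] = m[2]
    return cfg


class HttpAaaError(Exception):
    """The HTTP server would end up with no usable method list."""


REGIMES = ("pre-12.2(15)T", "CSCeb82510", "named")


def http_method_lists(cfg, regime):
    """(login_list, exec_list) the HTTP server would use; None if HTTP auth is not AAA."""
    if not cfg.http_aaa:
        return None
    source = {"pre-12.2(15)T": "vty", "CSCeb82510": "con", "named": "http"}[regime]
    chosen = []
    for kind in ("login", "exec"):
        name = cfg.applied[source].get(kind, "default")   # nothing applied => default list
        if name not in cfg.lists[kind]:
            raise HttpAaaError(f'{kind} list "{name}" is not defined; HTTP AAA fails')
        chosen.append(name)
    return tuple(chosen)


def outcome(cfg, regime):
    """Human-readable result for one regime, with the methods of the login list."""
    try:
        lists = http_method_lists(cfg, regime)
    except HttpAaaError as e:
        return f"FAIL: {e}"
    if lists is None:
        return "HTTP auth is not AAA"
    return f"login={lists[0]} ({' '.join(cfg.lists['login'][lists[0]])}) exec={lists[1]}"


# Constructed inputs.  BUG_CONFIG follows the quoted bug report, which elides the
# method keywords ("..."); illustrative ones are filled in here.
BUG_CONFIG = """
ip http authentication aaa
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authentication login vty-auth local
aaa authorization exec vty-auth local
line con 0
 login authentication default
 authorization exec default
line vty 0 4
 login authentication vty-auth
 authorization exec vty-auth
"""
# The quoted workaround: a common named list applied to the console, no "default".
WORKAROUND_CONFIG = BUG_CONFIG.replace("default", "console-http-auth")
# Kal's lists and line settings, condensed, plus an "ip http authentication aaa"
# line he did not show (added to ask what plain HTTP AAA would do on his box).
KAL_CONFIG = """
ip http authentication aaa
aaa authentication login default group tacacs+
aaa authentication login NONE none
aaa authentication login vtyssh local
aaa authorization exec default group tacacs+
aaa authorization exec NONE none
aaa authorization exec vtyssh local
line con 0
 authorization exec NONE
 login authentication NONE
line vty 0 4
 authorization exec vtyssh
 login authentication vtyssh
"""

if __name__ == "__main__":
    for name, text in (("bug report", BUG_CONFIG), ("workaround", WORKAROUND_CONFIG), ("Kal", KAL_CONFIG)):
        for regime in REGIMES:
            print(f"{name:10} {regime:14} {outcome(parse_config(text), regime)}")
```

Running it prints the chosen lists per regime. On Kal's lists the CSCeb82510 row comes out as `login=NONE (none) exec=NONE`: the model's way of saying that, on an affected image, a console carrying a `none` list hands that same no-authentication list to the web server. That is the practical check behind the quoted bug text: whatever is applied to line con 0 is what `ip http authentication aaa` will use on images between 12.2(15)T and the 12.3(7.3)T fix, so inspect the console lists before trusting HTTP AAA there, or use the named-list form where the image supports it.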
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART