Re: Securing HTTP Access

From: Piotr Matusiak <piotr_at_ccie1.com>
Date: Sat, 23 Jan 2010 22:25:57 +0100

Hi,

As far as I am aware, a user must have privilege level 15 to get access to
the HTTP/HTTPS server.
So, if you have two users with different privileges, only the user with lvl 15
will be able to manage the router using a web browser.

If you want to use AAA for HTTP server authentication you must use those
mentioned commands.
Answering your question: yes, you need those commands if you want to use a
named method list.

HTH,

--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2010/1/23 CCIE-Newbie <ccie_ka_at_gmx.de>
> Hi,
>
> thank you for this explanation.
>
> But what happens if I have two local users with different privilege
> levels? Is the login dependent on the defined user level?
>
> And also can you please explain what about the commands
>
> ip http authentication aaa
> 1. command-authorization level listname
> 2. exec-authorization listname
> 3. login-authentication listname
>
> Sorry for my questions, but if I must use a named list, do I also need to
> specify any of the above commands?
>
> Dennis
>
>
> On Saturday, 23.01.2010, 10:49 +0100, Piotr Matusiak wrote:
> > Hi,
> >
> > When you use "aaa authentication login default local" it is applied to
> > all lines including CON, AUX, VTY. So you don't need to specify the
> > named method in "ip http authentication aaa" command.
> > However, if you use named method like "aaa authentication login TEST
> > local" you need to specify that using "ip http authentication aaa
> > login-authentication TEST" command.
> >
> > This is because you can have more than one named method configured and
> > the router must know which one to use to authenticate HTTP users. There
> > is only one default method, so you do not need to specify that.
> >
> > BTW: you can configure the same without AAA:
> > !
> > username student privil 15 password cisco123
> > !
> > ip http server
> > ip http authentication local
> > !
> >
> > HTH,
> > --
> > Piotr Matusiak
> > CCIE #19860 (R&S, Security)
> > Technical Instructor
> > website: www.MicronicsTraining.com
> >
> > "If you can't explain it simply, you don't understand it well enough"
> > - Albert Einstein
> >
> >
> > 2010/1/23 CCIE-Newbie <ccie_ka_at_gmx.de>
> >         Hi Group,
> >
> >         I'm confused about securing http access to a router.
> >         Assume I need to secure Router 1 for http access.
> >         There are two different privilege levels for two users.
> >         User A should be level 5 while user B should be level 10.
> >
> >         First of all I need to enable aaa and then set the list. My
> >         configuration looks as follows:
> >
> >         aaa new-model
> >         aaa authentication login HTTP local
> >         aaa authorization exec HTTP local
> >         ip http server
> >         ip http authentication aaa login-authentication HTTP
> >         ip http authentication aaa exec-authorization HTTP
> >         no ip http secure-server
> >
> >         aaa new-model
> >         aaa authentication login default local
> >         aaa authorization exec default local
> >         ip http server
> >         ip http authentication aaa
> >         no ip http secure-server
> >
> >         If I need to specify a "list" then I also need to specify it
> >         afterwards in "ip http authentication aaa login-authentication HTTP"
> >         and "ip http authentication aaa exec-authorization HTTP" !?
> >
> >         So what is the difference between the above configurations ?
> >         Can anyone explain please ?
> >
> >         Thanks
> >
> >         Dennis
> >
> >
> >         Blogs and organic groups at http://www.ccie.net
> >
> >
> _______________________________________________________________________
> >         Subscription information may be found at:
> >         http://www.groupstudy.com/list/CCIELab.html
Received on Sat Jan 23 2010 - 22:25:57 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:42 ART
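The thread turns on one rule: "ip http authentication aaa" with no list name falls back to the default AAA login list, while a named list must be spelled out with "login-authentication" / "exec-authorization" and must actually exist. The script below is an added example (not from the thread or from Cisco) that audits a saved running-config for exactly those mistakes, plus two things a reviewer would want flagged alongside them: plain "ip http server" left on without "ip http secure-server", and local users below privilege 15, who per the reply above cannot manage the router over the web interface. The sample configuration is constructed; the parser assumes full keyword spellings ("privilege", not "privil") and one setting per line.

```python
import re

# Constructed sample running-config fragment (not from the thread). It mirrors
# the named-list variant discussed above, with one privilege-5 user added.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login HTTP local
aaa authorization exec HTTP local
username alice privilege 5 secret example
username bob privilege 15 secret example
ip http server
ip http authentication aaa login-authentication HTTP
ip http authentication aaa exec-authorization HTTP
no ip http secure-server
"""


def parse_config(text):
    """Extract the AAA lists, local users and HTTP settings that matter for web management."""
    state = {
        "login_lists": set(),   # names from 'aaa authentication login <name> ...'
        "exec_lists": set(),    # names from 'aaa authorization exec <name> ...'
        "users": {},            # username -> privilege level (1 when omitted)
        "http": False, "https": False,
        "http_aaa": False, "login_auth": None, "exec_auth": None,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa authentication login (\S+)", line):
            state["login_lists"].add(m.group(1))
        elif m := re.match(r"aaa authorization exec (\S+)", line):
            state["exec_lists"].add(m.group(1))
        elif m := re.match(r"username (\S+)(?: privilege (\d+))?", line):
            state["users"][m.group(1)] = int(m.group(2) or 1)
        elif line == "ip http server":
            state["http"] = True
        elif line == "ip http secure-server":
            state["https"] = True
        elif line == "no ip http secure-server":
            state["https"] = False
        elif line.startswith("ip http authentication aaa"):
            state["http_aaa"] = True
            if m := re.search(r"login-authentication (\S+)", line):
                state["login_auth"] = m.group(1)
            if m := re.search(r"exec-authorization (\S+)", line):
                state["exec_auth"] = m.group(1)
    return state


def audit_http_aaa(text):
    """Return a list of 'LEVEL: message' findings about HTTP management auth."""
    s = parse_config(text)
    findings = []
    if s["http"] and not s["https"]:
        findings.append("WARN: 'ip http server' is enabled without 'ip http secure-server'; "
                        "web management credentials cross the network in cleartext")
    if s["http_aaa"]:
        # No list name on the ip http command means the default login list is used.
        login = s["login_auth"] or "default"
        if login not in s["login_lists"]:
            findings.append(f"ERROR: HTTP login-authentication uses AAA login list "
                            f"'{login}', which is not defined; web logins will fail")
        # exec-authorization is optional, so only check it when a list is named.
        if s["exec_auth"] and s["exec_auth"] not in s["exec_lists"]:
            findings.append(f"ERROR: HTTP exec-authorization uses AAA exec list "
                            f"'{s['exec_auth']}', which is not defined")
    for user, level in s["users"].items():
        if level < 15:
            findings.append(f"INFO: user '{user}' has privilege {level}; the web "
                            f"interface requires level 15, so this account cannot "
                            f"manage the router over HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit_http_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the cleartext HTTP server and the privilege-5 user; the named list "HTTP" is defined, so neither ERROR fires. Swap the list name on the "ip http authentication aaa" line for one that is not configured and the login ERROR appears, which is the misconfiguration the original question was circling.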