
cisco 2950 and http authentication with Tacacs+ server


geoffo0 (Technical User, GB), May 11, 2004
Hi :)
Anyone familiar with setting up 2950s to talk to Cisco ACS servers (TACACS+)?
Does anyone know how to set up HTTP access for 2950s using a recently installed TACACS+ server?
We have recently set up this Cisco ACS TACACS+ and all works OK: it authenticates, authorises and logs (accounts) fine. However, as well as the CLI we like to use the web interface and CNA to manage some aspects of the switches, and this no longer works since the ACS TACACS+ installation. I've tried turning it on with
ip http authentication enable
but this only allows access with the local username and password (which should not be picked up this way).
I've also tried
ip http authentication aaa
tacacs
local
enable
but only enable lets us on, and not with our TACACS+ (linked to our Active Directory accounts) usernames and passwords. Any help would be much appreciated, as would an answer to the question of how the local username and password let us in again, when the device should use TACACS+ in the first instance.

We have found failed logins from our support company (BT), who we have proactive management with on core switches only, and who may have changed things through their RW SNMP.

mmmm computer says No
 
Try these commands; these are right from CCO for IOS above 12.0.5T.

aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
ip http server
ip http authentication aaa
tacacs-server host <address>
tacacs-server key <keyword>
 
The problem is you need level 15 privilege by default to access the web interface (bypassing entering the enable password, etc.). You can do this by setting the user's default privilege level in ACS; bear in mind this will apply when you log in via telnet as well, i.e. you won't need to enter the enable password, you will already be at the '#' prompt as opposed to the '>' prompt.

Andy
 
Thanks both very much for the reply. I still seem to have problems with the web browser though. Looking at my ACS logs, my initial access goes through OK and shows as a passed authentication; however, the level 15 access is denied. The commands on the switch are
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default if-authenticated
aaa accounting exec default start-stop group default
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username xxxxxx password 7 xxxxxxxxxxxxxxx
tacacs-server host 10.115.32.206
tacacs-server key xxxxxxxxxx
ip http server
ip http authentication aaa


I have created a local user in case the TACACS+ server fails and I need access to the switch. We have about 150 of these 2950s, so I need to persevere with this, as a couple of the team only use this method to make VLAN changes etc.

Any ideas? Could it be a problem with my ACS configuration?

mmmm computer says No
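An added configuration example, not posted by anyone in the thread, that puts the exec-authorization line from the second post beside a version that asks TACACS+ for the privilege level, which is what Andy's point about level 15 depends on. It assumes the default method lists are in use (as in the posted config) and that the ACS-side setting is the Shell (exec) privilege level in the user's or group's TACACS+ settings.

```cisco
! Added example, not from the thread. Assumes the default method lists are in
! use, as in the posted config, and that ACS already authenticates the user.
!
! As posted: exec authorization succeeds for any authenticated user, but it
! never asks TACACS+ for a privilege level, so the session lands at the default
! level while the web interface requires level 15.
aaa authorization exec default if-authenticated
!
! Alternative: ask TACACS+ for the exec attributes (including priv-lvl) first;
! if-authenticated only applies when the server does not respond, which keeps
! the local fallback user usable when ACS is unreachable.
aaa authorization exec default group tacacs+ if-authenticated
!
! The HTTP server then authenticates and authorizes through the same default
! lists that telnet logins use.
ip http server
ip http authentication aaa
!
! ACS side (assumed location of the setting): under the user's or group's
! TACACS+ Settings, Shell (exec) -> Privilege level 15. As Andy notes, telnet
! users then arrive at the '#' prompt without entering the enable password.
```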
 