This document shows how to configure local, TACACS+, and RADIUS authentication of the HTTP connection. Some relevant debugging commands are also provided.
For more information on document conventions, see the Cisco Technical Tips Conventions.
There are no specific prerequisites for this document.
The information in this document is based on the software and hardware versions below.
Cisco IOS® Software Releases 11.2 or later
Hardware that supports these software revisions
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
In Cisco IOS® Software Release 11.2, a feature to manage the router through HTTP was added. The "Cisco IOS Web Browser Commands" section of the Cisco IOS Configuration Fundamentals Command Reference includes the following information about this feature.
"The ip http authentication command enables you to specify a particular authentication method for HTTP server users. The HTTP server uses the enable password method to authenticate a user at privilege level 15. The ip http authentication command now lets you specify enable, local, TACACS, or authentication, authorization, and accounting (AAA) HTTP server user authentication."
In this section, you are presented with the information to configure the features described in this document.
This document uses the configurations shown below.
Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).
Local Authentication with Cisco IOS Software Release 11.2

```
!--- This is the part of the configuration related to local authentication.
!
aaa new-model
aaa authentication login default local
aaa authorization exec local
username one privilege 15 password one
username three password three
username four privilege 7 password four
ip http server
ip http authentication aaa
!
!--- Example of command moved from level 15 (enable) to level 7
!
privilege exec level 7 clear line
```
Local Authentication with Cisco IOS Software Releases 11.3.3.T or later

```
!--- This is the part of the configuration
!--- related to local authentication.
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username one privilege 15 password one
username three password three
username four privilege 7 password four
ip http server
ip http authentication local
!
!--- Example of command moved from level 15 (enable) to level 7
!
privilege exec level 7 clear line
```
These results apply to the users in the previous router configurations.
User One
User will pass web authorization if URL is entered as http://#.#.#.#.
After Telnet to the router, user can perform all commands after login authentication.
User will be in enable mode after login (show privilege will be 15).
If command authorization is added to the router, user will still succeed in all commands.
User Three
User will fail web authorization due to not having a privilege level.
After Telnet to the router, user can perform all commands after login authentication.
User will be in non-enable mode after login (show privilege will be 1).
If command authorization is added to the router, user will still succeed in all commands.
User Four
User will pass web authorization if URL is entered as http://#.#.#.#/level/7/exec.
Level 1 commands plus the level 7 clear line command will appear.
After Telnet to the router, user can perform all commands after login authentication.
User will be at privilege level 7 after login (show privilege will be 7).
If command authorization is added to the router, user will still succeed in all commands.
Authentication with Cisco IOS Software Release 11.2

```
aaa new-model
aaa authentication login default tacacs+
aaa authorization exec tacacs+
ip http server
ip http authentication aaa
tacacs-server host 171.68.118.101
tacacs-server key cisco
!--- Example of command moved from level 15 (enable) to level 7
privilege exec level 7 clear line
```
Authentication with Cisco IOS Software Releases 11.3.3.T to 12.0.5.T

```
aaa new-model
aaa authentication login default tacacs+
aaa authorization exec default tacacs
ip http server
!--- Use either the aaa or the tacacs keyword here.
ip http authentication aaa|tacacs
tacacs-server host 171.68.118.101
tacacs-server key cisco
!--- Example of command moved from level 15 (enable) to level 7
privilege exec level 7 clear line
```
Authentication with Cisco IOS Software Releases 12.0.5.T and Later

```
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
ip http server
ip http authentication aaa
tacacs-server host 171.68.118.101
tacacs-server key cisco
!--- Example of command moved from level 15 (enable) to level 7
privilege exec level 7 clear line
```
The following results apply to the users in the server configurations below.
User One
User will pass web authorization if URL is entered as http://#.#.#.#.
After Telnet to the router, user can perform all commands after login authentication.
User will be in enable mode after login (show privilege will be 15).
If command authorization is added to the router, user will still succeed in all commands.
User Two
User will pass web authorization if URL is entered as http://#.#.#.#.
After Telnet to the router, user can perform all commands after login authentication.
User will be in enable mode after login (show privilege will be 15).
If command authorization is added to the router, user will fail all commands as the server configuration does not authorize them.
User Three
User will fail web authorization due to not having a privilege level.
After Telnet to the router, user can perform all commands after login authentication.
User will be in non-enable mode after login (show privilege will be 1).
If command authorization is added to the router, user will still succeed in all commands.
User Four
User will pass web authorization if URL is entered as http://#.#.#.#/level/7/exec.
Level 1 commands plus the level 7 clear line command will appear.
After Telnet to the router, user can perform all commands after login authentication.
User will be at privilege level 7 after login (show privilege will be 7).
If command authorization is added to the router, user will still succeed in all commands.
```
user = one {
    default service = permit
    login = cleartext "one"
    service = exec {
        priv-lvl = 15
    }
}
user = two {
    login = cleartext "two"
    service = exec {
        priv-lvl = 15
    }
}
user = three {
    default service = permit
    login = cleartext "three"
}
user = four {
    default service = permit
    login = cleartext "four"
    service = exec {
        priv-lvl = 7
    }
}
```
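The per-user results listed above follow directly from two fields in each TACACS+ profile: the exec priv-lvl (which privilege level the HTTP URL may request, and the level assigned after a Telnet login) and the presence of default service = permit (whether command authorization lets unlisted commands through). The following added example, not part of the original document, parses the freeware-style profiles shown above and reproduces those results; it assumes that a URL without /level/N/ requests level 15 and that a user passes when their priv-lvl is at least the requested level, which generalises the cases the page lists.

```python
import re

# Constructed copy of the TACACS+ freeware profiles shown on this page.
TACACS_CONF = """
user = one { default service = permit login = cleartext "one" service = exec { priv-lvl = 15 } }
user = two { login = cleartext "two" service = exec { priv-lvl = 15 } }
user = three { default service = permit login = cleartext "three" }
user = four { default service = permit login = cleartext "four" service = exec { priv-lvl = 7 } }
"""


def parse_users(conf):
    """Return {name: {"priv_lvl": int or None, "default_permit": bool}}."""
    users, pos = {}, 0
    while True:
        m = re.search(r'user\s*=\s*(\S+)\s*\{', conf[pos:])
        if not m:
            return users
        start = pos + m.end()
        # Walk to the brace that closes this user block (service = exec { } nests one level).
        depth, i = 1, start
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        body = conf[start:i - 1]
        lvl = re.search(r'priv-lvl\s*=\s*(\d+)', body)
        users[m.group(1)] = {
            "priv_lvl": int(lvl.group(1)) if lvl else None,
            "default_permit": bool(re.search(r'default\s+service\s*=\s*permit', body)),
        }
        pos = i


def requested_level(url):
    """Privilege level the HTTP URL asks for; a bare http://host/ is taken as level 15 (assumption)."""
    m = re.search(r'/level/(\d+)/', url)
    return int(m.group(1)) if m else 15


def web_authorized(user, url):
    """Web authorization passes only when the profile carries a priv-lvl high enough for the URL."""
    return user["priv_lvl"] is not None and user["priv_lvl"] >= requested_level(url)


def exec_level(user):
    """Privilege level after Telnet login: the profile's priv-lvl, or 1 when none is set."""
    return user["priv_lvl"] if user["priv_lvl"] is not None else 1


def commands_permitted(user):
    """With command authorization on, unlisted commands succeed only under default service = permit."""
    return user["default_permit"]
```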
```
# ./ViewProfile -p 9900 -u one
User Profile Information
user = one{
profile_id = 27
profile_cycle = 1
password = clear "********"
default service=permit
service=shell {
set priv-lvl=15
}
}

# ./ViewProfile -p 9900 -u two
User Profile Information
user = two{
profile_id = 28
profile_cycle = 1
password = clear "********"
service=shell {
set priv-lvl=15
}
}

# ./ViewProfile -p 9900 -u three
User Profile Information
user = three{
profile_id = 29
profile_cycle = 1
password = clear "********"
default service=permit
}

# ./ViewProfile -p 9900 -u four
User Profile Information
user = four{
profile_id = 30
profile_cycle = 1
password = clear "********"
default service=permit
service=shell {
set priv-lvl=7
}
}
```
User One in Group One
Group Settings
Check shell (exec).
Check privilege level=15.
Check Default (Undefined) Services.
Note: If this option does not appear, go to Interface Configuration and select TACACS+ and then Advanced Configuration Options. Choose Display enable default (undefined) service configuration.
User Settings
Password from whichever database; enter password and confirm in top area.
User Two in Group Two
Group Settings
Check shell (exec).
Check privilege level=15.
Do not check Default (Undefined) Services.
User Settings
Password from whichever database; enter password and confirm in top area.
User Three in Group Three
Group Settings
Check shell (exec).
Leave privilege level blank.
Check Default (Undefined) Services.
Note: If this option does not appear, go to Interface Configuration and select TACACS+ and then Advanced Configuration Options. Choose Display enable default (undefined) service configuration.
User Settings
Password from whichever database; enter password and confirm in top area.
User Four in Group Four
Group Settings
Check shell (exec).
Check privilege level=7.
Check Default (Undefined) Services.
Note: If this option does not appear, go to Interface Configuration and select TACACS+ and then Advanced Configuration Options. Choose Display enable default (undefined) service configuration.
User Settings
Password from whichever database; enter password and confirm in top area.
Authentication with Cisco IOS Software Release 11.2

```
aaa new-model
aaa authentication login default radius
aaa authorization exec radius
ip http server
ip http authentication aaa
!
!--- Example of command moved from level 15 (enable) to level 7
!
privilege exec level 7 clear line
radius-server host 171.68.118.101
radius-server key cisco
```
Authentication with Cisco IOS Software Releases 11.3.3.T to 12.0.5.T

```
aaa new-model
aaa authentication login default radius
aaa authorization exec default radius
ip http server
ip http authentication aaa
radius-server host 171.68.118.101 auth-port 1645 acct-port 1646
radius-server key cisco
privilege exec level 7 clear line
```
Authentication with Cisco IOS Software Releases 12.0.5.T and Later

```
aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius
ip http server
ip http authentication aaa
radius-server host 171.68.118.101 auth-port 1645 acct-port 1646
radius-server key cisco
privilege exec level 7 clear line
```
The following results apply to the users in the server configurations below.
User One
User will pass web authorization if URL is entered as http://#.#.#.#.
After Telnet to the router, user can perform all commands after login authentication.
User will be in enable mode after login (show privilege will be 15).
User Three
User will fail web authorization due to not having a privilege level.
After Telnet to the router, user can perform all commands after login authentication.
User will be in non-enable mode after login (show privilege will be 1).
User Four
User will pass web authorization if URL is entered as http://#.#.#.#/level/7/exec.
Level 1 commands plus the level 7 clear line command will appear.
After Telnet to the router, user can perform all commands after login authentication.
User will be at privilege level 7 after login (show privilege will be 7).
```
one Password= "one"
    Service-Type = Shell-User
    cisco-avpair = "shell:priv-lvl=15"

three Password = "three"
    Service-Type = Login-User

four Password= "four"
    Service-Type = Login-User
    cisco-avpair = "shell:priv-lvl=7"
```
```
# ./ViewProfile -p 9900 -u one
User Profile Information
user = one{
profile_id = 31
set server current-failed-logins = 0
profile_cycle = 3
radius=Cisco {
check_items= {
2="one"
}
reply_attributes= {
6=6
}
}
}

# ./ViewProfile -p 9900 -u three
User Profile Information
user = three{
profile_id = 32
set server current-failed-logins = 0
profile_cycle = 3
radius=Cisco {
check_items= {
2="three"
}
reply_attributes= {
6=1
}
}
}

# ./ViewProfile -p 9900 -u four
User Profile Information
user = four{
profile_id = 33
profile_cycle = 1
radius=Cisco {
check_items= {
2="four"
}
reply_attributes= {
6=1
9,1="shell:priv-lvl=7"
}
}
}
```
User = one, service type (attribute 6) = administrative
User = three, service type (attribute 6) = login
User = four, service type (attribute 6) = login; check the Cisco AV-pairs box and enter shell:priv-lvl=7
There is currently no verification procedure available for this configuration.
This section provides information you can use to troubleshoot your configuration.
The following commands are useful for debugging HTTP authentication. They are issued on the router.
Note: Before issuing debug commands, please see Important Information on Debug Commands.
terminal monitor - Displays debug command output and system error messages for the current terminal and session.
debug aaa authentication - Displays information on AAA/TACACS+ authentication.
debug aaa authorization - Displays information on AAA/TACACS+ authorization.
debug radius - Displays detailed debugging information associated with RADIUS.
debug tacacs - Displays information associated with TACACS.
debug ip http authentication - Use this command to troubleshoot HTTP authentication problems. Displays the authentication method the router attempted and authentication-specific status messages.
Revision | Publish Date | Comments
---|---|---
1.0 | 14-May-2009 | Initial Release