http authentication against radius

 
 
r.l.
11-18-2007
hello

I am trying to make some catalyst switches talk to the Radius server
available in MS Windows 2003; called the Internet Authentication
Service (IAS).

At the command line login to the switch it works perfectly. Via http
to the switch, I get from the IOS debugging, "Authorization Rejected"

Switch is a 2950 model running ios 12.1 (19) EA1c. The config is

aaa new-model
aaa authentication login myAuthListName group radius local

ip radius source-interface Vlan1
radius-server host 192.168.61.158 auth-port 1645 acct-port 1646 key mysecret
line vty 0 15
login authentication myAuthListName
authorization exec myAuthListName

ip http authentication aaa

In this article
http://www.cisco.com/en/US/tech/tk59...8069bdc5.shtml
it notes the differing config for versions of the subsystem http server.
I have verified that the IOS is running version 1.000.001 which the
document states uses the line config as the basis for finding the auth
source for http auth.

Again, from that article I use the following debugging:

debug ip tcp transactions
debug modem
debug ip http authentication
debug aaa authentication
debug aaa authorization
debug radius

All that is reported is that everything succeeds talking to the radius
server and so on until the messages "HTTP Authentication failed", "HTTP
Authorization Rejected". I cannot make the debugging any more verbose
in this respect.

I have tried removing the "authorization exec ..." from the line config.

I have tried the auth with 4 browsers on two platforms: IE 6, current
Firefox (WinXP), current Safari, current Firefox (Mac OS X). Behaviour
is the same in all cases. There is no proxy in the path from browser
to switch.

I am wondering whether the connection requirements section of the IAS
server (Membership of a Windows group), or the Service-Type attribute
(6 - "login") is relevant and needs an addition or change. Though as I
say the command line version works fine.

I would be very grateful for any assistance.

thank you.

rolf.


 
 
 
 
 
Merv
11-18-2007
On Nov 18, 7:27 am, r.l. <(E-Mail Removed)> wrote:
> hello
>
> I am trying to make some catalyst switches talk to the Radius server
> available in MS Windows 2003; called the Internet Authentication
> Service (IAS).
>
> At the command line login to the switch it works perfectly. Via http
> to the switch, I get from the IOS debugging, "Authorization Rejected"
>
> Switch is a 2950 model running ios 12.1 (19) EA1c. The config is



Do not know the cause of your current issue.

Just wanted to mention that it looks like Cisco has yanked support for
the image you are using.

It looks like the latest image is 12.1(22)EA10a


 
 
 
 
 
Thrill5
11-18-2007
Authentication is working fine, authorization is failing. Get rid of the
command "authorization exec myAuthListName" from the vty configuration.


"r.l." <(E-Mail Removed)> wrote in message
news:2007111823270616807-rl@sestasgovau...
> hello
>
> I am trying to make some catalyst switches talk to the Radius server
> available in MS Windows 2003; called the Internet Authentication Service
> (IAS).
>
> At the command line login to the switch it works perfectly. Via http to
> the switch, I get from the IOS debugging, "Authorization Rejected"
>
> Switch is a 2950 model running ios 12.1 (19) EA1c. The config is
>
> aaa new-model
> aaa authentication login myAuthListName group radius local
>
> ip radius source-interface Vlan1
> radius-server host 192.168.61.158 auth-port 1645 acct-port 1646 key
> mysecret
> line vty 0 15
> login authentication myAuthListName
> authorization exec myAuthListName
>
> ip http authentication aaa
>
> in this article
> http://www.cisco.com/en/US/tech/tk59...8069bdc5.shtml
> it
> notes the differing config for versions of the subsystem http server. I
> have verified that the IOS is running version 1.000.001 which the document
> states uses the line config as the basis for finding the auth source for
> http auth.
>
> Again, from that article I use the following debugging:
>
> debug ip tcp transactions
> debug modem
> debug ip http authentication
> debug aaa authentication
> debug aaa authorization
> debug radius
>
> All that is reported is that everything succeeds talking to the radius
> server and so on until the messages "HTTP Authentication failed", "HTTP
> Authorization Rejected". I cannot make the debugging any more verbose in
> this respect.
>
> I have tried removing the "authorization exec ..." from the line config.
>
> I have tried the auth with 4 browsers on two platforms: IE 6, current
> Firefox (WinXP), current Safari, current Firefox (Mac OS X). Behaviour is
> the same in all cases. There is no proxy in the path from browser to
> switch.
>
> I am wondering whether the connection requirements section of the IAS
> server (Membership of a Windows group), or the Service-Type attribute (6 -
> "login") is relevant and needs an addition or change. Though as I say the
> command line version works fine.
>
> I would be very grateful for any assistance.
>
> thank you.
>
> rolf.
>
>
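
Added example (not part of any post in this thread): a small Python check of the posted config, relying on the IOS convention that a list name used under a line must be defined by the matching global `aaa authentication login` or `aaa authorization exec` command. On the posted config it reports that `authorization exec myAuthListName` names a list that exists only for authentication, which is consistent with the reply's point that authorization, not authentication, is what fails. The function names are hypothetical.

```python
import re

# Switch configuration exactly as posted in the thread.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login myAuthListName group radius local
ip radius source-interface Vlan1
radius-server host 192.168.61.158 auth-port 1645 acct-port 1646 key mysecret
line vty 0 15
login authentication myAuthListName
authorization exec myAuthListName
ip http authentication aaa
"""

# Line-mode command -> global command that defines the method list it names.
LINE_REFS = {
    "login authentication": "aaa authentication login",
    "authorization exec": "aaa authorization exec",
}

def defined_lists(config):
    """Collect the method-list names defined by each global aaa command."""
    defined = {glob: set() for glob in LINE_REFS.values()}
    for raw in config.splitlines():
        line = raw.strip()
        for glob in defined:
            m = re.match(re.escape(glob) + r"\s+(\S+)\s+\S+", line)
            if m:
                defined[glob].add(m.group(1))
    return defined

def undefined_references(config):
    """Return (line block, command, list name) for references to undefined lists."""
    defined = defined_lists(config)
    findings, block = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            block = line  # e.g. "line vty 0 15"; stays current until the next header
        for cmd, glob in LINE_REFS.items():
            m = re.match(re.escape(cmd) + r"\s+(\S+)$", line)
            if block and m and m.group(1) not in defined[glob]:
                findings.append((block, cmd, m.group(1)))
    return findings

if __name__ == "__main__":
    for block, cmd, name in undefined_references(POSTED_CONFIG):
        print(f"{block}: '{cmd} {name}' has no '{LINE_REFS[cmd]} {name} ...' definition")
```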



 