Re: http authentication against radius

 
 
r.l.
      11-19-2007
hello

I have removed that line from the vty config and it makes no difference.

r.


> Authentication is working fine, authorization is failing. Get rid of the
> command "authorization exec myAuthListName" from the vty configuration.
>
>> > hello
>> > I am trying to make some catalyst switches talk to the Radius server
>> > available in MS Windows 2003; called the Internet Authentication
>> > Service (IAS).
>> > At the command line login to the switch it works perfectly. Via http
>> > to the switch, I get from the IOS debugging, "Authorization Rejected"
>> > Switch is a 2950 model running ios 12.1 (19) EA1c. The config is
>> > aaa new-model
>> > aaa authentication login myAuthListName group radius local
>> > ip radius source-interface Vlan1
>> > radius-server host 192.168.61.158 auth-port 1645 acct-port 1646 key mysecret
>> > line vty 0 15
>> > login authentication myAuthListName
>> > authorization exec myAuthListName
>> > ip http authentication aaa
>> > in this article
>> > http://www.cisco.com/en/US/tech/tk59...note09186a0080...
>> > it notes the differing config for versions of the subsystem http
>> > server. I have verified that the IOS is running version 1.000.001
>> > which the document states uses the line config as the basis for
>> > finding the auth source for http auth.
>> > Again, from that article I use the following debugging:
>> > debug ip tcp transactions
>> > debug modem
>> > debug ip http authentication
>> > debug aaa authentication
>> > debug aaa authorization
>> > debug radius
>> > All that is reported is that everything succeeds talking to the
>> > radius server and so on until the messages "HTTP Authentication
>> > failed", "HTTP Authorization Rejected". I cannot make the debugging
>> > any more verbose in this respect.
>> > I have tried removing the "authorization exec ..." from the line config.
>> > I have tried the auth with 4 browsers on two platforms: IE 6, current
>> > firefox (WinXP), current Safari, current Firefox (Mac OS X).
>> > Behaviour is the same in all cases. There is no proxy in the path
>> > from browser to switch.
>> > I am wondering whether the connection requirements section of the IAS
>> > server (Membership of a Windows group), or the Service-Type
>> > attribute (6 - "login") is relevant and needs an addition or change.
>> > Though as I say the command line version works fine.
>> > I would be very grateful for any assistance.
>> > thank you.
>> > rolf.


 
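A consistency check over the configuration quoted in the post above, as an added example that is not part of the original thread: it reports named AAA method lists that a line references but that no global `aaa` command defines. As posted, the config defines `myAuthListName` only for `aaa authentication login`; the function name and the one-command-per-line sample layout are assumptions of this example.

```python
import re

# Constructed sample: the configuration as posted in the thread, one command per line.
POSTED_CONFIG = """\
aaa new-model
aaa authentication login myAuthListName group radius local
ip radius source-interface Vlan1
radius-server host 192.168.61.158 auth-port 1645 acct-port 1646 key mysecret
line vty 0 15
 login authentication myAuthListName
 authorization exec myAuthListName
ip http authentication aaa
"""

# Global definitions: "aaa authentication login <list> <methods>" and
# "aaa authorization exec <list> <methods>".
DEFINE = re.compile(r"^aaa (authentication|authorization) (?:login|exec) (\S+)\s+\S")
# Line-mode references: "login authentication <list>" and "authorization exec <list>".
REFERENCE = re.compile(r"^(?:login (authentication)|(authorization) exec) (\S+)$")


def audit_method_lists(config):
    """Return (line_context, kind, list_name) for each named list used but never defined."""
    defined, used, context = set(), [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and IOS comment separators
        if line.startswith("line "):
            context = line  # remember which line block the references belong to
        m = DEFINE.match(line)
        if m:
            defined.add((m.group(1), m.group(2)))
            continue
        m = REFERENCE.match(line)
        if m and context:
            used.append((context, m.group(1) or m.group(2), m.group(3)))
    # The implicit "default" list is not a named list, so it is never reported.
    return [u for u in used if u[2] != "default" and (u[1], u[2]) not in defined]


if __name__ == "__main__":
    for ctx, kind, name in audit_method_lists(POSTED_CONFIG):
        print(f"{ctx}: {kind} list '{name}' is referenced but not defined")
```

The finding covers only the lines visible in the post; a definition elsewhere in the running configuration would clear it.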
 
 
 
 
Aaron Leonard
      11-19-2007
Get some debugs from your attempt to access the HTTP server when
using IAS RADIUS for authentication/authorization:

debug ip tcp transactions
debug modem
debug ip http authentication
debug aaa authentication
debug aaa authorization
debug radius

Aaron


 