http authentication against radius

Discussion in 'Cisco' started by r.l., Nov 18, 2007.

  1. r.l.

    r.l. Guest

    hello

    I am trying to make some catalyst switches talk to the Radius server
    available in MS Windows 2003; called the Internet Authentication
    Service (IAS).

    At the command line login to the switch it works perfectly. Via http
    to the switch, I get from the IOS debugging, "Authorization Rejected"

    Switch is a 2950 model running ios 12.1 (19) EA1c. The config is

    aaa new-model
    aaa authentication login myAuthListName group radius local

    ip radius source-interface Vlan1
    radius-server host 192.168.61.158 auth-port 1645 acct-port 1646 key mysecret
    line vty 0 15
    login authentication myAuthListName
    authorization exec myAuthListName

    ip http authentication aaa

    In this article
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
    it notes the differing config for versions of the subsystem http server.
    I have verified that the IOS is running version 1.000.001 which the
    document states uses the line config as the basis for finding the auth
    source for http auth.

    Again, from that article I use the following debugging:

    debug ip tcp transactions
    debug modem
    debug ip http authentication
    debug aaa authentication
    debug aaa authorization
    debug radius

    All that is reported is that everything succeeds talking to the radius
    server and so on until the messages "HTTP Authentication failed", "HTTP
    Authorization Rejected". I cannot make the debugging any more verbose
    in this respect.

    I have tried removing the "authorization exec ..." from the line config.

    I have tried the auth with 4 browsers on two platforms: IE 6, current
    Firefox (WinXP), current Safari, current Firefox (Mac OS X). Behaviour
    is the same in all cases. There is no proxy in the path from browser
    to switch.

    I am wondering whether the connection requirements section of the IAS
    server (Membership of a Windows group), or the Service-Type attribute
    (6 - "login") is relevant and needs an addition or change. Though as I
    say the command line version works fine.

    I would be very grateful for any assistance.

    thank you.

    rolf.
     
    r.l., Nov 18, 2007
    #1

  2. Merv

    Merv Guest

    On Nov 18, 7:27 am, r.l. <> wrote:
    > hello
    >
    > I am trying to make some catalyst switches talk to the Radius server
    > available in MS Windows 2003; called the Internet Authentication
    > Service (IAS).
    >
    > At the command line login to the switch it works perfectly. Via http
    > to the switch, I get from the IOS debugging, "Authorization Rejected"
    >
    > Switch is a 2950 model running ios 12.1 (19) EA1c. The config is



    Do not know the cause of your current issue.

    Just wanted to mention that it looks like Cisco has yanked support for
    the image you are using.

    It looks like the latest image is 12.1(22)EA10a
     
    Merv, Nov 18, 2007
    #2

  3. Thrill5

    Thrill5 Guest

    Authentication is working fine, authorization is failing. Get rid of the
    command "authorization exec myAuthListName" from the vty configuration.


    "r.l." <> wrote in message
    news:2007111823270616807-rl@sestasgovau...
    > hello
    >
    > I am trying to make some catalyst switches talk to the Radius server
    > available in MS Windows 2003; called the Internet Authentication Service
    > (IAS).
    >
    > At the command line login to the switch it works perfectly. Via http to
    > the switch, I get from the IOS debugging, "Authorization Rejected"
    >
    > Switch is a 2950 model running ios 12.1 (19) EA1c. The config is
    >
    > aaa new-model
    > aaa authentication login myAuthListName group radius local
    >
    > ip radius source-interface Vlan1
    > radius-server host 192.168.61.158 auth-port 1645 acct-port 1646 key
    > mysecret
    > line vty 0 15
    > login authentication myAuthListName
    > authorization exec myAuthListName
    >
    > ip http authentication aaa
    >
    > in this article
    > http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
    > it
    > notes the differing config for versions of the subsystem http server. I
    > have verified that the IOS is running version 1.000.001 which the document
    > states uses the line config as the basis for finding the auth source for
    > http auth.
    >
    > Again, from that article I use the following debugging:
    >
    > debug ip tcp transactions
    > debug modem
    > debug ip http authentication
    > debug aaa authentication
    > debug aaa authorization
    > debug radius
    >
    > All that is reported is that everything succeeds talking to the radius
    > server and so on until the messages "HTTP Authentication failed", "HTTP
    > Authorization Rejected". I cannot make the debugging any more verbose in
    > this respect.
    >
    > I have tried removing the "authorization exec ..." from the line config.
    >
    > I have tried the auth with 4 browsers on two platforms: IE 6, current
    > Firefox (WinXP), current Safari, current Firefox (Mac OS X). Behaviour is
    > the same in all cases. There is no proxy in the path from browser to
    > switch.
    >
    > I am wondering whether the connection requirements section of the IAS
    > server (Membership of a Windows group), or the Service-Type attribute (6 -
    > "login") is relevant and needs an addition or change. Though as I say the
    > command line version works fine.
    >
    > I would be very grateful for any assistance.
    >
    > thank you.
    >
    > rolf.
    >
    >
     
    Thrill5, Nov 18, 2007
    #3
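
A configuration check related to the thread, added here and not written by any poster: it flags line-level references to named AAA method lists that have no matching global `aaa ...` definition. In the posted config, `authorization exec myAuthListName` has no `aaa authorization exec myAuthListName` line; whether that explains the HTTP rejection is not established in the thread. The function name and the parsing approach are assumptions of this example.

```python
import re

# Constructed sample: the configuration as quoted in the thread.
THREAD_CONFIG = """\
aaa new-model
aaa authentication login myAuthListName group radius local
ip radius source-interface Vlan1
radius-server host 192.168.61.158 auth-port 1645 acct-port 1646 key mysecret
line vty 0 15
login authentication myAuthListName
authorization exec myAuthListName
ip http authentication aaa
"""

# Global definition, e.g. "aaa authorization exec <list> group radius local"
DEFINE = re.compile(r"^aaa (authentication login|authorization exec) (\S+)")
# Line-level reference, e.g. "authorization exec <list>" under "line vty 0 15"
REFER = re.compile(r"^(login authentication|authorization exec) (\S+)")
KIND = {"login authentication": "authentication login",
        "authorization exec": "authorization exec"}


def undefined_method_lists(config):
    """Return (line, kind, list_name) for each line-level reference to a
    named method list that has no matching global 'aaa ...' definition."""
    defined, refs, context = set(), [], None
    for raw in config.splitlines():
        text = " ".join(raw.split())  # collapse indentation and spacing
        if not text or text.startswith("!"):
            continue
        define, refer = DEFINE.match(text), REFER.match(text)
        if define:
            defined.add((define.group(1), define.group(2)))
        elif text.startswith("line "):
            context = text
        elif refer and context:
            refs.append((context, KIND[refer.group(1)], refer.group(2)))
        elif not raw[:1].isspace():
            context = None  # any other global command ends the line block
    # "default" is skipped: this check only covers named lists.
    return [r for r in refs if r[2] != "default" and (r[1], r[2]) not in defined]


if __name__ == "__main__":
    for line, kind, name in undefined_method_lists(THREAD_CONFIG):
        print(f"{line}: '{kind} {name}' has no 'aaa {kind} {name}' definition")
```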
