ip http authentication local

Discussion in 'Cisco' started by tony, Sep 8, 2006.

  1. tony

    tony Guest

    I tried to log in via the web interface using a locally defined user but cannot log
    in. I can, however, telnet in with that username.

    Why can I not log in via HTTP with the username I created?
    tony, Sep 8, 2006
    #1

  2. tony

    Merv Guest

    Did you enable aaa?



    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    username cisco secret cisco
    ip http server
    ip http authentication local



    Post show version and config.
    Merv, Sep 8, 2006
    #2

  3. In article <eds91e$3tb$>, tony <> wrote:
    >I tried to log in via the web interface using a locally defined user but cannot log
    >in. I can, however, telnet in with that username.

    >Why can I not log in via HTTP with the username I created?


    Which device, which software release?
    Walter Roberson, Sep 8, 2006
    #3
  4. tony

    tony Guest

    I have to enable aaa? I am using local users. Shown below is the config. It's
    a layer 2 network. Is the config below sufficient? Please comment.

    Thanks

    #sh ver
    Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M),
    Version 12.2(25)EWA6, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Fri 02-Jun-06 15:20 by ssearch
    Image text-base: 0x10000000, data-base: 0x114ED458

    ROM: 12.2(20r)EW1
    Dagobah Revision 226, Swamp Revision 34

    edu-barnum-c4506 uptime is 1 day, 54 minutes
    System returned to ROM by reload
    System restarted at 10:29:39 UTC Thu Sep 7 2006
    System image file is "bootflash:"

    cisco WS-C4506 (MPC8245) processor (revision 10) with 262144K bytes of
    memory.
    Processor board ID FOX1021013E
    MPC8245 CPU at 266Mhz, Supervisor II+
    Last reset from Reload
    1 Virtual Ethernet interface
    146 Gigabit Ethernet interfaces
    511K bytes of non-volatile configuration memory.

    Configuration register is 0x2101
    --------------------------------------------------------------------------------------------
    #sh config
    Using 1767 out of 524280 bytes, uncompressed size = 5796 bytes
    Uncompressed configuration from 1767 bytes to 5796 bytes
    !
    ! Last configuration change at 10:21:53 UTC Fri Sep 8 2006
    ! NVRAM config last updated at 10:22:27 UTC Fri Sep 8 2006
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log datetime
    service password-encryption
    service compress-config
    service sequence-numbers
    !
    hostname c4506
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
    !
    username admin secret 5 xxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    clock timezone UTC -8
    clock summer-time UTC recurring
    vtp domain ''
    vtp mode transparent
    ip subnet-zero
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    power redundancy-mode redundant
    !
    !
    !
    vlan internal allocation policy ascending
    !
    interface GigabitEthernet1/1
    !
    interface GigabitEthernet1/2
    !
    interface GigabitEthernet2/1
    ..
    ..
    ..
    ..
    ..
    interface GigabitEthernet4/47
    !
    interface GigabitEthernet4/48
    !
    interface Vlan1
    ip address dhcp
    !
    ip http server
    ip http access-class 1
    !
    !
    access-list 1 permit x.x.x.x
    !
    !
    !
    line con 0
    password 7 0020180C544C240C04
    login
    stopbits 1
    line vty 0 1
    access-class 1 in
    password 7 15011E1F017B7977
    login local
    line vty 2 4
    no login
    !
    ntp clock-period 17179383
    ntp server x.x.x.x key 0 prefer
    ntp server y.y.y.y key 0
    ntp server z.z.z.z key 0
    !
    end


    "Merv" <> wrote in message
    news:...
    >
    > Did you enable aaa?
    >
    >
    >
    > aaa new-model
    > aaa authentication login default local
    > aaa authorization exec default local
    > username cisco secret cisco
    > ip http server
    > ip http authentication local
    >
    >
    >
    > Post show version and config.
    >
    tony, Sep 8, 2006
    #4
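An added example, not code from the thread or from Cisco: a small Python check run over a constructed config modelled on the one posted in #4 (secrets replaced with placeholders, sub-commands indented as IOS prints them). It flags that `ip http server` with no `ip http authentication` line uses the IOS default method, the enable password, and that `line vty 2 4` with `no login` accepts sessions without authentication and carries no `access-class`. The check names are invented for this example.

```python
# Constructed sample modelled on the posted config; secrets are placeholders.
SAMPLE = """\
username admin secret 5 <redacted>
no aaa new-model
ip http server
ip http access-class 1
line con 0
 password 7 <redacted>
 login
line vty 0 1
 access-class 1 in
 password 7 <redacted>
 login local
line vty 2 4
 no login
"""

def audit(config):
    """Return sorted (check, location) findings for an IOS-style config."""
    findings, blocks, section = set(), {"global": []}, "global"
    for raw in config.splitlines():
        if raw and not raw[0].isspace():      # unindented line opens a section
            section = raw.strip()
            blocks.setdefault(section, [])
        elif raw.strip():                     # indented line belongs to it
            blocks[section].append(raw.strip())
    if "ip http server" in blocks:
        auth = [k.split()[3] for k in blocks if k.startswith("ip http authentication ")]
        method = auth[0] if auth else "enable"   # IOS default when no method is set
        if method == "enable":                   # local usernames are not consulted
            findings.add(("http-uses-enable-password", "global"))
        if "ip http secure-server" not in blocks:  # credentials cross the wire in clear
            findings.add(("http-cleartext", "global"))
    for name, body in blocks.items():
        if not name.startswith("line "):
            continue
        if "no login" in body:                   # line accepts sessions with no password
            findings.add(("line-no-authentication", name))
        if name.startswith("line vty") and not any(
                b.startswith("access-class ") and b.endswith(" in") for b in body):
            findings.add(("vty-no-access-class", name))
        if any(b.startswith("password 7 ") for b in body):  # reversible encoding
            findings.add(("type7-password", name))
    return sorted(findings)

if __name__ == "__main__":
    for check, where in audit(SAMPLE):
        print(f"{check:28} {where}")
```
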
  5. tony

    Merv Guest

    Merv, Sep 8, 2006
    #5
  6. tony

    tony Guest

    The only problem with this is the user I am using gets privilege 15 on both
    telnet and HTTP, not just HTTP.


    "Merv" <> wrote in message
    news:...
    >
    > tony wrote:
    >> I have to enable aaa? I am using local users. Shown below is the config.
    >> It's a layer 2 network. Is the config below sufficient? Please comment.

    >
    > You MUST enable aaa.
    >
    > see
    >
    > http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K34241203
    >
    tony, Sep 8, 2006
    #6
  7. tony

    Merv Guest

    Try username <> privilege <level> secret <>
    Merv, Sep 8, 2006
    #7
  8. tony

    Merv Guest

    What is the end goal that you are trying to achieve?
    Merv, Sep 8, 2006
    #8
  9. tony

    tony Guest

    I don't want any user to be able to telnet in and get privilege
    15.
    At the same time I want users to be able to authenticate to get HTTP access.
    Any user that telnets in should only get privilege 1. Enable password to get
    to 15.

    Does it make sense?

    Thanks
    "Merv" <> wrote in message
    news:...
    > What is the end goal that you are trying to achieve?
    >
    tony, Sep 9, 2006
    #9
  10. tony

    BernieM Guest


    > "Merv" <> wrote in message
    > news:...
    >>
    >> tony wrote:
    >>> I have to enable aaa? I am using local users. Shown below is the config.
    >>> It's a layer 2 network. Is the config below sufficient? Please comment.

    >>
    >> You MUST enable aaa.
    >>
    >> see
    >>
    >> http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K34241203
    >>

    >


    "tony" <> wrote in message
    news:edsojs$itg$...
    > The only problem with this is the user I am using gets privilege 15 on
    > both telnet and HTTP, not just HTTP.
    >
    >


    What difference does it make if they also have privilege level 15 on telnet
    if they have it on http? The http interface allows you to run any command.

    BernieM
    BernieM, Sep 9, 2006
    #10
  11. tony

    Brian V Guest

    "Merv" <> wrote in message
    news:...
    >
    > tony wrote:
    >> I have to enable aaa? I am using local users. Shown below is the config.
    >> It's a layer 2 network. Is the config below sufficient? Please comment.

    >
    > You MUST enable aaa.
    >
    > see
    >
    > http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K34241203
    >


    No need for aaa when using local:
    "ip http authentication local"

    -Brian
    Brian V, Sep 9, 2006
    #11
  12. tony

    Merv Guest

    Then I would configure each username with privilege level 1 in the
    username command.
    Merv, Sep 9, 2006
    #12
  13. tony

    tony Guest

    Is it possible to limit or prevent which user can run the enable command?

    "Merv" <> wrote in message
    news:...
    > Then I would configure each username with privilege level 1 in the
    > username command.
    >
    tony, Sep 11, 2006
    #13
  14. tony

    BernieM Guest

    "tony" <> wrote in message
    news:ee4ia8$t1i$...
    >
    > Is it possible to limit or prevent which user can run the enable command?
    >
    > "Merv" <> wrote in message
    > news:...
    >> Then I would configure each username with privilege level 1 in the
    >> username command.
    >>

    >
    >


    Yes, don't give the enable password to people you don't want going to enable
    mode.
    BernieM, Sep 12, 2006
    #14
  15. tony

    Merv Guest

    Merv, Sep 12, 2006
    #15