Re: http authentication against radius

Discussion in 'Cisco' started by r.l., Nov 19, 2007.

  1. r.l.

    r.l. Guest

    hello

    I have removed that line from the vty config and it makes no difference.

    r.


    > Authentication is working fine, authorization is failing.  Get rid of the
    > command "authorization exec myAuthListName" from the vty configuration.
    >
    >> > hello
    >> > I am trying to make some catalyst switches talk to the Radius server
    >> > available in MS Windows 2003; called the Internet Authentication
    >> > Service (IAS).
    >> > At the command line login to the switch it works perfectly.  Via http
    >> > to the switch, I get from the IOS debugging,  "Authorization
    >> > Rejected"
    >> > Switch is a 2950 model running ios 12.1 (19) EA1c.  The config is
    >> > aaa new-model
    >> > aaa authentication login myAuthListName group radius local
    >> > ip radius source-interface Vlan1
    >> > radius-server host 192.168.61.158 auth-port 1645 acct-port 1646 key mysecret
    >> > line vty 0 15
    >> > login authentication myAuthListName
    >> > authorization exec myAuthListName
    >> > ip http authentication aaa
    >> > in this article
    >> > http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080...
    >> > it notes the differing config for versions of the subsystem http
    >> > server.  I have verified that the IOS is running version 1.000.001
    >> > which the document states uses the line config as the basis for
    >> > finding the auth source for http auth.
    >> > Again, from that article I use the following debugging:
    >> > debug ip tcp transactions
    >> > debug modem
    >> > debug ip http authentication
    >> > debug aaa authentication
    >> > debug aaa authorization
    >> > debug radius
    >> > All that is reported is that everything succeeds talking to the
    >> > radius server and so on until the messages "HTTP Authentication
    >> > failed", "HTTP Authorization Rejected".  I cannot make the debugging
    >> > any more verbose in this respect.
    >> > I have tried removing the "authorization exec ..." from the line config.
    >> > I have tried the auth with 4 browsers on two platforms: IE 6, current
    >> > firefox (WinXP), current Safari, current Firefox (Mac OS X).
    >> > Behaviour is the same in all cases.  There is no proxy in the path
    >> > from browser to switch.
    >> > I am wondering whether the connection requirements section of the IAS
    >> > server (Membership of a Windows group), or the Service-Type
    >> > attribute (6 - "login") is relevant and needs an addition or change.
    >> > Though as I say the command line version works fine.
    >> > I would be very grateful for any assistance.
    >> > thank you.
    >> > rolf.
     
    r.l., Nov 19, 2007
    #1

  2. Get some debugs from your attempt to access the HTTP server when
    using IAS RADIUS for authentication/authorization:

    debug ip tcp transactions
    debug modem
    debug ip http authentication
    debug aaa authentication
    debug aaa authorization
    debug radius

    Aaron

     
    Aaron Leonard, Nov 19, 2007
    #2
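Added example, not code from the thread or from Cisco: a minimal Python model of the RADIUS exchange the switch has with the IAS server (RFC 2865 PAP Access-Request and Access-Accept), using the shared secret from the posted config; the username, password, request authenticator and Service-Type value are constructed. It shows the Response Authenticator check a NAS performs before trusting a reply (a reply that does not verify under the shared secret is dropped, whether forged or sent by a mis-keyed server) and how the Service-Type attribute the poster asks about is carried and decoded.

```python
import hashlib
import struct

SECRET = b"mysecret"            # shared secret from the posted radius-server line
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6   # RFC 2865 attribute types

def pap_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def attrs(pairs) -> bytes:
    """Encode (type, value) pairs as TLVs; length covers type and length bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def access_request(ident: int, user: bytes, password: bytes, req_auth: bytes) -> bytes:
    """What the switch sends: code 1, id, length, 16-byte Request Authenticator, attributes."""
    body = attrs([(USER_NAME, user), (USER_PASSWORD, pap_password(password, SECRET, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def access_accept(ident: int, req_auth: bytes, service_type: int) -> bytes:
    """What the server sends back: Response Authenticator =
    MD5(code + id + length + RequestAuth + attributes + secret)."""
    body = attrs([(SERVICE_TYPE, struct.pack("!I", service_type))])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + SECRET).digest() + body

def parse_attrs(packet: bytes) -> dict:
    out, i = {}, 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        out[t] = packet[i + 2:i + length]
        i += length
    return out

def verify_response(reply: bytes, req_auth: bytes) -> bool:
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + SECRET).digest()
    return reply[4:20] == expected

def check_reply(reply: bytes, req_auth: bytes):
    """NAS-side check: None if the authenticator does not verify,
    else (code, Service-Type) so the caller can act on the authorization result."""
    if not verify_response(reply, req_auth):
        return None
    st = parse_attrs(reply).get(SERVICE_TYPE)
    return reply[0], (struct.unpack("!I", st)[0] if st else None)
```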