Aaa authentication for https access

I have several Catalyst 3750 switches that I'm running Tacacs on. I set the switch up to be an http server so that some of our admins could administer the switches through the web gui. Is it possible to login to the web console via your Tacacs login (in our case, our Windows username/password)? I found the "ip http authentication aaa" command but this doesn't seem to do it. I just don't want to share the local passwords if I don't have to.
Thanks in advance,
Eric

My experience of the web interface is that it uses the local password on the device and not the aaa authentication IDs and passwords.
HTH
Rick

Similar Messages

AAA authentication for IDS access?

I've been implementing a new SSM-20 I haven't found anything that indicates we can use RADIUS to authenticate users logging into the GUI or telnet/ssh. Am I missing something here?

You expectations are quite reasonable but regretably, Cisco ONLY supports local authentication on the IPS Sensor platform (4200 series, CIDS, IDSM-2 and SSM).
This has been discussed in the past:
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddef483

AAA Authentication for Traffic Passing through ASA

I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificated. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
Am I missing something?
firewall# show run aaa
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication match guestnetwork_access guestnetwork RADIUS
aaa authentication secure-http-client
firewall# show access-li guestnetwork_access
access-list guestnetwork_access; 2 elements
access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
firewall# show run aaa-s
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.250.14
key xxxxx
firewall# show run http
http server enable

your definition for the aaa-server is different to the aaa authentication server-group
try
aaa authentication http console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL

Radius authentication for privileged access

Hello,
          I have configured Cisco 6513 for radius authentication with following commands.
aaa new-model
aaa authentication login authradius group radius line
aaa accounting exec acctradius start-stop group radius
radius-server host <radius-ip> auth-port 1812 acct-port 1646 key 6912911
line vty 0 4
accounting exec acctradius
login authentication authradius
     This is working pretty fine. I want to configure radius authentication for priviledged access / for enable access.
     I am using TeKRadius as Radius server.
     Please help.
Thanks and Regards,
Pratik

Hi Pratik
Sorry I mostly use only TACACS+ for AAA as it provides better granularity of access controls.
You'll need to make some specific changes to your RADIUS config so that nominated users ( the ones you want to be able to go to enable mode ) get put straight into enable mode upon login.
There's a guide here http://www.blindhog.net/cisco-aaa-login-authentication-with-radius-ms-ias/ which details the steps if you're using the Microsoft IAS radius server - you should be able to figure out that changes you need to make to your own server from there.
Nick
Message was edited by: NickNac79 - Spelt the OP's name wrong, sorry.

AAA authentication for networking devices using ACS 4.1 SE

Hi!!!
I want to perform AAA authentication for networking devices using ACS 4.1 SE.
I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
I want telnet, ssh has,console attempt to be verified by radius server & if ACS goes down then it will be via local enable passwordf.
For all users i need to have different privilege levels based upon which access will be granted.
could u plz send me the config that is required to be done in the active devices as well as ACS!!!!

Pradeep,
Are you planning MAC authentication for some users while using EAP for others?
For MAC authentication, just use the following in your AP.
aaa authentication login mac_methods group radius
In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
In your SSID configuration, under client authentication settings,
check "open authentication" and also select "MAC Authentication" from the drop-down list.
If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
You will not need to change anything in XP.
NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
HTH

Create Apps for HTTP access

Hi,
Is there a way to create apps for HTTP access instead of using UNC?
And have it access via Application Explorer?
Thanks,
Harold

Do you mean an app to launch a web page via IE/NetScape?
Just run "IEXPLORE.EXE" with the webpage as the parameter.
Of do you mean HTTP connectivity for the workstation to run an app?
The 2nd starts to exist in ZFD4 in some fashion , but not ZFD3.
[email protected] wrote:
> Hi,
>
> Is there a way to create apps for HTTP access instead of using UNC?
> And have it access via Application Explorer?
>
> Thanks,
> Harold

ISE - AAA radius authentication for NAD access

Hi ,
I have configured the switches to use the ISE as the Radius server to authenticate with , on the ISE i've configured an authentication policy
for the "NADs" using the "Wired Devices" group which points to the AD indentity source to authenticate against .
While testing the login access to the switches we've come up with 2 results :
1.A domain user can indeed login to the switch as intended.
2.Every domain user which exists in the AD indentity source can login , this is an undesired result .
So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD , for example the group/ou
of the IT_department only .
I haven't been successfull , would appreciate any ideas on how to accomplish this .
Switch configurations :
=================
aaa new-model
aaa authentication login default group radius local
ISE Authentication policy
==================
Policy Name : NADs Authentication
Condition: "DEVICE:Device Type Equals :All Device Types#Wired"
Allowed Protocol : Default Network Access
use identity source : AD1

Thank you for the quick replys , and now ok , I've configured the following authorization policy :
Rule Name : Nad Auth
Conditions
if: Any
AND : AD1:ExternalGroups EQUALS IT_Departments
Permissions , then PermitAccess
What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group" , I am limited with the if statement and cannot chose the same device group a choose before .
How can i do that , i am thinking ahead an asking myself if in other cases a user might match this policy rule and can interfer ?

Open Authentication for Wireless Access

Hello,
The standalone implementation of an existing wireless network is configured as Open Authentication with a TKIP Cipher. The client key management is set to WPA PSK.
What exacly is the authentication for? I see that MAC and EAP are available options. Would these options be used to block or authorize the actual wireless devices that connect to the AP?
The next thing I see is Client Authenticated Key management and I am using WPA PSK. What exactly happens once I enter thsi PSK from the client? Is it only used to encrypt the data?
Thanks,
Kevin

Hi Kevin,
Using WPA we can configure either Enterprise or pre shared key.. Enterprise comprises of EAP and pre shared key is just the PSK..
if we are using EAP then auth will be done by the RADIUS and the encryotion will still be TKIP.. now coming back to PSK, this is shared key which will authenticate the users locally...
EAP is more secured auth compared to PSK..
Now regarding the "auth open" line.. see there are 2 kinds of auth in 802.11.. here while using wireless we need to auth twice, dot11 authentication and followed by the psk or EAP auth.. the auth open statement will force us to get the dot11 auth successful and then we move towards needed auth like PSK or EAP.. and another is Shared auth is very similar to WEP using open auth!!
in the nut shel we have 3 kinds of auth..
1> open - Dot11 auth
2> Shared - Nothing but WEP
3> 802.1X suite - EAP
again, the below link may give you some insights as well!!
http://www.cisco.com/en/US/docs/wireless/access_point/12.2_13_JA/configuration/guide/s13auth.html#wp1035025
Lemme know if this answered ur question and please dont forget to rate the usefull posts!!
Regards
Surendra

How to set up and test the Basic Authentication for HTTP protocol

Hi,
I tried configuring the password based Basic Authentication for sending xml document using ebMS - HTTP protocol. I set username and password while configuring the transport server for both trading partners. I want to know, is that sufficient for basic authenticaton. When I open the URI http://localhost:7778/b2b/transportServlet, it is not asking any authentication (username/password). Please note that I have not used SSL certificate. Anyone please help me out to configure Basic authentication.

Hi Ramesh,
Thanks for ur response. Could you please tell me where to set the Additional Transport header : authtype-basic#realm=myRealm(in which property file). In enqueue code, I could see the following attributes
queue
msgID
replyToMsgID
from
to
eventName
doctypeName
doctypeRevision
msgType
payload
attachment
subscriber
Is it possible to set username/password in the enqueue attributes?
Do i need to add username/password and Transport header in the input XML and defined that elements in xsd?

User Authentication for Internet access

Hi,
Is it possible to configure authentication for internal (LAN) users to Authenticate (local/RADIUS/LDAP) for any kind of internet access through the ISA550/570? (like cut-through authentication proxy in ASA.)
And Can the ISA550/570 act as a Web proxy?
Thanks in advance.

HI Sulu,
You can configure captive portal for internal LAN users to authenticate (local/Radius/LDAP) for internet
access through ISA500. (see attached screenshot)
ISA500 cannot act as a web proxy. what is your use case ?
Regards,
Wei

Need Authentication for SMTP Access

I have this Java program (SendMail.java) for sending email; however, my ISP requires authentication for SMTP server access, i.e. I receive a 550 Authentication Required error. Does anyone know how to go about coding authentication into a program like SendMail so that the userID and password can be sent back to the server?
* SendMail.java
* Created on July 13, 2005, 8:09 PM
* To change this template, choose Tools | Options and locate the template under
* the Source Creation and Management node. Right-click the template and choose
* Open. You can then make changes to the template in the Source Editor.
* @author Owner
// SendMail by Tony Swain.
// Send mail via SMTP
// To do Appletisize it.
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.PrintStream;
import java.net.Socket;
import java.util.StringTokenizer;
import java.net.Authenticator;
import java.net.*;
// To do. Finish multiThreading &| write que Thread.
// this programs sends mail Via SMTP as defined in RFC 821.
// ftp://ftp.isi.edu/in-notes/rfc821.txt
public class SendMail
Object mailLock              = null; //In case we want a multi-threaded mailer
public String mailServerHost = "";
public String from           = "";
public String to             = "";
public String replyTo        = "";
public String subject        = "Java is Fun";
public String mailData       =
   "HyperSendMail";
public String errorMsg = "";
public Socket mailSendSock = null;
public BufferedReader inputStream = null;
public PrintStream outputStream    = null;
public String serverReply          = "";
SendMail()
   // Doesn't do anything but we need this for extension purposes.
// Server, from,to,subject, data
SendMail(String server,String tFrom,String tTo,String sub,String sendData)
   mailServerHost = server;
   mailLock=this; // Thread Monitor passed constructor later. Default this Monitor.
   from = tFrom;
   to   = tTo;
   if(sendData != null)
      mailData = sendData;
/* Just a note to remind myself to add this for cross app./Applet & Runnable.
   & Threadsafe readLine() I'm too lazy ATM
SendMail()
   if(mailLock != null)
      if(mailLock instanceof Applet)
         Applet app = (Applet)
public void send()
   if(!open())          //Yikes! get out of here.
      return;
   try
      outputStream.println("HELO sendMail");
      serverReply = inputStream.readLine();
   catch(Exception e0)
      e0.printStackTrace();
   try
      outputStream.println("MAIL FROM: "+from);
      serverReply = inputStream.readLine();
        // I cheat and don't look for the whole 550
        // we know 5 is an error anyway. Add it in if you want.
      if(serverReply.startsWith("5"))
         close("FROM: Server error :"+serverReply);
         return;
   // Note the switch here. we could get mail from somewhere and by
   // pre setting replyTo reply somewhere else :)
      if(replyTo == null)
         replyTo = from;
      outputStream.println("RCPT TO: <"+to+">");
       // Ya got me! I didn't look for any 250 OK messages. Add it in if you really want.
       // A real programmer will spend 30 hours writing self modifying code in order
       // to save 90 nano seconds ;) we assume if it did't give an error it must be OK.
      serverReply = inputStream.readLine();
      if(serverReply.startsWith("5"))
         close("Reply error:"+serverReply);
         return;
      outputStream.println("DATA");
      serverReply = inputStream.readLine();
      if(serverReply.startsWith("5"))
         close("DATA Server error : "+serverReply);
         return;
      outputStream.println("From: "+from);
      outputStream.println("To: "+to);
      if(subject != null)
         outputStream.println("Subject: "+subject);
      if(replyTo != null)
         outputStream.println("Reply-to: "+replyTo);
      outputStream.println("");
      outputStream.println(mailData);
      outputStream.print("\r\n.\r\n");
      outputStream.flush();
      serverReply = inputStream.readLine();
      if(serverReply.startsWith("5"))
         close("DATA finish server error: "+serverReply);
         return;
      outputStream.println("quit");
      serverReply = inputStream.readLine();
      if(serverReply.startsWith("5"))
         close("Server error on QUIT: "+serverReply);
         return;
      inputStream.close();
      outputStream.close();
      mailSendSock.close();
   catch(Exception any)
      any.printStackTrace();
      close("send() Exception");
   close("Mail sent");
public boolean open()
   synchronized(mailLock)
      try
         mailSendSock = new Socket(mailServerHost, 25);
         outputStream = new PrintStream(mailSendSock.getOutputStream());
         inputStream = new BufferedReader(new InputStreamReader(
          mailSendSock.getInputStream()));
         serverReply = inputStream.readLine();
         if(serverReply.startsWith("4"))
            errorMsg = "Server refused the connect message : "+serverReply;
            return false;
      catch(Exception openError)
         openError.printStackTrace();
         close("Mail Socket Error");
         return false;
      System.out.println("Connected to "+mailServerHost);
      return true;
public void close(String msg)
          //try to close the sockets
   System.out.println("Close("+msg+")");
   try
      outputStream.println("quit");
      inputStream.close();
      outputStream.close();
      mailSendSock.close();
   catch(Exception e)
      System.out.println("Close() Exception");
     // We are closing so see ya later anyway
public static void main(String Args[])
SendMail sm = new
// * NOTE:
// Erase these values right away! Just to show you how it is done.
// Whatever you do don' release it with my mail server hardcoded.
// last thing I need is 10 million Java mail test spams :)
SendMail(
          "outgoing.myISP.net",         //Mail Server
          "[email protected]",       // sender
          "[email protected]",       // Recipient
          "Java mail test",               // Subject
          "test test test!");             // Message Data
          sm.send();                      // Send it!
}

There is no one in the forum who can shed some light on my problem?

Smartcard authentication for Clean Access SSO

Is anyone doing smartcard authentication into clean access via SSO? I have an issue where the UPN is not the username and the domain suffix is different from the AD domain so the agent is appending @domain.com to the $user$ variable and so it is failing to authenticate.

Did you run KTPASS correctly?
I had the same problem, (very undocumented 'feature', I would say) the KTPASS command must be run slightly different when running against a DC, versus running it against a AD Domain.
For Domain Authentication:
ktpass.exe -princ cleanaccess/domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
For AD Server Authentication:
ktpass.exe -princ cleanaccess/SERVERNAME.domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
NOTE: SERVERNAME need to be exactly as indicated under My Computer > Properties. (ie, correct UPPERCASE and lowercase letters in the right places)
Another thing to look out for is the cleanaccess AD account you have created, make sure that the display name matches the account name, and do not specify anything for the Firstname, Lastname fields. This seems to break things ans gets the authentication to fail for some reason.
O, and if you have set up the account at first for DC Server Authentication, delete it and recreate it for the AD Domain Authentication, because that breaks it too, when you run the KTPASS.EXE again.
Another thing, try using ADSSO without the lookup account configured to see that the machine authenticates first, then ad the Lookup Account, maybe the problem lies there.
Hope this helps.

Reg Re-authentication for Tcode access

Dear All,
    I want to enable Re-authentication for certain tcode access in my SAP ABAP system. The SAP as such supports this with the SSF settings. I have the SSF working but am not sure how to enable the particular tcode for Re-authentication.For example i have created a z code zAl08 out of Al08 for test purpose.When an user tries to access zAL08 he should be asked to give his credentials for authentication and then should be able to access the tcode.
1.Is this possible. (am already using a Security product working properly in my environment)
2.How to configure(Steps) the zcode for enabling Re-authentication?
Regards,
Karthik

Basically, what I said was:
function auth_check_tcode.
""Lokale Schnittstelle:
*" IMPORTING
*"     VALUE(TCODE) LIKE TSTC-TCODE
*" EXCEPTIONS
*"      PARAMETER_ERROR
*"      TRANSACTION_NOT_FOUND
*"      TRANSACTION_LOCKED
*"      TRANSACTION_IS_MENU
*"      MENU_VIA_PARAMETER_TRANSACTION
*"      NOT_AUTHORIZED
Dieser Funktionsbaustein dient als reine Kapsel für den C-Call
auth_check_tcode und ist daher im Gegensatz zu authority_check_tcode
nicht für die Prüfung vor dem Call Transaction gedacht, sondern für
die Fälle, in denen ein Start Transaction geprüft werden soll,
z.B. in der SE93.
authority_check_tcode berücksichtigt wie der Kernel die per SE97
pflegbaren Einträge in der Tabelle tcdcouples.
Berechtigungsprüfung
call 'AUTH_CHECK_TCODE'
       id 'TCODE' field tcode.
if sy-subrc = 0.
auth_check_tcode enthält die Prüfungen von tcode_executable,
daher im OK-Fall keine Aufruf nötig.
else.
    perform tcode_executable using tcode.
Keine Berechtigung für Transaktion &
    message i077(s#) with tcode raising not_authorized.
endif.
endfunction.
      FORM tcode_executable                                         *
--> TCODE                                                         *
form tcode_executable using tcode.
call 'DY_CHECK_TRANSACTION'
    id 'TX' field tcode.
case sy-subrc.
    when 0.         " Alles ok, return
    when 1.         " Parameter Error
      message i274(00) raising parameter_error.
    when 2.         " Transaktion nicht gefunden
      message i343(s#) with tcode raising transaction_not_found.
    when 3.         " Transaktion gesperrt
      message i348(s#) with tcode raising transaction_locked.
    when 4.         " Transaktion ist Bereichsmenü
      message i037(oz) with tcode raising transaction_is_menu.
    when 5.         " Bereichsmenü via Parameter-Transaktion
      message i350(s#) with tcode
                       raising menu_via_parameter_transaction.
    when 6.   " Nicht berechtigt; vorgesehen, aber nicht implementiert
      message i077(s#) with tcode raising not_authorized.
endcase.
endform.                    "tcode_executable
</pre>
Sorry, the comments are in German. But as you can see, there is no exit and the checks are in the kernel only.
My hat is safe...
Cheers,
Julius
Edited by: Julius Bussche on Jul 29, 2009 5:55 PM

Cisco Nexus AAA authentication and console access

We have nexus 7k with AAA authentication working now i have an issue i can't login using console port because my logins are rejected.Is there anyway we can login into console with local login details or we have to use ACS server (AAA) logins when connected to console (while ACS server is still reachable).
My main question is i want to login using console port while ACS server is still reachable is it possible?

Perhaps I am not understanding some parts of the original post and if so I would appreciate clarification of what I missed. But it seems to me that the main question in the original post is whether the original poster would be able to login on the console. And it seems to me that the high level answer is that yes login to the console should be possible. The details of how that would work are dependent on details of how the N7K is configured. If the original poster would provide some details of the configuration (especially all of the aaa authentication commands and the configuration of line con 0) we would be in a much better position to provide helpful answers.
HTH
Rick

ACS/ASA authentication for vpn access vs. console management access

I have an ACS 4.2 Server and an ASA 5540. I have setup AnyConnect SSL VPN on the ASA and want to authenticate users using AAA tacacs+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have setup a group in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I setup the VPNUSER group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for vpn, they can also ssh the firewall which is what I want to prevent.

Try using Network Access Restrictions (NAR)where you can restrict the administrative access on per device or on NDG basis.
By default user accounts from external database such as AD in ACS will get authenticated through telnet on network device or a AAA client which can be restricted by enabling NAR in ACS.
In your case it should be VPNUSERS group in ACS.
HTH
Ahmed

Aaa authentication for https access

Similar Messages

Maybe you are looking for