Hi, all! I just can't get AAA working for HTTP access to the Cisco box;
it refuses to let me in.
I did it as described here:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note0...
>sh ver
Cisco IOS Software, 3800 Software (C3845-ADVENTERPRISEK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 18-Jul-07 11:59 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Cisco-3845-RUP uptime is 16 weeks, 6 days, 1 hour, 40 minutes
System returned to ROM by reload at 13:09:39 EDT Wed Apr 2 2008
System restarted at 13:11:15 EDT Wed Apr 2 2008
System image file is "flash:c3845-adventerprisek9-mz.124-15.t1.bin"
___________________________________________________________________________
Here is what is in the config:
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication login CONSOLEandHTTP group radius local
aaa authorization console
aaa authorization exec CONSOLEandHTTP group radius local
ip http server
ip http authentication aaa login-authentication CONSOLEandHTTP
ip http authentication aaa exec-authorization CONSOLEandHTTP
ip http authentication aaa command-authorization 15 CONSOLEandHTTP
line con 0
authorization exec CONSOLEandHTTP
login authentication CONSOLEandHTTP
stopbits 1
Here is what the debug shows:
Jul 29 11:40:39.205: HTTP AAA Login-Authentication List name: CONSOLEandHTTP
Jul 29 11:40:39.205: HTTP AAA Exec-Authorization List name: CONSOLEandHTTP
Jul 29 11:40:39.205: AAA/BIND(000001AB): Bind i/f
Jul 29 11:40:39.205: AAA/AUTHEN/LOGIN (000001AB): Pick method list 'CONSOLEandHTTP'
Jul 29 11:40:39.205: RADIUS/ENCODE(000001AB):Orig. component type = HTTP
Jul 29 11:40:39.205: RADIUS/ENCODE(000001AB): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
Jul 29 11:40:39.205: RADIUS(000001AB): Config NAS IP: 0.0.0.0
Jul 29 11:40:39.205: RADIUS/ENCODE(000001AB): acct_session_id: 184
Jul 29 11:40:39.205: RADIUS(000001AB): sending
Jul 29 11:40:39.205: RADIUS/ENCODE: Best Local IP-Address X.X.X.41 for Radius-Server 10.179.0.16
Jul 29 11:40:39.205: RADIUS(000001AB): Send Access-Request to X.X.X.16:1645 id 1645/64, len 70
Jul 29 11:40:39.205: RADIUS: authenticator 3D B7 68 CE 94 4B 23 A3 - DD 2D F7 90 AC 6A 96 B1
Jul 29 11:40:39.205: RADIUS: User-Name [1] 7 "admin"
Jul 29 11:40:39.205: RADIUS: User-Password [2] 18 *
Jul 29 11:40:39.205: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jul 29 11:40:39.205: RADIUS: Calling-Station-Id [31] 13 "X.X.X.19"
Jul 29 11:40:39.205: RADIUS: NAS-IP-Address [4] 6 X.X.X.41
Jul 29 11:40:39.229: RADIUS: Received from id 1645/64 X.X.X.16:1645, Access-Accept, len 53
Jul 29 11:40:39.229: RADIUS: authenticator 93 86 4E 8C 80 65 A6 DB - 3F 11 4C 65 A0 A7 80 42
Jul 29 11:40:39.229: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
Jul 29 11:40:39.229: RADIUS: Class [25] 27
Jul 29 11:40:39.229: RADIUS: 43 41 43 53 3A 30 2F 32 37 37 37 2F 61 39 33 31 [CACS:0/2777/a931]
Jul 29 11:40:39.229: RADIUS: 38 32 39 2F 61 64 6D 69 6E [829/admin]
Jul 29 11:40:39.229: RADIUS(000001AB): Received from id 1645/64
Jul 29 11:40:39.229: HTTP: Authentication failed for level 15
I'll also note that the RADIUS server writes Authen OK in its logs.
I have a similar problem; can anyone help?
> I have a similar problem; can anyone help?
I gave up messing with this. I think the IOS needs to be upgraded.
>> I have a similar problem; can anyone help?
> I gave up messing with this. I think the IOS needs to be upgraded.
Same problem here. But I have a feeling it's not the IOS. Can anyone help?
>>> I have a similar problem; can anyone help?
>> I gave up messing with this. I think the IOS needs to be upgraded.
> Same problem here. But I have a feeling it's not the IOS. Can anyone help?
Here is my log:
040513: Mar 4 14:41:42: HTTP AAA picking up console Login-Authentication List name: default
040514: Mar 4 14:41:42: HTTP AAA picking up console Exec-Authorization List name: default
040515: Mar 4 14:41:42: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
040516: Mar 4 14:41:42: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
040517: Mar 4 14:41:42: RADIUS(00000000): Config NAS IP: 0.0.0.0
040518: Mar 4 14:41:42: RADIUS(00000000): sending
040519: Mar 4 14:41:42: RADIUS/ENCODE: Best Local IP-Address 10.15.0.250 for Radius-Server 10.15.32.22
040520: Mar 4 14:41:42: RADIUS(00000000): Send Access-Request to 10.15.32.22:1812 id 1645/45, len 55
040521: Mar 4 14:41:42: RADIUS: authenticator C1 92 DA 1D 88 0C B1 B8 - EA F7 CA 44 11 21 2A 5B
040522: Mar 4 14:41:42: RADIUS: User-Name [1] 11 "easergeev"
040523: Mar 4 14:41:42: RADIUS: User-Password [2] 18 *
040524: Mar 4 14:41:42: RADIUS: NAS-IP-Address [4] 6 10.15.0.250
040525: Mar 4 14:41:42: RADIUS: Received from id 1645/45 10.15.32.22:1812, Access-Accept, len 121
040526: Mar 4 14:41:42: RADIUS: authenticator 3B 4F 62 62 F1 D0 E4 9E - D7 FF 26 28 16 23 32 C0
040527: Mar 4 14:41:42: RADIUS: Service-Type [6] 6 Login [1]
040528: Mar 4 14:41:42: RADIUS: Class [25] 46
040529: Mar 4 14:41:42: RADIUS: 42 80 04 D8 00 00 01 37 00 01 02 00 0A 0F 20 16 [B??????7?????? ?]
040530: Mar 4 14:41:42: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 01 CB D9 BA [????????????????]
040531: Mar 4 14:41:42: RADIUS: 70 B3 13 1B 00 00 00 00 00 00 05 98 [p???????????]
040532: Mar 4 14:41:42: RADIUS: Vendor, Cisco [26] 25
040533: Mar 4 14:41:42: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
040534: Mar 4 14:41:42: RADIUS: Vendor, Microsoft [26] 12
040535: Mar 4 14:41:42: RADIUS: MS-Link-Util-Thresh[14] 6
040536: Mar 4 14:41:42: RADIUS: 00 00 00 32 [???2]
040537: Mar 4 14:41:42: RADIUS: Vendor, Microsoft [26] 12
040538: Mar 4 14:41:42: RADIUS: MS-Link-Drop-Time-L[15] 6
040539: Mar 4 14:41:42: RADIUS: 00 00 00 78 [???x]
040540: Mar 4 14:41:42: RADIUS(00000000): Received from id 1645/45
040541: Mar 4 14:41:42: RADIUS(00000000): Unique id not in use
040542: Mar 4 14:41:42: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored
040543: Mar 4 14:41:42: AAA/AUTHOR (0x0): Pick method list 'default'
040544: Mar 4 14:41:42: RADIUS(00000000): Config NAS IP: 0.0.0.0
040545: Mar 4 14:41:42: RADIUS(00000000): sending
040546: Mar 4 14:41:42: RADIUS/ENCODE: Best Local IP-Address 10.15.0.250 for Radius-Server 10.15.32.22
040547: Mar 4 14:41:42: RADIUS(00000000): Send Access-Request to 10.15.32.22:1812 id 1645/46, len 61
040548: Mar 4 14:41:42: RADIUS: authenticator AA C0 D9 4F B2 15 1E 8B - 7F A5 45 C8 81 4C 58 17
040549: Mar 4 14:41:42: RADIUS: User-Name [1] 11 "easergeev"
040550: Mar 4 14:41:42: RADIUS: User-Password [2] 18 *
040551: Mar 4 14:41:42: RADIUS: Service-Type [6] 6 Outbound [5]
040552: Mar 4 14:41:42: RADIUS: NAS-IP-Address [4] 6 10.15.0.250
040553: Mar 4 14:41:42: RADIUS: Received from id 1645/46 10.15.32.22:1812, Access-Reject, len 20
040554: Mar 4 14:41:42: RADIUS: authenticator 57 1F 6C D4 B3 04 27 27 - 64 8E 49 29 50 CB 1A 1F
040555: Mar 4 14:41:42: RADIUS(00000000): Received from id 1645/46
040556: Mar 4 14:41:42: HTTP: Authentication failed for level 15
Maybe authorization isn't configured?
Then you need to specify in the server settings that the user is granted access to the shell and priv-lvl=15 (or whatever level is needed). Correspondingly, on the router: aaa authorization exec default ...
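Added example, not code from any of the posts: a small Python script that reads a Cisco "debug radius" transcript like the two posted above, pairs each Access-Request with its reply, and reports which HTTP AAA phase produced "HTTP: Authentication failed for level 15" (the login authentication, or the second Access-Request carrying Service-Type Outbound that IOS sends for exec authorization). The sample lines are the relevant lines from the two transcripts in this thread; the function names are assumptions of this example.

```python
import re
# Added example, not IOS code: pair each RADIUS Access-Request in a Cisco
# "debug radius" transcript with its reply and name the HTTP AAA phase that failed.
SEND_RE = re.compile(r"Send Access-Request to \S+ id ([\d/]+)")
RECV_RE = re.compile(r"Received from id ([\d/]+) \S+, (Access-\w+)")
ATTR_RE = re.compile(r"RADIUS:\s+([\w -]+?)\s*\[\d+\]\s+\d+\s*(.*)$")

def parse_exchanges(lines):
    # one dict per Access-Request: id, request attrs, reply code, reply attrs
    exchanges, cur, side = [], None, None
    for line in lines:
        if m := SEND_RE.search(line):
            cur = {"id": m.group(1), "req": {}, "resp": {}, "code": None}
            exchanges.append(cur)
            side = "req"
        elif m := RECV_RE.search(line):
            if cur and cur["id"] == m.group(1):
                cur["code"], side = m.group(2), "resp"
        elif cur and (m := ATTR_RE.search(line)):  # attrs after Send = request, after Received = reply
            cur[side][m.group(1)] = m.group(2).strip().strip('"')
    return exchanges

def diagnose(lines):
    ex = parse_exchanges(lines)
    if not ex:
        return "no Access-Request in transcript"
    login = ex[0]
    if login["code"] != "Access-Accept":
        return f"login authentication failed ({login['code']})"
    # IOS sends a second Access-Request with Service-Type Outbound for exec authorization
    authz = [e for e in ex[1:] if e["req"].get("Service-Type", "").startswith("Outbound")]
    if authz and authz[0]["code"] != "Access-Accept":
        return f"exec authorization (Service-Type Outbound) got {authz[0]['code']}"
    priv = re.search(r"shell:priv-lvl=(\d+)", " ".join(login["resp"].values()))
    if priv is None:
        return "login accepted, but Access-Accept carries no shell:priv-lvl AVpair"
    return f"login accepted with shell:priv-lvl={priv.group(1)}"

# Constructed samples: the relevant lines of the two transcripts posted in this thread.
LOG_FIRST_POST = """\
Jul 29 11:40:39.205: RADIUS(000001AB): Send Access-Request to X.X.X.16:1645 id 1645/64, len 70
Jul 29 11:40:39.205: RADIUS: User-Name [1] 7 "admin"
Jul 29 11:40:39.229: RADIUS: Received from id 1645/64 X.X.X.16:1645, Access-Accept, len 53
Jul 29 11:40:39.229: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
""".splitlines()
LOG_THIRD_POST = """\
040520: Mar 4 14:41:42: RADIUS(00000000): Send Access-Request to 10.15.32.22:1812 id 1645/45, len 55
040525: Mar 4 14:41:42: RADIUS: Received from id 1645/45 10.15.32.22:1812, Access-Accept, len 121
040533: Mar 4 14:41:42: RADIUS: Cisco AVpair [1] 19 "shell:priv-lvl=15"
040547: Mar 4 14:41:42: RADIUS(00000000): Send Access-Request to 10.15.32.22:1812 id 1645/46, len 61
040551: Mar 4 14:41:42: RADIUS: Service-Type [6] 6 Outbound [5]
040553: Mar 4 14:41:42: RADIUS: Received from id 1645/46 10.15.32.22:1812, Access-Reject, len 20
""".splitlines()
```

Run diagnose() over the full "debug radius" output of a failing HTTP login; the first transcript reports an Access-Accept without any shell:priv-lvl AVpair, the third reports the exec-authorization request being rejected.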