topic Re: ISW Radius over Http/https in ExtremeWireless (General)

ISW Radius over Http/https

Technolust — Fri, 19 Oct 2018 01:49:00 GMT

Community,

I configured the switch for Radius over ssh and telnet. However, when I setup the switch for to use radius over http/https I get the following error:

Insufficient Privilege Level

The web page is non-accessible. Please use the valid privilege level.

The ssh and telnet work fine but not sure how to configure the privilege level for http/https use since my user account is already priv 15.

Thanks,

-Joe

Re: ISW Radius over Http/https

roxanne — Mon, 22 Oct 2018 15:25:00 GMT

Hi Joe,

Cisco IOS Software with the HTTP V1.1 ServerIn releases of Cisco IOS Software with the HTTP V1.1 server, the HTTP sessions do not use vtys. They use sockets.

HTTP V1.1 Server - Before Cisco Bug ID CSCeb82510Before the integration of Cisco bug ID CSCeb82510 (registered customers only) in Cisco IOS Software Releases 12.3(7.3) and 12.3(7.3)T, the HTTP V1.1 server has to use the same authentication and authorization method that is configured for the console.

ip http server ! aaa new-model aaa authentication login CONSOLEandHTTP radius local aaa authorization exec CONSOLEandHTTP radius local ! ip http authentication aaa ! line con 0 login authentication CONSOLEandHTTP authorization exec CONSOLEandHTTP

HTTP V1.1 Server - After Cisco Bug ID CSCeb82510With the integration of Cisco bug ID CSCeb82510 (registered customers only) in Cisco IOS Software Releases 12.3(7.3) and 12.3(7.3)T, the HTTP server can use independent authentication and authorization methods of its own, with new keywords in the ip http authentication aaa command. The new keywords are:

router(config)#ip http authentication aaa command-authorization listname router(config)#ip http authentication aaa exec-authorization listname router(config)#ip http authentication aaa login-authentication listname

This is example output:

ip http server ! aaa new-model aaa authentication login HTTPonly radius local aaa authorization exec HTTPonly radius local ! ip http authentication aaa ip http authentication aaa exec-authorization HTTPonly ip http authentication aaa login-authentication HTTPonly

DebugIssue these debug commands in order to troubleshoot problems with HTTP authentication/authorization:

debug ip tcp transactions debug modem !--- If you use the HTTP 1.0 server. debug ip http authentication debug aaa authentication debug aaa authorization

debug radius

Re: ISW Radius over Http/https

Technolust — Mon, 22 Oct 2018 18:03:00 GMT

Thanks Roxanne, I'm not sure if this will fix the issue on the Extreme switch though. Unless you are referring to configuring the uplink switch for this. I do have the extreme switch connected to a CISCO 2960.

-Joe

Re: ISW Radius over Http/https

Hans_Gudmund_Th — Thu, 30 Jul 2020 19:13:00 GMT

Hi Joe,

I am currently trying to configure radius (using freeradius) for some ISW switches but without success. I have been searching around and found this post. Out of curiosity; what attribute and value did you use to get privilege level whit ssh-login? I have tried priv-lvl = 15 but this doesn’t seem to work, and so far I have only been able to get read-access.

Best regards,

Hans Gudmund

Re: ISW Radius over Http/https

Hans_Gudmund_Th — Thu, 24 Sep 2020 15:23:43 GMT

Just an update; Radius now working using attribute / value Cisco-AVPair=shell:priv-lvl=15.

/Hans Gudmund