cancel
Showing results for 
Search instead for 
Did you mean: 

ISW Radius over Http/https

ISW Radius over Http/https

Technolust
New Contributor
Community,

I configured the switch for Radius over ssh and telnet. However, when I setup the switch for to use radius over http/https I get the following error:

Insufficient Privilege Level

The web page is non-accessible. Please use the valid privilege level.

The ssh and telnet work fine but not sure how to configure the privilege level for http/https use since my user account is already priv 15.

Thanks,

-Joe
4 REPLIES 4

Hans_Gudmund_Th
New Contributor

Just an update; Radius now working using attribute / value Cisco-AVPair=shell:priv-lvl=15.

 

/Hans Gudmund

Hans_Gudmund_Th
New Contributor

Hi Joe,

 

I am currently trying to configure radius (using freeradius) for some ISW switches but without success. I have been searching around and found this post. Out of curiosity; what attribute and value did you use to get privilege level whit ssh-login? I have tried priv-lvl = 15 but this doesn’t seem to work, and so far I have only been able to get read-access.

 

Best regards,

Hans Gudmund

Technolust
New Contributor
Thanks Roxanne, I'm not sure if this will fix the issue on the Extreme switch though. Unless you are referring to configuring the uplink switch for this. I do have the extreme switch connected to a CISCO 2960.

-Joe

roxanne
New Contributor
Hi Joe,

Cisco IOS Software with the HTTP V1.1 ServerIn releases of Cisco IOS Software with the HTTP V1.1 server, the HTTP sessions do not use vtys. They use sockets.

HTTP V1.1 Server - Before Cisco Bug ID CSCeb82510Before the integration of Cisco bug ID CSCeb82510 (registered customers only) in Cisco IOS Software Releases 12.3(7.3) and 12.3(7.3)T, the HTTP V1.1 server has to use the same authentication and authorization method that is configured for the console.

ip http server ! aaa new-model aaa authentication login CONSOLEandHTTP radius local aaa authorization exec CONSOLEandHTTP radius local ! ip http authentication aaa ! line con 0 login authentication CONSOLEandHTTP authorization exec CONSOLEandHTTP
HTTP V1.1 Server - After Cisco Bug ID CSCeb82510With the integration of Cisco bug ID CSCeb82510 (registered customers only) in Cisco IOS Software Releases 12.3(7.3) and 12.3(7.3)T, the HTTP server can use independent authentication and authorization methods of its own, with new keywords in the ip http authentication aaa command. The new keywords are:

router(config)#ip http authentication aaa command-authorization listname router(config)#ip http authentication aaa exec-authorization listname router(config)#ip http authentication aaa login-authentication listname
This is example output:

ip http server ! aaa new-model aaa authentication login HTTPonly radius local aaa authorization exec HTTPonly radius local ! ip http authentication aaa ip http authentication aaa exec-authorization HTTPonly ip http authentication aaa login-authentication HTTPonly
DebugIssue these debug commands in order to troubleshoot problems with HTTP authentication/authorization:

debug ip tcp transactions debug modem !--- If you use the HTTP 1.0 server. debug ip http authentication debug aaa authentication debug aaa authorization
debug radius

GTM-P2G8KFN