http authentication against radius

hello

I am trying to make some Catalyst switches talk to the RADIUS server available in MS Windows 2003, called the Internet Authentication Service (IAS).

At the command line login to the switch it works perfectly. Via http to the switch, I get from the IOS debugging, "Authorization Rejected".

Switch is a 2950 model running IOS 12.1(19)EA1c. The config is:

aaa new-model
aaa authentication login myAuthListName group radius local
ip radius source-interface Vlan1
radius-server host 192.168.61.158 auth-port 1645 acct-port 1646 key mysecret
line vty 0 15
 login authentication myAuthListName
 authorization exec myAuthListName
ip http authentication aaa

This article notes the differing config for versions of the subsystem http server. I have verified that the IOS is running version 1.000.001, which the document states uses the line config as the basis for finding the auth source for http auth.

Again, from that article I use the following debugging:

debug ip tcp transactions
debug modem
debug ip http authentication
debug aaa authentication
debug aaa authorization
debug radius

All that is reported is that everything succeeds talking to the radius server and so on until the messages "HTTP Authentication failed", "HTTP Authorization Rejected". I cannot make the debugging any more verbose in this respect.

I have tried removing the "authorization exec ..." from the line config.

I have tried the auth with 4 browsers on two platforms: IE 6, current Firefox (WinXP), current Safari, current Firefox (Mac OS X). Behaviour is the same in all cases. There is no proxy in the path from browser to switch.

I am wondering whether the connection requirements section of the IAS server (Membership of a Windows group), or the Service-Type attribute (6 - "login") is relevant and needs an addition or change. Though as I say the command line version works fine.

I would be very grateful for any assistance.

thank you.

rolf.

Reply to
r.l.

Do not know the cause of your current issue.

Just wanted to mention that it looks like Cisco has yanked support for the image you are using.

It looks like the latest image is 12.1(22)EA10a

Reply to
Merv

Authentication is working fine, authorization is failing. Get rid of the command "authorization exec myAuthListName" from the vty configuration.

Reply to
Thrill5

hello

I have removed that line from the vty config and it makes no difference.

r.

Reply to
r.l.

Get some debugs from your attempt to access the HTTP server when using IAS RADIUS for authentication/authorization:

debug ip tcp transactions
debug modem
debug ip http authentication
debug aaa authentication
debug aaa authorization
debug radius

Aaron

Reply to
Aaron Leonard
