I am trying to make some Catalyst switches talk to the RADIUS server available in MS Windows 2003, called the Internet Authentication Service (IAS).
At the command line login to the switch it works perfectly. Via HTTP to the switch, I get from the IOS debugging, "Authorization Rejected".
Switch is a 2950 model running IOS 12.1 (19) EA1c. The config is:
aaa new-model
aaa authentication login myAuthListName group radius local
ip radius source-interface Vlan1
radius-server host 192.168.61.158 auth-port 1645 acct-port 1646 key mysecret
line vty 0 15
 login authentication myAuthListName
 authorization exec myAuthListName
ip http authentication aaa
in this article
notes the differing config for versions of the subsystem http server. I have verified that the IOS is running version 1.000.001 which the document states uses the line config as the basis for finding the auth source for http auth.
Again, from that article I use the following debugging:
debug ip tcp transactions
debug modem
debug ip http authentication
debug aaa authentication
debug aaa authorization
debug radius
All that is reported is that everything succeeds talking to the radius server and so on until the messages "HTTP Authentication failed", "HTTP Authorization Rejected". I cannot make the debugging any more verbose in this respect.
I have tried removing the "authorization exec ..." from the line config.
I have tried the auth with 4 browsers on two platforms: IE 6, current Firefox (WinXP), current Safari, current Firefox (Mac OS X). Behaviour is the same in all cases. There is no proxy in the path from browser to switch.
I am wondering whether the connection requirements section of the IAS server (Membership of a Windows group), or the Service-Type attribute (6 - "login") is relevant and needs an addition or change. Though as I say the command line version works fine.
I would be very grateful for any assistance.