ip http authentication local

I tried to log in via the web interface using a local user I defined but cannot log in. I can, however, telnet in with that username.

Why can I not log in with the username I created via http?

tony

Did you enable aaa?

aaa new-model
aaa authentication login default local
aaa authorization exec default local
username cisco secret cisco
ip http server
ip http authentication local

Post show version and config.

Merv

Which device, which software release?

Walter Roberson

I have to enable aaa? I am using local users. Shown below is the config. It's a layer 2 network. Is the config below sufficient? Please comment.

Thanks

#sh ver
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(25)EWA6, RELEASE SOFTWARE (fc1)
Technical Support:
(c) 1986-2006 by Cisco Systems, Inc.
Compiled Fri 02-Jun-06 15:20 by ssearch
Image text-base: 0x10000000, data-base: 0x114ED458

ROM: 12.2(20r)EW1
Dagobah Revision 226, Swamp Revision 34

edu-barnum-c4506 uptime is 1 day, 54 minutes
System returned to ROM by reload
System restarted at 10:29:39 UTC Thu Sep 7 2006
System image file is "bootflash:"

cisco WS-C4506 (MPC8245) processor (revision 10) with 262144K bytes of memory.
Processor board ID FOX1021013E
MPC8245 CPU at 266Mhz, Supervisor II+
Last reset from Reload

1 Virtual Ethernet interface
146 Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x2101

--------------------------------------------------------------------------------------------

#sh config
Using 1767 out of 524280 bytes, uncompressed size = 5796 bytes
Uncompressed configuration from 1767 bytes to 5796 bytes
!
! Last configuration change at 10:21:53 UTC Fri Sep 8 2006
! NVRAM config last updated at 10:22:27 UTC Fri Sep 8 2006
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service compress-config
service sequence-numbers
!
hostname c4506
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username admin secret 5 xxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone UTC -8
clock summer-time UTC recurring
vtp domain ''
vtp mode transparent
ip subnet-zero
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
!
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
. . . . .
interface GigabitEthernet4/47
!
interface GigabitEthernet4/48
!
interface Vlan1
 ip address dhcp
!
ip http server
ip http access-class 1
!
!
access-list 1 permit x.x.x.x
!
!
!
line con 0
 password 7 0020180C544C240C04
 login
 stopbits 1
line vty 0 1
 access-class 1 in
 password 7 15011E1F017B7977
 login local
line vty 2 4
 no login
!
ntp clock-period 17179383
ntp server x.x.x.x key 0 prefer
ntp server y.y.y.y key 0
ntp server z.z.z.z key 0
!
end

tony

You MUST enable aaa.

see


Merv

The only problem with this is that the user I am using gets privilege 15 on both telnet and http, not just http.

tony

Try username privilege secret.

Merv

What is the end goal that you are trying to achieve?

Merv

I don't want any user with the ability to telnet in to get privilege 15. At the same time I want users to be able to authenticate to get http access. Any user that telnets in should only get privilege 1, with the enable password to get to 15.

Does it make sense?

tony

What difference does it make if they also have privilege level 15 on telnet if they have it on http? The http interface allows you to run any command.

BernieM

BernieM

No need for aaa when using local: "ip http authentication local"

-Brian

Brian V

Then I would configure each username with privilege level 1 in the username command.

Merv
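Putting the thread's suggestions together, here is an added example configuration fragment (not the poster's running config and not from any of the replies) that shows the settings the discussion converges on; the hostname is omitted, the ACL address is left as the page's x.x.x.x placeholder, and the passwords are placeholders. It assumes the same Catalyst 4500 IOS 12.2 feature set as the posted config.

```cisco
! Added example fragment; not the poster's configuration.
! Passwords and the ACL address are placeholders.
!
! Without 'ip http authentication local' the web server checks logins
! against the enable password, so a local username is not accepted.
! The access-class from the original config is kept.
ip http server
ip http authentication local
ip http access-class 1
!
! Local users land at privilege 1 on telnet and http alike; 'enable'
! (and the enable secret) is still needed to reach privilege 15.
username admin privilege 1 secret PLACEHOLDER_ADMIN_PASSWORD
enable secret PLACEHOLDER_ENABLE_PASSWORD
!
! The original left vty 2-4 with 'no login' and no access-class.
! Here all five vty lines use local users and the same ACL.
line vty 0 4
 access-class 1 in
 login local
 exec-timeout 10 0
!
access-list 1 permit x.x.x.x
```

Because the http interface can run any command the user's privilege level allows (as BernieM notes), keeping the users at privilege 1 limits both access methods the same way.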

Is it possible to limit or prevent which users can run the enable command?

tony

Yes, don't give the enable password to people you don't want going into enable mode.

BernieM

You may wish to check out CLI role-based views.

see


Merv
