I tried to log in via the web interface using a locally defined user but cannot log in. I can, however, telnet in with that username.
Why can I not log in with the username I created via HTTP?
Did you enable aaa?

aaa new-model
aaa authentication login default local
aaa authorization exec default local
username cisco secret cisco
ip http server
ip http authentication local
Post show version and config.
Which device, which software release?
I have to enable aaa? I am using local users. Shown below is the config. It's a layer 2 network. Is the config below sufficient? Please comment.
Thanks
#sh ver
Cisco IOS Software, Catalyst 4000 L3 Switch Software (cat4000-I9S-M), Version 12.2(25)EWA6, RELEASE SOFTWARE (fc1)
Technical Support:
ROM: 12.2(20r)EW1 Dagobah Revision 226, Swamp Revision 34
edu-barnum-c4506 uptime is 1 day, 54 minutes
System returned to ROM by reload
System restarted at 10:29:39 UTC Thu Sep 7 2006
System image file is "bootflash:"
cisco WS-C4506 (MPC8245) processor (revision 10) with 262144K bytes of memory.
Processor board ID FOX1021013E
MPC8245 CPU at 266Mhz, Supervisor II+
Last reset from Reload
1 Virtual Ethernet interface
146 Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.
Configuration register is 0x2101
--------------------------------------------------------------------------------------------
#sh config
Using 1767 out of 524280 bytes, uncompressed size = 5796 bytes
Uncompressed configuration from 1767 bytes to 5796 bytes
!
! Last configuration change at 10:21:53 UTC Fri Sep 8 2006
! NVRAM config last updated at 10:22:27 UTC Fri Sep 8 2006
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service compress-config
service sequence-numbers
!
hostname c4506
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username admin secret 5 xxxxxxxxxxxxxxxxxxx
!
no aaa new-model
clock timezone UTC -8
clock summer-time UTC recurring
vtp domain ''
vtp mode transparent
ip subnet-zero
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
power redundancy-mode redundant
!
!
!
vlan internal allocation policy ascending
!
interface GigabitEthernet1/1
!
interface GigabitEthernet1/2
!
interface GigabitEthernet2/1
. . . . .
interface GigabitEthernet4/47
!
interface GigabitEthernet4/48
!
interface Vlan1
 ip address dhcp
!
ip http server
ip http access-class 1
!
!
access-list 1 permit x.x.x.x
!
!
!
line con 0
 password 7 0020180C544C240C04
 login
 stopbits 1
line vty 0 1
 access-class 1 in
 password 7 15011E1F017B7977
 login local
line vty 2 4
 no login
!
ntp clock-period 17179383
ntp server x.x.x.x key 0 prefer
ntp server y.y.y.y key 0
ntp server z.z.z.z key 0
!
end
You MUST enable aaa.
see
The only problem with this is that the user I am using gets privilege 15 on both telnet and http, not just http.
Try: username privilege secret
What is the end goal that you are trying to achieve?
I don't want any user to be able to telnet in and get privilege.
Does it make sense?
What difference does it make if they also have privilege level 15 on telnet if they have it on http? The http interface allows you to run any command.
BernieM
No need for aaa when using local: "ip http authentication local"
-Brian
Then I would configure each username with privilege level 1 in the username command.
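The two points made in this thread, that the web interface only consults local usernames once "ip http authentication local" is set (without it IOS falls back to its default, the enable password), and that the vty lines and per-username privilege level decide what an authenticated user can do, can be checked mechanically against a saved config. The script below is an added example, not code from the thread or from Cisco. It parses a constructed config modelled on the one posted above (not a real device) in the indented form "show running-config" prints, and reports the items discussed: the HTTP authentication method, missing access-class restrictions, vty lines with "no login" (the posted config leaves vty 2 to 4 that way), and usernames that land at privilege 15 on login. The finding texts and the parser are this example's own.

```python
"""Audit a Cisco IOS config for the remote-management points discussed above."""
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the config posted in this thread (not from a real
# device). Indentation follows what "show running-config" prints; secrets are dummies.
SAMPLE_CONFIG = """\
version 12.2
hostname c4506
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
username admin secret 5 xxxxxxxxxxxxxxxxxxx
no aaa new-model
ip http server
ip http access-class 1
access-list 1 permit 192.0.2.10
line con 0
 password 7 0020180C544C240C04
 login
line vty 0 1
 access-class 1 in
 password 7 15011E1F017B7977
 login local
line vty 2 4
 no login
end
"""

Section = Tuple[str, List[str]]


def parse_config(text: str) -> Tuple[List[str], List[Section]]:
    """Split a config into top-level commands and (header, indented children) sections.

    Comment lines starting with '!' and blank lines are ignored. An unindented line is
    a top-level command and also opens a section; indented lines belong to the most
    recent section header.
    """
    top: List[str] = []
    sections: List[Section] = []
    current: Optional[Section] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
            top.append(raw.strip())
    return top, sections


def audit(text: str) -> List[str]:
    """Return human-readable findings about management-plane authentication and exposure."""
    top, sections = parse_config(text)
    findings: List[str] = []

    if "ip http server" in top:
        # IOS default for "ip http authentication" is the enable password, so local
        # usernames are not consulted unless the method is set to local (or aaa).
        auth = next((l.split()[3] for l in top if l.startswith("ip http authentication ")), None)
        if auth in (None, "enable"):
            findings.append("HTTP: authentication is the enable password (default); local usernames "
                            "are not used, set 'ip http authentication local' or 'aaa'")
        if not any(l.startswith("ip http access-class") for l in top):
            findings.append("HTTP: no 'ip http access-class', reachable from any source")
        if "ip http secure-server" not in top:
            findings.append("HTTP: cleartext HTTP only, credentials cross the network unencrypted")

    for header, children in sections:
        if not header.startswith("line vty"):
            continue
        if "no login" in children:
            findings.append(f"{header}: 'no login', sessions are accepted without authentication")
        elif "login" in children and "aaa new-model" not in top:
            findings.append(f"{header}: shared line password only, no per-user accountability")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in children):
            findings.append(f"{header}: no inbound access-class, reachable from any source")

    for line in top:
        m = re.match(r"username (\S+)(?: privilege (\d+))?", line)
        if m and (m.group(2) or "1") == "15":
            findings.append(f"username {m.group(1)}: privilege 15 on login "
                            "(consider privilege 1 and a separate enable secret)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample this reports four items: the HTTP authentication default, cleartext HTTP, and two findings for "line vty 2 4". Adding "ip http authentication local", "ip http secure-server", and "login local" plus an inbound access-class on the open vty lines clears all of them; the parser relies on IOS indentation, so a config that has been flattened onto one line (as in the thread post) needs its line breaks restored first.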
Is it possible to limit or prevent which user can run enable command?
Yes, don't give the enable password to people you don't want going to enable mode.
You may wish to check out CLI role-based views.
see
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.