AAA-controle van de IOS HTTP-server
Inhoud
Inleiding
Dit document toont hoe u de toegang tot de Cisco IOS® HTTP server kunt controleren met Verificatie, autorisatie en accounting (AAA). De controle van de toegang tot de Cisco IOS HTTP server met AAA varieert op basis van de Cisco IOS-softwarerelease.
Voorwaarden
Vereisten
Er zijn geen specifieke vereisten van toepassing op dit document.
Gebruikte componenten
Dit document is niet beperkt tot specifieke software- en hardware-versies.
Conventies
Bepaal welke HTTP Server-versie u heeft
Geef de exec opdracht uit toon subsys naam http om te zien welke versie van de HTTP server u heeft.
router1#show subsys name http
Class Version
http Protocol 1.001.001
Dit is een systeem met de HTTP V1.1 server. Cisco IOS-softwarerelease 12.2(15)T en alle Cisco IOS-softwarerelease 12.3 releases hebben HTTP V1.1.
router2#show subsys name http
Class Version
http Protocol 1.000.001
Dit is een systeem met de HTTP V1 server. Cisco IOS-softwarereleases 12.2(15)T (inclusief Cisco IOS-softwarereleases 12.2(15)JA en 12.2(15)XR) hebben HTTP V1.
Cisco IOS-software met de HTTP V1-server
In releases van Cisco IOS-software die de HTTP V1-server bevat, gebruiken HTTP-sessies virtuele eindlijnen (vtys). Daarom worden HTTP-verificatie en -autorisatie gecontroleerd met dezelfde methoden die voor de vT's zijn ingesteld.
ip http server ! aaa new-model aaa authentication login VTYSandHTTP radius local aaa authorization exec VTYSandHTTP radius local ! ip http authentication aaa ! line vty 0 19 !--- The number of vtys you have. login authentication VTYSandHTTP authorization exec VTYSandHTTP
Cisco IOS-software met de HTTP V1.1-server
In releases van Cisco IOS-software met de HTTP V1.1-server gebruiken de HTTP-sessies geen VTS. Ze gebruiken sokjes.
HTTP V1.1-server - voor Cisco plug-in CSCeb82510
Vóór de integratie van Cisco bug ID CSCeb82510 (alleen geregistreerde klanten) in Cisco IOS-softwarereleases 12.3(7.3) en 12.3(7.3)T moet de HTTP V1.1-server dezelfde verificatie- en autorisatiemethode gebruiken die voor de console is ingesteld.
ip http server ! aaa new-model aaa authentication login CONSOLEandHTTP radius local aaa authorization exec CONSOLEandHTTP radius local ! ip http authentication aaa ! line con 0 login authentication CONSOLEandHTTP authorization exec CONSOLEandHTTP
HTTP V1.1-server - Na Cisco plug-in CSCeb82510
Met de integratie van Cisco bug ID CSCeb82510 (alleen geregistreerde klanten) in Cisco IOS-softwarereleases 12.3(7.3) en 12.3(7.3)T kan de HTTP-server onafhankelijke verificatie- en autorisatiemethoden op eigen kracht gebruiken, met nieuwe zoekwoorden in de ip http authenticatie. De nieuwe sleutelwoorden zijn:
router(config)#ip http authentication aaa command-authorization listname router(config)#ip http authentication aaa exec-authorization listname router(config)#ip http authentication aaa login-authentication listname
Dit is een voorbeeld-uitvoer:
ip http server ! aaa new-model aaa authentication login HTTPonly radius local aaa authorization exec HTTPonly radius local ! ip http authentication aaa ip http authentication aaa exec-authorization HTTPonly ip http authentication aaa login-authentication HTTPonly
Debuggen
Geef deze debug opdrachten uit om problemen met HTTP-verificatie/autorisatie op te lossen:
debug ip tcp transactions debug modem !--- If you use the HTTP 1.0 server. debug ip http authentication debug aaa authentication debug aaa authorization debug radius !--- If you use RADIUS. debug tacacs !--- If you use TACACS+.
Deze uitvoer toont een paar voorbeelden:
*Apr 23 13:12:16.871: TCB626DD444 created
*Apr 23 13:12:16.871: TCP0: state was LISTEN -> SYNRCVD [80 -> 64.101.98.203(19662)]
*Apr 23 13:12:16.871: TCP0: Connection to 64.101.98.203:19662, received MSS 1460, MSS is 516
*Apr 23 13:12:16.875: TCP: sending SYN, seq 2078657456, ack 2459301798
*Apr 23 13:12:16.875: TCP0: Connection to 64.101.98.203:19662, advertising MSS 536
*Apr 23 13:12:16.899: TCP0: state was SYNRCVD -> ESTAB [80 -> 64.101.98.203(19662)]
!--- The TCP connection from the browser on 64.101.98.203 to the !--- local HTTP server is established.
*Apr 23 13:12:16.899: TCB62229100 accepting 626DD444 from 64.101.98.203.19662
*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_PID (8) 626FEC84
*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_NO_DELAY (1) 626FEC88
*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_NONBLOCKING_WRITE (10) 626FED14
*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_NONBLOCKING_READ (14) 626FED14
*Apr 23 13:12:16.899: TCB626DD444 setting property unknown (15) 626FED14
*Apr 23 13:12:16.919: HTTP AAA Login-Authentication List name: HTTPauthen
*Apr 23 13:12:16.919: HTTP AAA Exec-Authorization List name: HTTPauthor
*Apr 23 13:12:16.919: AAA/AUTHEN/LOGIN (00000000): Pick method list 'HTTPauthen'
!--- Uses 'HTTPauthen' as the login authentication method.
*Apr 23 13:12:16.919: RADIUS/ENCODE(00000000):Orig. component type = INVALID
*Apr 23 13:12:16.919: RADIUS/ENCODE(00000000): dropping service type,
"radius-server attribute 6 on-for-login-auth" is off
*Apr 23 13:12:16.919: RADIUS(00000000): Config NAS IP: 0.0.0.0
*Apr 23 13:12:16.919: RADIUS(00000000): sending
*Apr 23 13:12:16.919: RADIUS/ENCODE: Best Local IP-Address 172.16.175.103 for
Radius-Server 10.1.2.3
*Apr 23 13:12:16.919: RADIUS(00000000): Send Access-Request to 10.1.2.3:1645 id 1645/2, len 51
*Apr 23 13:12:16.919: RADIUS: authenticator 5F 6E E6 C1 3E 40 5D E2 - FB AC E8 E8 E4 93 BA 98
*Apr 23 13:12:16.919: RADIUS: User-Name [1] 7 "cisco"
*Apr 23 13:12:16.919: RADIUS: User-Password [2] 18 *
*Apr 23 13:12:16.919: RADIUS: NAS-IP-Address [4] 6 172.16.175.103
!--- Sent an Access-Request to the RADIUS server !--- at 10.1.2.3 using the username of "cisco".
*Apr 23 13:12:21.923: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/2
*Apr 23 13:12:26.923: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/2
*Apr 23 13:12:31.923: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/2
*Apr 23 13:12:36.923: RADIUS: No response from (10.1.2.3:1645,1646) for id 1645/2
*Apr 23 13:12:36.923: RADIUS/DECODE: parse response no app start; FAIL
*Apr 23 13:12:36.923: RADIUS/DECODE: parse response; FAIL
*Apr 23 13:12:36.923: AAA/AUTHOR (0x0): Pick method list 'HTTPauthor'
*Apr 23 13:12:36.923: RADIUS/ENCODE(00000000):Orig. component type = INVALID
*Apr 23 13:12:36.923: RADIUS(00000000): Config NAS IP: 0.0.0.0
*Apr 23 13:12:36.923: RADIUS(00000000): sending
*Apr 23 13:12:36.923: RADIUS/ENCODE: Best Local IP-Address 172.16.175.103
for Radius-Server 10.1.2.3
*Apr 23 13:12:36.923: RADIUS(00000000): Send Access-Request to 10.1.2.3:1645
id 1645/3, len 57
*Apr 23 13:12:36.927: RADIUS: authenticator AA DB 63 E1 D4 BF 23 9E -
49 71 78 42 A5 A3 44 B8
*Apr 23 13:12:36.927: RADIUS: User-Name [1] 7 "cisco"
*Apr 23 13:12:36.927: RADIUS: User-Password [2] 18 *
*Apr 23 13:12:36.927: RADIUS: Service-Type [6] 6 Outbound [5]
*Apr 23 13:12:36.927: RADIUS: NAS-IP-Address [4] 6 172.16.175.103
*Apr 23 13:12:41.927: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/3
*Apr 23 13:12:46.927: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/3
*Apr 23 13:12:51.927: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/3
*Apr 23 13:12:56.927: RADIUS: No response from (10.1.2.3:1645,1646) for id 1645/3
*Apr 23 13:12:56.927: RADIUS/DECODE: parse response no app start; FAIL
*Apr 23 13:12:56.927: RADIUS/DECODE: parse response; FAIL
*Apr 23 13:12:56.927: HTTP: Authentication failed for level 15
!--- Authentication has failed due to no response from the RADIUS server.
*Apr 23 13:12:56.927: TCB626DD444 shutdown writing
*Apr 23 13:12:56.927: TCP0: state was ESTAB -> FINWAIT1 [80 -> 64.101.98.203(19662)]
*Apr 23 13:12:56.927: TCP0: sending FIN
*Apr 23 13:12:56.967: TCP0: state was FINWAIT1 -> FINWAIT2 [80 -> 64.101.98.203(19662)]
*Apr 23 13:12:56.967: TCP0: FIN processed
*Apr 23 13:12:56.971: TCP0: state was FINWAIT2 -> TIMEWAIT [80 -> 64.101.98.203(19662)]
*Apr 23 13:13:10.227: TCP0: state was TIMEWAIT -> CLOSED [80 -> 64.101.98.203(16260)]
*Apr 23 13:13:10.227: TCB 0x626DCFA0 destroyed
!--- The TCP connection to the browser 64.101.93.203 is closed.
Feedback