IOS HTTP伺服器的AAA控制

下載選項

PDF (226.0 KB)
在多種裝置上使用 Adobe Reader 檢視
ePub (79.4 KB)
在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
Mobi (Kindle) (66.0 KB)
在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視

已更新: 2008 年 8 月 28 日

文件 ID:63910

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的，無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言，或引用第三方產品的語言，因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件，讓全世界的使用者能夠以自己的語言理解支援內容。請注意，即使是最佳機器翻譯，也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責，並建議一律查看原始英文文件（提供連結）。

簡介

本文顯示如何透過驗證、授權及記帳(AAA)控制對Cisco IOS® HTTP伺服器的存取。對使用AAA的Cisco IOS HTTP伺服器的訪問的控制因Cisco IOS軟體版本而異。

必要條件

需求

本文件沒有特定需求。

採用元件

本文件所述內容不限於特定軟體和硬體版本。

慣例

如需文件慣例的詳細資訊，請參閱思科技術提示慣例。

確定您使用的HTTP伺服器版本

發出exec命令show subsys name http以檢視您的HTTP伺服器版本。

router1#show subsys name http

                    Class         Version   
http                Protocol    1.001.001

這是使用HTTP V1.1伺服器的系統。Cisco IOS軟體版本12.2(15)T和所有Cisco IOS軟體版本12.3都使用HTTP V1.1。

router2#show subsys name http

                    Class         Version   
http                Protocol    1.000.001

這是使用HTTP V1伺服器的系統。低於12.2(15)T的Cisco IOS軟體版本(包括Cisco IOS軟體版本12.2(15)JA和12.2(15)XR)具有HTTP V1。

採用HTTP V1伺服器的Cisco IOS軟體

在包含HTTP V1伺服器的Cisco IOS軟體版本中，HTTP作業階段使用虛擬終端線路(vty)。因此，HTTP身份驗證和授權使用為vty配置的相同方法控制。

ip http server
!
aaa new-model
aaa authentication login VTYSandHTTP radius local
aaa authorization exec VTYSandHTTP radius local
!
ip http authentication aaa
!
line vty 0 19  

!--- The number of vtys you have.

 login authentication VTYSandHTTP
 authorization exec VTYSandHTTP

採用HTTP V1.1伺服器的Cisco IOS軟體

在使用HTTP V1.1伺服器的Cisco IOS軟體版本中，HTTP會話不使用vty。他們使用插座。

HTTP V1.1伺服器 — 思科錯誤ID CSCeb82510之前

在Cisco IOS軟體版本12.3(7.3)和12.3(7.3)T中整合Cisco錯誤ID CSCeb82510(僅限註冊客戶)之前，HTTP V1.1伺服器必須使用為主控台設定的相同驗證和授權方法。

ip http server
!
aaa new-model
aaa authentication login CONSOLEandHTTP radius local
aaa authorization exec CONSOLEandHTTP radius local
!
ip http authentication aaa
!
line con 0
 login authentication CONSOLEandHTTP
 authorization exec CONSOLEandHTTP

HTTP V1.1伺服器 — 思科錯誤ID CSCeb82510之後

藉由在Cisco IOS軟體版本12.3(7.3)和12.3(7.3)T中整合Cisco錯誤ID CSCeb82510(僅供註冊客戶使用),HTTP伺服器可以使用其自己的獨立驗證和授權方法，並在ip http authentication aaa指令中使用新關鍵字。新關鍵字包括：

router(config)#ip http authentication aaa command-authorization listname

router(config)#ip http authentication aaa exec-authorization listname

router(config)#ip http authentication aaa login-authentication listname

以下是輸出範例：

ip http server
!
aaa new-model
aaa authentication login HTTPonly radius local
aaa authorization exec HTTPonly radius local
!
ip http authentication aaa
ip http authentication aaa exec-authorization HTTPonly
ip http authentication aaa login-authentication HTTPonly

調試

發出以下debug命令，以疑難排解HTTP驗證/授權問題：

debug ip tcp transactions
debug modem 

!--- If you use the HTTP 1.0 server.

debug ip http authentication
debug aaa authentication
debug aaa authorization
debug radius 

!--- If you use RADIUS.

debug tacacs  

!--- If you use TACACS+.

此輸出顯示一些調試示例：

*Apr 23 13:12:16.871: TCB626DD444 created
*Apr 23 13:12:16.871: TCP0: state was LISTEN -> SYNRCVD [80 -> 64.101.98.203(19662)]
*Apr 23 13:12:16.871: TCP0: Connection to 64.101.98.203:19662, received MSS 1460, MSS is 516
*Apr 23 13:12:16.875: TCP: sending SYN, seq 2078657456, ack 2459301798
*Apr 23 13:12:16.875: TCP0: Connection to 64.101.98.203:19662, advertising MSS 536
*Apr 23 13:12:16.899: TCP0: state was SYNRCVD -> ESTAB [80 -> 64.101.98.203(19662)]


!--- The TCP connection from the browser on 64.101.98.203 to the !--- local HTTP server is established.


*Apr 23 13:12:16.899: TCB62229100 accepting 626DD444 from 64.101.98.203.19662
*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_PID (8) 626FEC84
*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_NO_DELAY (1) 626FEC88
*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_NONBLOCKING_WRITE (10) 626FED14
*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_NONBLOCKING_READ (14) 626FED14
*Apr 23 13:12:16.899: TCB626DD444 setting property unknown (15) 626FED14
*Apr 23 13:12:16.919: HTTP AAA Login-Authentication List name: HTTPauthen
*Apr 23 13:12:16.919: HTTP AAA Exec-Authorization List name: HTTPauthor
*Apr 23 13:12:16.919: AAA/AUTHEN/LOGIN (00000000): Pick method list 'HTTPauthen' 


!--- Uses 'HTTPauthen' as the login authentication method.


*Apr 23 13:12:16.919: RADIUS/ENCODE(00000000):Orig. component type = INVALID
*Apr 23 13:12:16.919: RADIUS/ENCODE(00000000): dropping service type, 
"radius-server attribute 6 on-for-login-auth" is off
*Apr 23 13:12:16.919: RADIUS(00000000): Config NAS IP: 0.0.0.0
*Apr 23 13:12:16.919: RADIUS(00000000): sending
*Apr 23 13:12:16.919: RADIUS/ENCODE: Best Local IP-Address 172.16.175.103 for 
Radius-Server 10.1.2.3
*Apr 23 13:12:16.919: RADIUS(00000000): Send Access-Request to 10.1.2.3:1645 id 1645/2, len 51
*Apr 23 13:12:16.919: RADIUS:  authenticator 5F 6E E6 C1 3E 40 5D E2 - FB AC E8 E8 E4 93 BA 98
*Apr 23 13:12:16.919: RADIUS:  User-Name           [1]   7   "cisco"
*Apr 23 13:12:16.919: RADIUS:  User-Password       [2]   18  *
*Apr 23 13:12:16.919: RADIUS:  NAS-IP-Address      [4]   6   172.16.175.103


!--- Sent an Access-Request to the RADIUS server !--- at 10.1.2.3 using the username of "cisco".
 
           
*Apr 23 13:12:21.923: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/2
*Apr 23 13:12:26.923: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/2
*Apr 23 13:12:31.923: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/2
*Apr 23 13:12:36.923: RADIUS: No response from (10.1.2.3:1645,1646) for id 1645/2
*Apr 23 13:12:36.923: RADIUS/DECODE: parse response no app start; FAIL
*Apr 23 13:12:36.923: RADIUS/DECODE: parse response; FAIL
*Apr 23 13:12:36.923: AAA/AUTHOR (0x0): Pick method list 'HTTPauthor'
*Apr 23 13:12:36.923: RADIUS/ENCODE(00000000):Orig. component type = INVALID
*Apr 23 13:12:36.923: RADIUS(00000000): Config NAS IP: 0.0.0.0
*Apr 23 13:12:36.923: RADIUS(00000000): sending
*Apr 23 13:12:36.923: RADIUS/ENCODE: Best Local IP-Address 172.16.175.103 
for Radius-Server 10.1.2.3
*Apr 23 13:12:36.923: RADIUS(00000000): Send Access-Request to 10.1.2.3:1645 
id 1645/3, len 57
*Apr 23 13:12:36.927: RADIUS:  authenticator AA DB 63 E1 D4 BF 23 9E - 
49 71 78 42 A5 A3 44 B8
*Apr 23 13:12:36.927: RADIUS:  User-Name           [1]   7   "cisco"
*Apr 23 13:12:36.927: RADIUS:  User-Password       [2]   18  *
*Apr 23 13:12:36.927: RADIUS:  Service-Type        [6]   6   Outbound     [5]
*Apr 23 13:12:36.927: RADIUS:  NAS-IP-Address      [4]   6   172.16.175.103            
*Apr 23 13:12:41.927: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/3
*Apr 23 13:12:46.927: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/3
*Apr 23 13:12:51.927: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/3
*Apr 23 13:12:56.927: RADIUS: No response from (10.1.2.3:1645,1646) for id 1645/3
*Apr 23 13:12:56.927: RADIUS/DECODE: parse response no app start; FAIL
*Apr 23 13:12:56.927: RADIUS/DECODE: parse response; FAIL
*Apr 23 13:12:56.927: HTTP: Authentication failed for level 15


!--- Authentication has failed due to no response from the RADIUS server.


*Apr 23 13:12:56.927: TCB626DD444 shutdown writing
*Apr 23 13:12:56.927: TCP0: state was ESTAB -> FINWAIT1 [80 -> 64.101.98.203(19662)]
*Apr 23 13:12:56.927: TCP0: sending FIN
*Apr 23 13:12:56.967: TCP0: state was FINWAIT1 -> FINWAIT2 [80 -> 64.101.98.203(19662)]
*Apr 23 13:12:56.967: TCP0: FIN processed
*Apr 23 13:12:56.971: TCP0: state was FINWAIT2 -> TIMEWAIT [80 -> 64.101.98.203(19662)]
*Apr 23 13:13:10.227: TCP0: state was TIMEWAIT -> CLOSED [80 -> 64.101.98.203(16260)]
*Apr 23 13:13:10.227: TCB 0x626DCFA0 destroyed


!--- The TCP connection to the browser 64.101.93.203 is closed.