Monday, July 25, 2016

How to configure HTTP access to a router using local authentication

Resolution

This is a sample configuration of local authentication with Cisco IOS Software Release 11.3.3.T or later:

aaa new-model
!--- Enable Authentication, Authorization and Accounting (AAA).
aaa authentication login default local
!--- By default, use local authentication for login.
aaa authorization exec default local
!--- Use the local database for EXEC authorization (this sets the privilege level at login).
username one privilege 15 password one
!--- User one is given privilege Level 15 (L15) and can execute all L15 commands.
username three password three
!--- User three has no privilege level configured, so the default (Level 1) applies.
username four privilege 7 password four
!--- User four is given privilege Level 7 (L7) and can execute all commands for L7.
ip http server
!--- Enable HTTP connectivity to the router.
ip http authentication local
!--- Specify local authentication for HTTP connections.
privilege exec level 7 clear line
!--- Make the clear line command a privilege L7 command (so user four can execute it).

The users configured experience this behavior when they attempt to connect:

User one:
  • The user passes Web authorization if the URL is entered as http://#.#.#.#.
  • After the user Telnets to the router, the user can perform all commands after login authentication.
  • After login, the user is in enable mode (the show privilege command reports L15).
  • If command authorization is added to the router, the user still succeeds in all commands.

User three:
  • The user fails Web authorization because no privilege level is configured for the user (the level defaults to L1).
  • After a Telnet to the router, the user can perform all commands after login authentication.
  • The user is in non-enable mode after login (the show privilege command reports Level 1 [L1]).
  • If command authorization is added to the router, the user still succeeds in all commands.

User four:
  • In the Web interface, the L1 commands plus the L7 clear line command appear.
  • After a Telnet to the router, the user can perform all commands after login authentication.
  • The user is at privilege L7 after login (the show privilege command reports L7).
  • If command authorization is added to the router, the user still succeeds in all commands.
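To make the behavior above concrete, here is a small added auditor (not part of the tech note or of Cisco IOS) that parses an IOS snippet like the one above, computes each user's effective privilege level, and reports which commands each level can run once `privilege exec level` remaps are applied. The Web-authorization rule (a user with no configured privilege level fails) and the base command table are assumptions modeled on the note's description, not an exact reproduction of IOS internals.

```python
import re
from dataclasses import dataclass

# Constructed sample: the configuration from the tech note above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username one privilege 15 password one
username three password three
username four privilege 7 password four
ip http server
ip http authentication local
privilege exec level 7 clear line
"""

# Illustrative subset of default EXEC command levels (assumption, not the full IOS table).
DEFAULT_LEVELS = {"show privilege": 1, "clear line": 15, "configure terminal": 15}

@dataclass
class User:
    name: str
    level: int       # effective privilege level after login (default 1)
    explicit: bool   # True when the username line sets a privilege level

def parse_config(text):
    """Return (users, command levels, http settings) from an IOS config snippet."""
    users, cmd_levels = {}, dict(DEFAULT_LEVELS)
    http = {"server": False, "auth": None}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):       # skip blanks and IOS comments
            continue
        m = re.match(r"username (\S+)(?: privilege (\d+))? (?:password|secret) ", line)
        if m:
            users[m.group(1)] = User(m.group(1), int(m.group(2) or 1), m.group(2) is not None)
            continue
        m = re.match(r"privilege exec level (\d+) (.+)", line)
        if m:                                      # lower (or raise) a command's level
            cmd_levels[m.group(2)] = int(m.group(1))
            continue
        if line == "ip http server":
            http["server"] = True
        m = re.match(r"ip http authentication (\S+)", line)
        if m:
            http["auth"] = m.group(1)
    return users, cmd_levels, http

def web_authorized(user):
    # Assumption drawn from the note: no configured privilege level -> Web authorization fails.
    return user.explicit

def allowed_commands(user, cmd_levels):
    """Commands whose level is at or below the user's effective level, sorted."""
    return sorted(c for c, lvl in cmd_levels.items() if lvl <= user.level)
```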
To troubleshoot HTTP authentication problems, issue one of these commands:
  • debug aaa authentication: Displays information on AAA and TACACS+ authentication.
  • debug aaa authorization: Displays information on AAA and TACACS+ authorization.
  • debug radius: Displays detailed debugging information associated with RADIUS.
  • debug tacacs: Displays information associated with TACACS.
  • debug ip http authentication: Displays the authentication method the router attempted and authentication-specific status messages.

Cisco IOS Software Version

  • 12.0
  • 12.1
  • 12.2
  • 12.3
