Authenticating HTTP requests with AAA

Wednesday, April 04, 2007

By default, IOS routers use enable passwords to authenticate incoming HTTP (web) requests. You could also use local usernames as the authentication mechanism, or you could deploy full-blown AAA-based solution.To enable AAA-based HTTP authentication, you have to define two AAA lists (authentication login and authorization exec) and bind them to the HTTP server with the ip http authentication aaa command. A working configuration example is included below (this one uses AAA-based local username authentication, but of course you can replace that with RADIUS- or TACACS-based one).

aaa authentication login web local
aaa authorization exec web local
!
ip http authentication aaa login-authentication web
ip http authentication aaa exec-authorization web
Warning: the router executes AAA authentication/authorization for every HTTP request sent by the browser. It's thus very hard to integrate this solution with one-time passwords (unless you can cache the credentials on the AAA server).

Tags: ,

0 comments:

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.