Cisco服务器http显示内容,IOS HTTP服务器的AAA控制

weixin_39573136

于 2021-08-06 11:53:42 发布

阅读量438

点赞数

文章标签： Cisco服务器http显示内容

本文档显示如何通过身份验证、授权和记帐(AAA)控制对Cisco IOS® HTTP服务器的访问。使用AAA访问Cisco IOS HTTP服务器的控制因Cisco IOS软件版本而异。

本文档没有任何特定的要求。

本文档不限于特定的软件和硬件版本。

有关文档规则的详细信息，请参阅 Cisco 技术提示规则。

发出exec命令show subsys name http，以查看您拥有的HTTP服务器的版本。

router1#show subsys name http

Class Version

http Protocol 1.001.001

这是一个带有HTTP V1.1服务器的系统。Cisco IOS软件版本12.2(15)T和所有Cisco IOS软件版本12.3都有HTTP V1.1。

router2#show subsys name http

Class Version

http Protocol 1.000.001

这是一个具有HTTP V1服务器的系统。早于12.2(15)T的思科IOS软件版本(包括思科IOS软件版本12.2(15)JA和12.2(15)XR)具有HTTP V1。

在包含HTTP V1服务器的Cisco IOS软件版本中，HTTP会话使用虚拟终端线路(vty)。因此，HTTP身份验证和授权使用为vty配置的相同方法进行控制。

ip http server

aaa new-model

aaa authentication login VTYSandHTTP radius local

aaa authorization exec VTYSandHTTP radius local

ip http authentication aaa

line vty 0 19

!--- The number of vtys you have.

authorization exec VTYSandHTTP

在带有HTTP V1.1服务器的Cisco IOS软件版本中，HTTP会话不使用vty。他们使用插座。

在集成Cisco IOS软件版本12.3(7.3)和12.3(7.3)T中的Cisco Bug ID CSCeb82510(仅限注册客户)之前，HTTP V1.1服务器必须使用为控制台配置的相同身份验证和授权方法。

ip http server

aaa new-model

aaa authentication login CONSOLEandHTTP radius local

aaa authorization exec CONSOLEandHTTP radius local

ip http authentication aaa

line con 0

authorization exec CONSOLEandHTTP

通过集成Cisco IOS软件版本12.3(7.3)和12.3(7.3)T中的Cisco Bug ID CSCeb82510(仅注册客户)，HTTP服务器可以使用其自己的独立身份验证和授权方法，并在ip http中添加新的关键字authentication aaa命令。新关键字为：

router(config)#ip http authentication aaa command-authorization listname

router(config)#ip http authentication aaa exec-authorization listname

router(config)#ip http authentication aaa login-authentication listname

以下是输出示例：

ip http server

aaa new-model

aaa authentication login HTTPonly radius local

aaa authorization exec HTTPonly radius local

ip http authentication aaa

ip http authentication aaa exec-authorization HTTPonly

ip http authentication aaa login-authentication HTTPonly

发出以下debug命令以排除HTTP身份验证/授权问题：

debug ip tcp transactions

debug modem

!--- If you use the HTTP 1.0 server.

debug ip http authentication

debug aaa authentication

debug aaa authorization

debug radius

!--- If you use RADIUS.

debug tacacs

!--- If you use TACACS+.

此输出显示了一些调试示例：

*Apr 23 13:12:16.871: TCB626DD444 created

*Apr 23 13:12:16.871: TCP0: state was LISTEN -> SYNRCVD [80 -> 64.101.98.203(19662)]

*Apr 23 13:12:16.871: TCP0: Connection to 64.101.98.203:19662, received MSS 1460, MSS is 516

*Apr 23 13:12:16.875: TCP: sending SYN, seq 2078657456, ack 2459301798

*Apr 23 13:12:16.875: TCP0: Connection to 64.101.98.203:19662, advertising MSS 536

*Apr 23 13:12:16.899: TCP0: state was SYNRCVD -> ESTAB [80 -> 64.101.98.203(19662)]

!--- The TCP connection from the browser on 64.101.98.203 to the !--- local HTTP server is established.

*Apr 23 13:12:16.899: TCB62229100 accepting 626DD444 from 64.101.98.203.19662

*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_PID (8) 626FEC84

*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_NO_DELAY (1) 626FEC88

*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_NONBLOCKING_WRITE (10) 626FED14

*Apr 23 13:12:16.899: TCB626DD444 setting property TCP_NONBLOCKING_READ (14) 626FED14

*Apr 23 13:12:16.899: TCB626DD444 setting property unknown (15) 626FED14

*Apr 23 13:12:16.919: HTTP AAA Login-Authentication List name: HTTPauthen

*Apr 23 13:12:16.919: HTTP AAA Exec-Authorization List name: HTTPauthor

*Apr 23 13:12:16.919: AAA/AUTHEN/LOGIN (00000000): Pick method list 'HTTPauthen'

!--- Uses 'HTTPauthen' as the login authentication method.

*Apr 23 13:12:16.919: RADIUS/ENCODE(00000000):Orig. component type = INVALID

*Apr 23 13:12:16.919: RADIUS/ENCODE(00000000): dropping service type,

"radius-server attribute 6 on-for-login-auth" is off

*Apr 23 13:12:16.919: RADIUS(00000000): Config NAS IP: 0.0.0.0

*Apr 23 13:12:16.919: RADIUS(00000000): sending

*Apr 23 13:12:16.919: RADIUS/ENCODE: Best Local IP-Address 172.16.175.103 for

Radius-Server 10.1.2.3

*Apr 23 13:12:16.919: RADIUS(00000000): Send Access-Request to 10.1.2.3:1645 id 1645/2, len 51

*Apr 23 13:12:16.919: RADIUS: authenticator 5F 6E E6 C1 3E 40 5D E2 - FB AC E8 E8 E4 93 BA 98

*Apr 23 13:12:16.919: RADIUS: User-Name [1] 7 "cisco"

*Apr 23 13:12:16.919: RADIUS: User-Password [2] 18 *

*Apr 23 13:12:16.919: RADIUS: NAS-IP-Address [4] 6 172.16.175.103

!--- Sent an Access-Request to the RADIUS server !--- at 10.1.2.3 using the username of "cisco".

*Apr 23 13:12:21.923: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/2

*Apr 23 13:12:26.923: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/2

*Apr 23 13:12:31.923: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/2

*Apr 23 13:12:36.923: RADIUS: No response from (10.1.2.3:1645,1646) for id 1645/2

*Apr 23 13:12:36.923: RADIUS/DECODE: parse response no app start; FAIL

*Apr 23 13:12:36.923: RADIUS/DECODE: parse response; FAIL

*Apr 23 13:12:36.923: AAA/AUTHOR (0x0): Pick method list 'HTTPauthor'

*Apr 23 13:12:36.923: RADIUS/ENCODE(00000000):Orig. component type = INVALID

*Apr 23 13:12:36.923: RADIUS(00000000): Config NAS IP: 0.0.0.0

*Apr 23 13:12:36.923: RADIUS(00000000): sending

*Apr 23 13:12:36.923: RADIUS/ENCODE: Best Local IP-Address 172.16.175.103

for Radius-Server 10.1.2.3

*Apr 23 13:12:36.923: RADIUS(00000000): Send Access-Request to 10.1.2.3:1645

id 1645/3, len 57

*Apr 23 13:12:36.927: RADIUS: authenticator AA DB 63 E1 D4 BF 23 9E -

49 71 78 42 A5 A3 44 B8

*Apr 23 13:12:36.927: RADIUS: User-Name [1] 7 "cisco"

*Apr 23 13:12:36.927: RADIUS: User-Password [2] 18 *

*Apr 23 13:12:36.927: RADIUS: Service-Type [6] 6 Outbound [5]

*Apr 23 13:12:36.927: RADIUS: NAS-IP-Address [4] 6 172.16.175.103

*Apr 23 13:12:41.927: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/3

*Apr 23 13:12:46.927: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/3

*Apr 23 13:12:51.927: RADIUS: Retransmit to (10.1.2.3:1645,1646) for id 1645/3

*Apr 23 13:12:56.927: RADIUS: No response from (10.1.2.3:1645,1646) for id 1645/3

*Apr 23 13:12:56.927: RADIUS/DECODE: parse response no app start; FAIL

*Apr 23 13:12:56.927: RADIUS/DECODE: parse response; FAIL

*Apr 23 13:12:56.927: HTTP: Authentication failed for level 15

!--- Authentication has failed due to no response from the RADIUS server.

*Apr 23 13:12:56.927: TCB626DD444 shutdown writing

*Apr 23 13:12:56.927: TCP0: state was ESTAB -> FINWAIT1 [80 -> 64.101.98.203(19662)]

*Apr 23 13:12:56.927: TCP0: sending FIN

*Apr 23 13:12:56.967: TCP0: state was FINWAIT1 -> FINWAIT2 [80 -> 64.101.98.203(19662)]

*Apr 23 13:12:56.967: TCP0: FIN processed

*Apr 23 13:12:56.971: TCP0: state was FINWAIT2 -> TIMEWAIT [80 -> 64.101.98.203(19662)]

*Apr 23 13:13:10.227: TCP0: state was TIMEWAIT -> CLOSED [80 -> 64.101.98.203(16260)]

*Apr 23 13:13:10.227: TCB 0x626DCFA0 destroyed

!--- The TCP connection to the browser 64.101.93.203 is closed.

weixin_39573136

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Cisco服务器http显示内容,IOS HTTP服务器的AAA控制

本文档显示如何通过身份验证、授权和记帐(AAA)控制对Cisco IOS® HTTP服务器的访问。使用AAA访问Cisco IOS HTTP服务器的控制因Cisco IOS软件版本而异。本文档没有任何特定的要求。本文档不限于特定的软件和硬件版本。有关文档规则的详细信息，请参阅 Cisco 技术提示规则。发出exec命令show subsys name http，以查看您拥有的HTTP服务器的版本...
复制链接

扫一扫