
Why does TACACS work for SSH but not HTTPS on WR21

I'm struggling with setting up TACACS on my device.
I have tried various configurations:
tacplus 0 svr "X.X.X.88"
tacplus 0 key "X"
tacplus 0 authent ON
tacplus 0 author ON
tacplus 0 localauth ON
tacplus 0 acct ON
Result:
SSH & Local: No
SSH & TACACS: Yes & Full Access
HTTPS & Local: No
HTTPS & TACACS: No

tacplus 0 svr "X.X.X.88"
tacplus 0 key "X"
tacplus 0 authent ON
tacplus 0 author ON
tacplus 0 localauth ON
Result:
SSH & Local: No
SSH & TACACS: Yes & Full Access
HTTPS & Local: No
HTTPS & TACACS: No

tacplus 0 svr "X.X.X.88"
tacplus 0 key "X"
tacplus 0 authent ON
tacplus 0 localauth ON
Result:
SSH & Local: No
SSH & TACACS: Yes but no access
HTTPS & Local: No
HTTPS & TACACS: Yes but no access

The aim is to get TACACS working to access it via SSH and HTTPS.
The results of each bit of config are above.
Anyone any ideas? I have run out!
asked May 16 in Digi TransPort Cellular by Stevenlr New to the Community (0 points)


1 Answer

Hi

First, Local Access is only used when the router cannot connect to the TACACS server; it then uses local authentication.

From the user guide:

Functions of the AAA services
If TACACS+ authentication is enabled, the request is sent to the TACACS+ server. If disabled, the router performs the authentication. At this point authorization is also performed. If TACACS+ authorization is disabled, the user access level is obtained from the local user table on the router. If TACACS+ authorization is enabled, an authorization request is sent to the TACACS+ server. The server returns a privilege level and may also return other attributes such as a new idle time for this session, which takes precedence over locally configured values.

When the user has been authenticated and access has been authorized, the login is allowed. If the connection is via telnet or SSH, a welcome message showing the access level and the method of authentication is displayed. If the access level was assigned locally the following message is displayed:

From here:

https://www.digi.com/resources/documentation/digidocs/90001019/default.htm#tasks/t_configure_tacacs.htm%3FTocPath%3DConfiguring%2520security%2520%7CUse%2520TACACS%252B%2520to%2520control%2520access%2520to%2520the%2520router%7C_____0

So, if you do not enable authorisation, the username has to match a user in the local database and the level comes from there, not from the server.

In relation to HTTP/HTTPS, this can have issues depending on what TACACS server you are using; on a Cisco ACS there are settings to allow the session to be authorised after login rather than the individual pages.

Regards,

James
answered May 17 by James.Wilson Veteran of the Digi Community (1,032 points)
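To make the decision flow quoted from the user guide concrete, here is an added model of it in Python. This is illustrative code written for this thread, not Digi's firmware or any code from the poster; the user tables, passwords and privilege levels are constructed sample data, and the `server_reachable` flag is a hypothetical input standing in for whether the router can contact the TACACS+ server. Running the three configurations from the question through it shows why the third one (authorisation off) authenticates the TACACS+ user but gives no access level: the level is looked up in the local user table, where that username does not exist.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical; not taken from any real router or server).
LOCAL_USERS = {
    "admin": {"password": "local-secret", "level": 3},
}
TACACS_USERS = {
    "steven": {"password": "tacacs-secret", "level": 3},
}


@dataclass
class TacPlusConfig:
    """Mirrors the tacplus 0 switches from the question."""
    authent: bool                  # tacplus 0 authent ON/OFF
    author: bool                   # tacplus 0 author ON/OFF
    localauth: bool                # tacplus 0 localauth ON/OFF
    server_reachable: bool = True  # hypothetical: can the router reach the server?


@dataclass
class LoginResult:
    authenticated: bool
    level: Optional[int]           # None means authenticated but no access level
    auth_source: str
    authz_source: Optional[str]


def _check(table, username, password):
    """Password check against one user table (constructed data, plain comparison)."""
    entry = table.get(username)
    return entry is not None and entry["password"] == password


def aaa_login(cfg, username, password):
    """Apply the authentication-then-authorisation flow described in the user guide."""
    # Step 1: authentication. With authent ON the request goes to the TACACS+ server;
    # localauth only matters when that server cannot be reached.
    if cfg.authent and cfg.server_reachable:
        ok, source = _check(TACACS_USERS, username, password), "tacacs+"
    elif cfg.authent and cfg.localauth:
        ok, source = _check(LOCAL_USERS, username, password), "local (fallback)"
    elif cfg.authent:
        ok, source = False, "none (server unreachable, localauth off)"
    else:
        ok, source = _check(LOCAL_USERS, username, password), "local"
    if not ok:
        return LoginResult(False, None, source, None)

    # Step 2: authorisation. With author ON the privilege level comes from the server;
    # otherwise it is read from the local user table, so the username must exist there.
    if cfg.author and cfg.server_reachable:
        entry, azsrc = TACACS_USERS.get(username), "tacacs+"
    else:
        entry, azsrc = LOCAL_USERS.get(username), "local user table"
    level = entry["level"] if entry else None
    return LoginResult(True, level, source, azsrc)


if __name__ == "__main__":
    # The three configurations from the question, tried with the TACACS+ user.
    for name, cfg in [
        ("authent+author+localauth", TacPlusConfig(True, True, True)),
        ("authent+author+localauth (no acct)", TacPlusConfig(True, True, True)),
        ("authent+localauth only", TacPlusConfig(True, False, True)),
    ]:
        print(name, aaa_login(cfg, "steven", "tacacs-secret"))
```

The accounting switch (`tacplus 0 acct`) is not modelled because, per the quoted guide text, it plays no part in whether a login is allowed or what level it receives.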
Thanks James, do you have any further details in regards to the HTTP/HTTPS issue? This is the main thing I am trying to sort, so I'm struggling where to start.