Authenticating HTTP requests with AAA

By default, IOS routers use enable passwords to authenticate incoming HTTP (web) requests. You could also use local usernames as the authentication mechanism, or you could deploy full-blown AAA-based solution. To enable AAA-based HTTP authentication, you have to define two AAA lists (authentication login and authorization exec) and bind them to the HTTP server with the ip http authentication aaa command. A working configuration example is included below (this one uses AAA-based local username authentication, but of course you can replace that with RADIUS- or TACACS-based one).
aaa authentication login web local
aaa authorization exec web local
ip http authentication aaa login-authentication web
ip http authentication aaa exec-authorization web
Warning: the router executes AAA authentication/authorization for every HTTP request sent by the browser. It's thus very hard to integrate this solution with one-time passwords (unless you can cache the credentials on the AAA server).
Add comment