HTTP access to Cisco Catalyst 3560 with no Authentication

Unanswered Question
Jan 27th, 2010

I have a client who has 6 switches currently configured on their local LAN. One switch which is a Catalyst 2950 has the Device Manager loaded, and when you access the site using the IP address by the URL http://206.x.x.x it brings up the switch Web GUI without any required authentication.  They also have a Cisco 3560 that has been recently updated to version 12.2(53) with the Device Manger as well.  However it prompts for authentication when accessing the URL of that device.  Is it possible to configure the 3560 to load up the Web GUI without authentication like the 2950 currently does?  The IT manager is very stern about using it that way, regardless of what risks it creates.


Thank you for your help.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
sachinraja Wed, 01/27/2010 - 14:48

Hi Kyle


Can you disable http authentication on the switch using the command


no ip http authentication {enable | local | tacacs}


this will disable http authentication, but a high-risk security vulnerability...


Let us know..


Raj

kaggenuchc Wed, 01/27/2010 - 15:07

Thanks for your quick response.  I had tried using that command earlier in my troubleshooting steps.  I have even gone as far as to erase the current configuration using write erase, reload (with no as my response to save the config).  Still the WEB GUI prompts for authentication.  I do realize the high security risks, the IT manager for the client is the person in charge, I just get to make it work.  I wish I could access the Catalyst 2950, but currently telnet is not enabled, and there is no COM connection available to help me check the configuation between the two switches.  I am hoping that maybe I am just missing something.  If it would help, I can copy the relevant parts of my Catalyst configuration for review.


Thank you

Reza Sharifi Wed, 01/27/2010 - 15:25

HI Kyle,


I have never used the GUI, but can you logon to the witch using the GUI and just clear the password?


HTH

Reza

kaggenuchc Wed, 01/27/2010 - 16:00

This is a good idea, but sadly I went into the GUI and tried to remove the password and it told me that I had to specify a password.  Would not let me set it to blank.  By default the WEB GUI uses the enable password on the Cisco.  Currently the only way I can get into it is to specify a enable password from the CLI.  I am starting to wonder if maybe the current IOS release somehow fixed the ability to be able to use no authentication on the WEB GUI.   I am wondering if I need to load up an older IOS.


Thanks

sachinraja Wed, 01/27/2010 - 16:46

Ya Kyle..


It might just be because the newer IOS comes with some kind of security features inbuilt ! not sure if this is one among them..  999.99 out of 1000 would need authentication enabled (if http server is enabled)... and normally we dont leave them to default enable passwords, and redirect the requests to tacacs or atleast local authentication..


this is a very strange requirement.. am sure older IOS might just support authentication without passwords.. but i dont think it will be a good idea to revert back to older codes for such requirements.. the older code might have more vulnerabilities, and open bugs, and also can be short of feature sets that your new IOS supports..


somebody has to convey to your superior about the risk of downgrading the IOS... if you want, you can create a password like "a" and give , to make things easier to login


Hope this helps.. all the best


Raj

Actions

This Discussion

Related Content