Introduction:
This document describes how to configure HTTP Access using Local Authentication.
What is Local Authetication?
Local authentication can be defined as a method where AAA performs function of Authentication using an internal database without taking aid of an external database. When local AAA is running, user gets authentication after providing login credentials (Username and Password)which should be available in the configuration of the device. Some commonly used methods for local authentication through console access are mentioned below:
- Telnet
- Serial
- SSH
- Enable
- HTTP access which is required for ASDM
For local authentication user can use cut-through proxy also. Some types are mentioned below:
- Telnet traffic
- FTP traffic
- HTTP traffic
- HTTPS traffic
This implies authentication for a user can be done when he/she passes Telnet, HTTPS traffic,FTP passing through the security appliance.
Core issue
Cisco routers permit a user to connect to a router using HTTP. You must explicitly enable this functionality and also implement the security mechanism to permit such connections.
After using HTTP to log in to the router, the user is prompted for the username and password. After the authentication and authorization, the user is given a certain privilege level. That privilege could also allow the user to execute a certain set of specified user commands.
Note: Before implementing the procedures in this case, refer to Cisco Security Advisory on IOS HTTP Authorization Vulnerability.
Resolution
This is a sample configuration of local authentication with Cisco IOS Software Releases 11.3.3.T or later:
aaa new-model
!---Enable Authentication, Authorization and Accounting (AAA).
aaa authentication login default local
!---By default, use local authentication.
aaa authorization exec default local
username one privilege 15 password one
!--- User one is given privilege Level 15 (L15) and can execute all L15 commands.
username three password three
username four privilege 7 password four
!--- User four is given privilege Level 7 (L7) and can execute all commands for L7.
ip http server
!--- Enable HTTP connectivity to the router.
ip http authentication local
!---Specify local authentication for HTTP connections.
privilege exec L7 clear line
!---Change the clear line command to a privilege L7 command (so user four can execute it).
The users configured experience this behavior when they attempt to connect:
User one:
- The user passes Web authorization if the URL is entered as http://#.#.#.#.
- After the user Telnets to the router, the user can perform all commands after login authentication.
- After login, the user is in enable mode (the show privilege command is L15).
- If command authorization is added to the router, the user still succeeds in all commands.
User three:
- User fails Web authorization for not having a privilege level.
- If there is a Telnet to the router, the user can perform all commands after login authentication.
- User is in non-enable mode after login (The show privilege command is Level 1 [L1]).
- If command authorization is added to the router, the user still succeeds in all commands.
User four:
- L1 commands plus the L7 clear line command appears.
- After a Telnet to the router, the user can perform all commands after login authentication.
- User is at privilege L7 after login (The show privilege command is L7).
- If command authorization is added to the router, the user still succeeds in all commands.
To address HTTP authentication problems, issue one of these commands:
- debug aaa authentication: Displays information on AAA and TACACS+ authentication.
- debug aaa authorization: Displays information on AAA and TACACS+ authorization.
- debug radius: Displays detailed debugging information associated with RADIUS.
- debug tacacs: Displays information associated with TACACS.
- debug ip http authentication: Displays the authentication method the router attempted and authentication-specific status messages.
For more information, refer to Sample Configuration: Local Authentication for HTTP Server Users.
Cisco IOS Software Version