TCC_2
Introduction:

This document describes how to configure HTTP Access using Local Authentication.

 

What is Local Authentication?

Local authentication is a method in which AAA performs the authentication function using the device's internal database, without relying on an external database. When local AAA is running, a user is authenticated after providing login credentials (username and password) that must be present in the configuration of the device. Some commonly used methods of local authentication through console access are listed below:

  • Telnet
  • Serial
  • SSH
  • Enable
  • HTTP access which is required for ASDM

 

Local authentication can also be used with cut-through proxy. Some of the traffic types it covers are listed below:

  • Telnet traffic
  • FTP traffic
  • HTTP traffic
  • HTTPS traffic

 

This means a user can be authenticated when their Telnet, HTTP, HTTPS or FTP traffic passes through the security appliance.

Core issue

 

Cisco routers permit a user to connect to a router using HTTP. You must explicitly enable this functionality and also implement the security mechanism to permit such connections. 

After using HTTP to log in to the router, the user is prompted for the username and password. After the authentication and authorization, the user is given a certain privilege level. That privilege could also allow the user to execute a certain set of specified user commands.

 

Note: Before implementing the procedures in this case, refer to Cisco Security Advisory on IOS HTTP Authorization Vulnerability.

 

Resolution

This is a sample configuration of local authentication with Cisco IOS Software Releases 11.3.3.T or later:

aaa new-model
!--- Enable Authentication, Authorization and Accounting (AAA).
aaa authentication login default local
!--- By default, use local authentication for logins.
aaa authorization exec default local
!--- Use the local database for EXEC authorization, which assigns the user's privilege level.
username one privilege 15 password one
!--- User one is given privilege Level 15 (L15) and can execute all L15 commands.
username three password three
!--- User three has no privilege level configured (the default is Level 1).
username four privilege 7 password four
!--- User four is given privilege Level 7 (L7) and can execute all commands for L7.
ip http server
!--- Enable HTTP connectivity to the router.
ip http authentication local
!--- Specify local authentication for HTTP connections.
privilege exec level 7 clear line
!--- Change the clear line command to a privilege L7 command (so user four can execute it).

 

The users configured experience this behavior when they attempt to connect:

User one:

  • The user passes Web authorization if the URL is entered as http://#.#.#.#.
  • After the user Telnets to the router, the user can perform all commands after login authentication.
  • After login, the user is in enable mode (the show privilege command shows L15).
  • If command authorization is added to the router, the user still succeeds in all commands.

User three:

  • The user fails Web authorization because no privilege level is configured.
  • After a Telnet to the router, the user can perform all commands after login authentication.
  • The user is in non-enable mode after login (the show privilege command shows Level 1 [L1]).
  • If command authorization is added to the router, the user still succeeds in all commands.

User four:

  • In the Web interface, the L1 commands plus the L7 clear line command appear.
  • After a Telnet to the router, the user can perform all commands after login authentication.
  • The user is at privilege L7 after login (the show privilege command shows L7).
  • If command authorization is added to the router, the user still succeeds in all commands.
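The per-user behaviour above follows mechanically from three facts in the configuration: whether HTTP access is enabled and bound to local authentication, which privilege level each username carries, and which level each EXEC command has been assigned. The following script is an added example (not Cisco's code and not part of the original document): it parses the sample configuration, reproduces the rules described above (a user with no configured privilege level fails Web authorization; a command is available when the user's level is at least the command's level), and flags configuration weaknesses a reviewer would want to see. The function names, the DEFAULT_CMD_LEVELS table and the sample input are my own; the `username ... secret` form it recommends is the standard IOS alternative to the reversible `password` keyword.

```python
"""Audit an IOS-style configuration for local HTTP authentication.

Added example (not Cisco's code): it parses the handful of commands the
document uses and reports, for each configured user, the privilege level
they land at, whether they pass Web authorization, and whether they can
run a given EXEC command, following the behaviour the document describes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the document's configuration, with the privilege
# command in IOS syntax (privilege exec level <n> <command>).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username one privilege 15 password one
username three password three
username four privilege 7 password four
ip http server
ip http authentication local
privilege exec level 7 clear line
"""

# Default privilege level of a few EXEC commands (assumption for this
# example; IOS ships "show privilege" at level 1 and the others at 15).
DEFAULT_CMD_LEVELS = {"show privilege": 1, "clear line": 15, "configure terminal": 15}

USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))? (password|secret) ")
PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+)$")


@dataclass
class Audit:
    aaa_new_model: bool = False
    http_server: bool = False
    http_auth_local: bool = False
    # user -> explicitly configured privilege level, or None if the line had none
    users: Dict[str, Optional[int]] = field(default_factory=dict)
    cleartext_users: List[str] = field(default_factory=list)
    cmd_levels: Dict[str, int] = field(default_factory=lambda: dict(DEFAULT_CMD_LEVELS))


def audit(config: str) -> Audit:
    """Walk the configuration line by line and collect the facts we care about."""
    a = Audit()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # skip blanks and !--- comments
            continue
        if line == "aaa new-model":
            a.aaa_new_model = True
        elif line == "ip http server":
            a.http_server = True
        elif line == "ip http authentication local":
            a.http_auth_local = True
        elif m := USER_RE.match(line):
            name, level, keyword = m.group(1), m.group(2), m.group(3)
            a.users[name] = int(level) if level is not None else None
            if keyword == "password":            # reversible, unlike 'secret'
                a.cleartext_users.append(name)
        elif m := PRIV_RE.match(line):
            a.cmd_levels[m.group(2).strip()] = int(m.group(1))
    return a


def effective_level(a: Audit, user: str) -> int:
    """A username with no privilege keyword lands at IOS's default, level 1."""
    level = a.users.get(user)
    return 1 if level is None else level


def passes_web_authorization(a: Audit, user: str) -> bool:
    """As the document describes: HTTP access needs a configured privilege level."""
    return a.http_server and a.http_auth_local and a.users.get(user) is not None


def can_run(a: Audit, user: str, command: str) -> bool:
    """A command is available when the user's level is at least the command's level."""
    return effective_level(a, user) >= a.cmd_levels.get(command, 15)


def findings(a: Audit) -> List[str]:
    """Defender-side checks on the parsed configuration."""
    out = []
    if a.http_server and not (a.aaa_new_model and a.http_auth_local):
        out.append("ip http server is enabled without local AAA authentication")
    for user in a.cleartext_users:
        out.append(f"user {user}: 'password' keyword stores a reversible password; "
                   f"'username {user} secret ...' stores a hash instead")
    for user, level in a.users.items():
        if level == 15:
            out.append(f"user {user}: privilege 15 over HTTP gives full control; confirm it is needed")
    return out


if __name__ == "__main__":
    a = audit(SAMPLE_CONFIG)
    for user in a.users:
        print(f"{user}: level {effective_level(a, user)}, web={passes_web_authorization(a, user)}, "
              f"clear line={can_run(a, user, 'clear line')}")
    for f in findings(a):
        print("finding:", f)
```

Run against the sample, the report reproduces the document's table: user one at L15 with Web access, user three at L1 without it, and user four at L7 with access to clear line but not to configure terminal. The findings list is where the review value is: every account in the sample uses the reversible `password` keyword, and user one holds privilege 15 over HTTP, both worth a second look before the configuration is deployed.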

 

To address HTTP authentication problems, issue one of these commands:

  • debug aaa authentication: Displays information on AAA and TACACS+ authentication.
  • debug aaa authorization: Displays information on AAA and TACACS+ authorization.
  • debug radius: Displays detailed debugging information associated with RADIUS.
  • debug tacacs: Displays information associated with TACACS.
  • debug ip http authentication: Displays the authentication method the router attempted and authentication-specific status messages.

 

For more information, refer to Sample Configuration: Local Authentication for HTTP Server Users.

 

Cisco IOS Software Version

  • 12.0
  • 12.1
  • 12.2
  • 12.3