Category: access control
CLI command logging without TACACS+
The Cisco IOS’s AAA architecture contains many handy features, including authorizing and logging every CLI command executed on the router. Unfortunately, the AAA command accounting only supports TACACS+ as the AAA transport protocol, making it unusable in RADIUS environments.
You can use Embedded Event Manager as a workaround. The following configuration commands will log every command executed on the router.
Use Cisco IOS FTP server to bypass Microsoft "security patch"
Microsoft decided a while ago to disable the ability to send username and password encoded in URL to a web server. This "security patch" also prevents you from serving files from Cisco IOS web server without explicit user login (IOS web server does not support anonymous access). However, as the Microsoft patch does not affect FTP, you can use FTP server embedded in most Cisco IOS images and download files to your web browser with the ftp://user:password@router/file URL.
To enable FTP server in Cisco IOS, use the ftp-server enable configuration command followed by the ftp-server topdir directory command which specifies the top-level FTP directory (for example, flash:). To authenticate FTP users, define local usernames with the username user password password configuration command.
add comment
To enable FTP server in Cisco IOS, use the ftp-server enable configuration command followed by the ftp-server topdir directory command which specifies the top-level FTP directory (for example, flash:). To authenticate FTP users, define local usernames with the username user password password configuration command.
Disable command execution with Cisco IOS web server
If you give your users guest access to a router, you might want to disable some web-based applications the router usually offers (for example, command execution). To do this, use the following steps (first supported in IOS release 12.3(14)T, integrated in 12.4):
add comment
- List all the web applications your Cisco IOS supports with the show ip http server session-module command. By default, all web applications should be active.
- Create a subset of applications you want to activate with the ip http session-module-list list-name module-list. global configuration command, for example.
- Activate the desired applications with the ip http active-session-modules list-name configuration command (you should also use the ip http secure-active-session-modules command if you've enabled HTTPS server).
- Verify the results with the show ip http server session-module command. Only the applications listed in your module list should be active, all others should be inactive.
ip http session-module-list NoExec HTTP_IFS,HOME_PAGE,QDM,QDM_SA,XML_Api,EzVPN-Web-Intercept
Include a default username/password in web request
I've got a great question related to a previous post:
add comment
Is there anyway to send the username and password with the URL request to the router so the user is not prompted for the login?You can specify username and password as part of standard URL syntax http://username:password@host/rest-of-url, so to execute a show ip interface brief command you could use this URL (after configuring multilevel web access on the router):
http://guest:guest@router/level/1/exec/show/ip/interface/briefNote: this syntax no longer works in Internet Explorer with latest security patches, please read http://support.microsoft.com/kb/834489 for more information on how to re-enable this behavior.