Many Cisco devices allow access to the User and Privilege
modes via a web browser. Figure 2-5 shows an example of the opening screen
for a 2500 model router. While not as extensive or friendly as some
manufacturers’ web interfaces, it does enable the user to view the interfaces,
view the diagnostic log, ping the device, execute commands, and open a telnet
session.
For this feature to work, the ip http server
command must be issued in Global Configuration mode because the default is for
the service to be off. The command allows the device to act as an HTTP server.
Many company security policies require the feature to be turned off by issuing a
no ip http server command to reduce the exposure to
unauthorized access.
Another alternative is to use a standard ACL to limit which
host(s) can access the device from a web interface. The basic steps include the
ip http server command, any ACL statement(s) required to
define the authorized host(s), and the ip http access-class {acl-num | acl-name}
command. The following lines show an example of the commands:
Rtr1#conf t
Rtr1(config)#ip http server
Rtr1(config)#access-list 90 permit 192.168.0.10
Rtr1(config)#access-list 90 permit 192.168.5.0 0.0.0.31
Rtr1(config)#access-list 90 permit 192.168.45.0 0.0.0.255
Rtr1(config)#ip http access-class 90
Rtr1(config)#^Z
Rtr1#
The lack of a permit any statement limits access to those
specifically defined in the permit statement(s). Any time the device is accessed
with a web browser, a login screen appears asking for a user name and password.
With the previous configuration, the device host name (Rtr1) would be the user
name and the enable secret password would be the password.
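To make the first-match and implicit-deny behaviour of that standard ACL concrete, the following Python script (an added example, not from the book or from Cisco) models how IOS evaluates access-list 90 against a set of constructed source addresses: each entry is compared using its wildcard mask (a 1 bit means "don't care"), the first matching entry decides, and a source that matches nothing is denied. The entry list and the sample addresses are constructed to mirror the configuration above; the function names are assumptions for this illustration only.

```python
import ipaddress

# Constructed representation of the standard ACL 90 from the configuration above,
# as (action, base-address, wildcard-mask) tuples in the order they were entered.
# The single-host line "permit 192.168.0.10" is equivalent to a 0.0.0.0 wildcard.
ACL_90 = [
    ("permit", "192.168.0.10", "0.0.0.0"),    # exactly one host
    ("permit", "192.168.5.0", "0.0.0.31"),    # 192.168.5.0 through 192.168.5.31
    ("permit", "192.168.45.0", "0.0.0.255"),  # the whole 192.168.45.0/24 block
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Return True if addr matches base under an IOS-style wildcard mask.

    In a wildcard mask a 1 bit means the corresponding address bit is ignored
    and a 0 bit means it must equal the base address (the inverse of a subnet mask).
    """
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care_bits = 0xFFFFFFFF ^ w          # bits that must match
    return (a & care_bits) == (b & care_bits)


def acl_decision(acl, src: str) -> str:
    """Evaluate a standard ACL top-down; first match wins, no match is an implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"  # the unwritten "deny any" at the end of every IOS ACL


def http_access_report(acl, sources):
    """Map each candidate source address to the verdict the ACL would give it."""
    return {src: acl_decision(acl, src) for src in sources}


if __name__ == "__main__":
    # Constructed sample of hosts attempting to reach the router's HTTP server.
    sample = [
        "192.168.0.10",    # the permitted single host
        "192.168.0.11",    # neighbour of the permitted host, not listed
        "192.168.5.20",    # inside the 0.0.0.31 range
        "192.168.5.40",    # just outside the 0.0.0.31 range
        "192.168.45.200",  # inside the /24
        "10.0.0.5",        # matches nothing
    ]
    for src, verdict in http_access_report(ACL_90, sample).items():
        print(f"{src:16} -> {verdict}")
```

Running the script shows that 192.168.5.40 is denied even though it sits on the same /24 as a permitted range, because the 0.0.0.31 wildcard only covers the first 32 addresses; that is the kind of off-by-a-bit mistake worth checking before applying an access-class to a management interface.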
Controlling the access further is possible with the ip http authentication
command, which supports several methods of establishing the user name/password
combinations. The syntax would be:
ip http authentication {aaa | enable | local | tacacs}