Hypertext Transfer Protocol

HTTP, used by web browsers and web servers, transfers files, such as text and graphic files. HTTP can also authenticate users with username and password verification between clients and web servers.

Cisco IOS routers can be configured from a browser client. By default, Cisco routers are disabled for HTTP servers (HTTP is enabled by default on a few Cisco 1000 models, namely the Cisco 1003, 1004, and 1005 model routers), and there have been issues with users entering certain hash pairs to gain access to configuration commands when HTTP has been enabled. Fortunately, the latest versions of Cisco IOS code have been strengthened, and users must now enter valid username and password pairings (which means a hashed pair can be checked; only a valid username/password pair can produce the required hash) to gain access to the configuration options. HTTP authentication is not very secure, so Secure Sockets Layer (SSL) was developed to provide a stronger method to authenticate HTTP users.

NOTE For more details on the HTTP security vulnerability with Cisco IOS software, visit http://www.cisco.com/en/US/products/products_security_advisory09186a00800b1393.shtml.

To view the router's home page, use a web browser pointed to http://a.b.c.d, where a.b.c.d is the IP address of your router or access server. If a name has been set via a DNS server, use http://


Figure 2-4 displays a sample HTTP request to a remote router with the IP address displaying the request for a valid username and password. The default username is the Cisco router's local host name, and the password is set to the enable or secret password.

Figure 2-4 HTTP Authentication on a Cisco Router

Figure 2-4 HTTP Authentication on a Cisco Router

After the user is authenticated, the user enters the remote IP address or DNS name.

Varying forms of authentication for login can be set using the ip http authentication command. However, the default login method is to enter the host name as the username and the enable or secret password as the password, as displayed in Figure 2-4.

After the user is authenticated with the correct username and password pairing, the user is permitted HTTP access. Figure 2-5 displays the options available after authentication. Note that the HTML options may be different, depending on the Cisco IOS revision of your router.

After HTTP is authenticated, the available options are identical to the command-line interface (CLI) prompt. Depending on the configurable username and password pairing on the router, you will have certain privilege levels. For example, if you type the username as the local host name of the Cisco IOS router and the enable or secret password as completed in Figure 2-5, you will have privilege level 15, which is the same as the PRIV level on the CLI permitting all Cisco IOS commands. If the username/password pairing has a lower privilege level (via the ip http authentication command), the corresponding Cisco IOS command set will be available via HTTP. For example, a user with privilege level 5 will not have the option to reload the router. The user can also click the option (via the HTTP GUI interface) labeled Monitor the router, as shown in Figure 2-5, to access the CLI.

Figure 2-5 HTTP Web Page on a Cisco Router

Figure 2-5 HTTP Web Page on a Cisco Router

NOTE The command to disable an HTTP server on a Cisco router is no ip http server. To set username/password pairs, use the following Cisco IOS command: username username privilege [0-15] password password

You can also define the HTTP port number with the following command:

ip http [0-65535]

The default is 80. You can restrict access to the router by using an access list that defines networks and/or hosts permitted to access the router via HTTP.

0 0

Post a comment