Hypertext Transfer Protocol

Hypertext Transfer Protocol (HTTP), used by web browsers and web servers, transfers files such as text and graphic files. HTTP can also authenticate users by checking a username and password exchanged between the client and the web server.

Cisco IOS routers can be configured from a browser client. By default, the HTTP server is disabled on Cisco routers (it is enabled by default on a few Cisco 1000 models, namely the Cisco 1003, 1004, and 1005), and there have been issues with users entering certain hash pairs to gain access to configuration commands when HTTP has been enabled. Fortunately, the latest versions of Cisco IOS code have been strengthened, and users must now enter a valid username and password pairing to gain access to the configuration options. HTTP authentication by itself is not very secure, so Secure Sockets Layer (SSL) was developed to provide a stronger method of authenticating HTTP users.

NOTE For more details on the HTTP security vulnerability in Cisco IOS, please visit www.cisco.com/warp/public/707/ioshttpserver-pub.shtml.

To view the router's home page, point a web browser to http://a.b.c.d, where a.b.c.d is the IP address of your router or access server. If a host name has been registered for the router in DNS, you can use http://router-name instead.

Figure 3-4 shows a sample HTTP request to a remote router with the IP address 10.66.32.5, along with the router's prompt for a valid username and password. The default username is the Cisco router's local host name, and the password is the enable or secret password.

Figure 3-4 HTTP Authentication on a Cisco Router

[Figure: browser authentication dialog. Callouts: IP address of remote router; username and password are entered here.]

After the user is authenticated, the user enters the remote IP address or DNS name.

Different login authentication methods can be selected with the ip http authentication command. The default login method, however, is to enter the host name as the username and the enable or secret password as the password, as displayed in Figure 3-4.

After the user is authenticated with the correct username and password pairing, the user is permitted HTTP access. Figure 3-5 displays the options available after authentication.

After HTTP authentication succeeds, the available options are identical to those at the command-line interface (CLI) prompt. The privilege level you receive depends on the username and password pairing configured on the router. For example, if you enter the local host name of the IOS router as the username and the enable or secret password as the password, as shown in Figure 3-5, you will have privilege level 15, which is the same as the PRIV level on the CLI and permits all IOS commands. If the username/password pairing has a lower privilege level (via the ip http authentication command), the corresponding IOS command set will be available via HTTP. For example, a user with privilege level 5 will not have the option to reload the router.

Figure 3-5 HTTP Web Page on a Cisco Router

[Figure: router home page after authentication. Callouts: HTTP options, click to expand the IOS command set; Help options.]

NOTE The command to disable the HTTP server on a Cisco router is no ip http server. To set username/password pairs, use the following IOS command:

username username privilege [0-15] password password

You can also define the HTTP port number with the following command:

ip http port [0-65535]

The default is 80.
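The following IOS configuration is an added example, not taken from the book or from Cisco documentation. It ties together the ip http authentication command and privilege levels discussed above with the no ip http server, username, and ip http port commands from the NOTE, showing how an administrator would either disable the HTTP server or, if the web interface is needed, move it off the default host-name/enable-password login. The passwords are placeholders, the access list and the 10.66.32.0/24 management subnet are constructed for the example, and the ip http access-class and ip http secure-server commands are assumed to be available on the image in use (they are feature-set and version dependent).

```cisco
! Added example (not from the book). Hardening the IOS HTTP server.
! Assumes: IOS image supports 'ip http authentication local',
! 'ip http access-class' and 'ip http secure-server' (version dependent).
!
! If the web interface is not needed at all, this single line is the
! right answer and nothing below is required:
no ip http server
!
! Otherwise, keep it but replace the default login described in the
! chapter (host name + enable/secret password, privilege 15).
!
! 1. Local users with explicit privilege levels. 'secret' stores a hash,
!    unlike the reversible type-7 string produced by 'password'.
username webadmin privilege 15 secret <admin-password-placeholder>
username webview  privilege 5  secret <operator-password-placeholder>
!
! 2. Authenticate HTTP logins against those local accounts rather than
!    the enable password. A level-5 login will not be offered 'reload'.
ip http authentication local
!
! 3. Limit which source addresses may reach the HTTP server at all
!    (standard ACL 10 and the 10.66.32.0/24 subnet are constructed).
access-list 10 remark Hosts allowed to reach the IOS web UI
access-list 10 permit 10.66.32.0 0.0.0.255
access-list 10 deny   any log
ip http access-class 10
!
! 4. Move the listener off the default port 80. This only reduces noise
!    from scanners; it is not a security control on its own.
ip http port 8080
!
! 5. Because HTTP authentication sends credentials unprotected, prefer
!    HTTPS where the image supports it and drop the clear-text listener.
ip http secure-server
no ip http server
!
! Verification after the change:
! show ip http server status
! show running-config | include ip http
```

Steps 1 through 4 can be applied on images without SSL support; step 5 replaces the clear-text server entirely, which is the end state to aim for whenever the router must remain browser-manageable.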
