12-30-2011 11:31 AM - edited 03-10-2019 06:40 PM
Hi Everyone,
I have an interesting dilemma. I have a customer who used to own a 3750 with an older version of IOS. The switch he had used a three-year-old version of IOS, which allowed him to browse to the switch IP and manage it via HTTP without entering a password at all. Now that he has a replacement switch with a new version of IOS (since the previous switch died), we slapped the config on from the old switch, but no matter what we do (understanding that new http aaa authentication commands were added) we can't get this thing to let him in without prompting him for a password. I understand this was an insecure config to begin with, so I shouldn't be advocating using it in the first place, but this is what the customer wants.
Basically, what I'm trying to figure out is whether we are banging our heads into the wall for nothing, as the "ip http server" will not allow an authentication method of "none" anyway. None of the official documentation I have read for the http aaa authentication commands shows this as an example, nor have I found any blog posts on how to do it either. So is it even possible? Perhaps Cisco removed this by design. Does anyone know?
Here is the config:
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authentication login none none
ip http server
ip http authentication aaa login-authentication none
IOS ver: c3750-ipbase-mz.122-50.SE5.bin
-----------------------------------------------------------------------------------------------
I've also tried changing the config around (to no avail) to be:
aaa authentication login default none
ip http authentication aaa login-authentication default
Any ideas?
Thanks everyone.
12-30-2011 12:00 PM
Hello Kevin,
It seems that you are referring to the following bug:
"Symptom:
You may get into the switch via http without a username or password
Start out with a blank config.
Put an ip address on a vlan so that you can ping the 3750.
Then enter the following commands and nothing else
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
At this point you will be able to access the switch via http and modify the config. But, you will not be able to access it via telnet.
Workaround:
Make sure that you have a enable password on the box and /or the correct ip http auth command."
However, we cannot trigger the above behavior anymore on newer IOS releases. A username/password or at least an "enable" password is needed on newer IOS versions in order to access the switch GUI (HTTP) interface.
I have tested this in my lab with multiple variations of the configuration commands, always getting a username/password prompt that does not let me in if I leave the fields blank.
Hope this helps.
Regards.
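For reference, this is what the poster's configuration looks like once the "none" method is dropped and the web UI is put behind the device's own credentials, following the workaround quoted above (enable password plus the correct ip http auth command). This is an added example, not a configuration from either post; the username, secrets and the 192.0.2.0/24 management range are placeholders.

```cisco
! Added example: HTTP management restricted to authenticated local users over HTTPS.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
! enable secret stores a hash, unlike the plain "enable password"
enable secret PLACEHOLDER_ENABLE_SECRET
! local account the web UI authenticates against; "secret" also stores a hash
username admin privilege 15 secret PLACEHOLDER_STRONG_PASSWORD
! serve the web UI over TLS only
no ip http server
ip http secure-server
! point the web UI at the default AAA lists defined above instead of "none"
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
! optional: only allow the management subnet to reach the web UI at all
access-list 10 permit 192.0.2.0 0.0.0.255
ip http access-class 10
```

With this in place the browser prompt is expected, and an empty submission is rejected, which matches the behaviour described in the reply.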