cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2650
Views
1
Helpful
3
Replies

We need to enable HTTP and HTTPS on NAD (access switches) for posture but as per hardening standard we have to disable HTTP and HTTPS. Kindly suggest how to enable HTTP and HTTPS in secured manner, because customer is reluctant to enable http and https as

ankverma
Cisco Employee
Cisco Employee

We need to enable HTTP and HTTPS on NAD (access switches) for posture but as per hardening standard we have to disable HTTP and HTTPS. Kindly suggest how to enable HTTP and HTTPS in secured manner, because customer is reluctant to enable http and https as it will red flagged in their audits.

1 Accepted Solution

Accepted Solutions

The HTTP web redirect is a Cisco switch feature so please seek support from the Cisco switch platform team for further guidance. AFAIK setting active-session-modules to none should be able to eliminate the majority of vulnerabilities.

ISE has a up-coming feature to not relying on switch redirects. Please join ISE beta community for more details.

View solution in original post

3 Replies 3

hslai
Cisco Employee
Cisco Employee

HTTPS is not required for posture. For HTTP, you may add the following:

ip http active-session-modules none

Thanks Hsing. The concern here from the customer is that they dont want to enable http or https services on the switches since this will be flagged in their Audits as a vulnerability. Our hardening guides for switches also suggests disabling http and https. For posture, we need url redirection and redirection will not work without “ip http server”.

We've suggested them to use ip http access-class as of now to only allow specific ip addresses, however for ISE posture, we need to enable all internal IP addresses which again is a concern with customer.

The question is how we can avoid this since the customer is not willing to enable http on the switches.

The HTTP web redirect is a Cisco switch feature so please seek support from the Cisco switch platform team for further guidance. AFAIK setting active-session-modules to none should be able to eliminate the majority of vulnerabilities.

ISE has a up-coming feature to not relying on switch redirects. Please join ISE beta community for more details.