01-02-2017 04:54 AM
We need to enable HTTP and HTTPS on the NAD (access switches) for posture, but as per the hardening standard we have to disable HTTP and HTTPS. Kindly suggest how to enable HTTP and HTTPS in a secure manner, because the customer is reluctant to enable HTTP and HTTPS as it will be red-flagged in their audits.
01-02-2017 06:25 AM
HTTPS is not required for posture. For HTTP, you may add the following:
ip http active-session-modules none
01-02-2017 09:59 PM
Thanks Hsing. The concern here from the customer is that they don't want to enable HTTP or HTTPS services on the switches, since this will be flagged in their audits as a vulnerability. Our hardening guides for switches also suggest disabling HTTP and HTTPS. For posture, we need URL redirection, and redirection will not work without “ip http server”.
We've suggested that they use ip http access-class for now to allow only specific IP addresses; however, for ISE posture we need to enable all internal IP addresses, which again is a concern for the customer.
The question is how we can avoid this, since the customer is not willing to enable HTTP on the switches.
01-03-2017 08:04 AM
The HTTP web redirect is a Cisco switch feature so please seek support from the Cisco switch platform team for further guidance. AFAIK setting active-session-modules to none should be able to eliminate the majority of vulnerabilities.
ISE has an upcoming feature to not rely on switch redirects. Please join the ISE beta community for more details.
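The settings discussed in this thread, as an added example that is not part of the original posts and is not Cisco tooling: a small Python check that can be run over a saved running-config to show an auditor whether the switch HTTP server is limited to the redirect-only setup suggested above. The function name and both sample configs are constructed for illustration.

```python
# Constructed sample running-config excerpts (not from a real device).
REDIRECT_ONLY = """\
ip http server
ip http active-session-modules none
no ip http secure-server
"""
DEFAULT_HTTP = """\
ip http server
ip http secure-server
ip http access-class 10
"""


def audit_http(config: str) -> dict:
    """Report the state of the switch HTTP settings named in the thread."""
    lines = [line.strip() for line in config.splitlines()]

    def has(cmd: str) -> bool:
        # Exact match, so a negated "no ip http server" line does not count.
        return cmd in lines

    result = {
        "http_server": has("ip http server"),
        "https_server": has("ip http secure-server"),
        "http_modules_none": has("ip http active-session-modules none"),
        # First access-class line, if any (restricts who may reach the server).
        "access_class": next(
            (l for l in lines if l.startswith("ip http access-class ")), None
        ),
    }
    findings = []
    if result["http_server"] and not result["http_modules_none"]:
        findings.append("HTTP server on with session modules active: "
                        "add 'ip http active-session-modules none'")
    if result["https_server"]:
        findings.append("HTTPS server on: per the thread, HTTPS is not "
                        "required for posture")
    if not result["http_server"]:
        findings.append("HTTP server off: per the thread, URL redirection "
                        "for posture will not work")
    result["findings"] = findings
    return result


if __name__ == "__main__":
    for name, cfg in (("redirect-only", REDIRECT_ONLY), ("default", DEFAULT_HTTP)):
        print(name, audit_http(cfg)["findings"])
```

The check only reads lines present in the supplied text, so it should be run against the full running-config export rather than a filtered view.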