ip http server (with no authentication)

KEVIN DELANEY
Level 1

Hi Everyone,

I have an interesting dilemma. I have a customer who used to own a 3750 with an older version of IOS. The switch he had used a three-year-old version of IOS which allowed him to browse to the switch IP and manage it via HTTP without entering a password at all. Now he has a replacement switch with a new version of IOS (since the previous switch died). We slapped the config on from the old switch, but no matter what we do (understanding that new http aaa authentication commands were added) we can't get this thing to let him in without prompting him for a password. I understand this was an insecure config to begin with, so I shouldn't be advocating using it in the first place, but this is what the customer wants.

Basically what I'm trying to figure out is: are we banging our heads into the wall for nothing, as the "ip http server" will not allow an authentication method of "none" anyway? None of the official documentation I have read for the http aaa authentication commands shows this as an example, nor have I found any blog posts on how to do it either. So is it even possible? Perhaps Cisco removed this by design. Does anyone know?

Here is the config:

aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authentication login none none
ip http server
ip http authentication aaa login-authentication none

IOS version: c3750-ipbase-mz.122-50.SE5.bin

-----------------------------------------------------------------------------------------------

I've also tried changing the config around (to no avail) to be:

aaa authentication login default none
ip http authentication aaa login-authentication default

Any ideas?

Thanks everyone.

1 Reply

camejia
Level 3

Hello Kevin,

It seems that you are referring to the following bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsb59717

"Symptom:

You may get into the switch via http without a username or password

Start out with a blank config.

Put an ip address on a vlan so that you can ping the 3750.

Then enter the following commands and nothing else

aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common

At this point you will be able to access the switch via http and modify the config. But, you will not be able to access it via telnet.

Workaround:

Make sure that you have an enable password on the box and/or the correct ip http auth command."

However, we cannot trigger the above behavior anymore on newer IOS releases. A username/password or at least an "enable" password is needed on newer IOS versions in order to access the switch GUI (HTTP) interface.

I have tested this in my lab with multiple variations of the configuration commands, always getting a username/password prompt and not being let in when leaving the prompt fields blank.

Hope this helps.

Regards.
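The thread turns on one question: which AAA method list the HTTP server's login actually resolves to, and whether that list ends in "none". The following script is an added example, not code from the thread or from Cisco. It parses plain-text IOS configuration lines the way a config-audit job would, resolves "ip http authentication" to its method list, and flags the conditions a defender wants to catch: plaintext HTTP management enabled, HTTP login resolving to no authentication, and no "ip http access-class" ACL restricting where management connections may come from. The first sample is the configuration quoted in the question; the second is a constructed hardened counterpart (the list name HTTP_AUTH, the username, the ACL number and the 192.0.2.0/24 range are illustrative assumptions, not values from the thread). The assumed default when no "ip http authentication" line is present is the enable password, as Cisco documents it.

```python
"""Audit a Cisco IOS config excerpt for weak HTTP management settings.

Added example (not from the original thread). It reports the settings a
defender cares about: HTTP enabled at all, the AAA method list that
"ip http authentication" resolves to, whether that list contains "none",
and whether an "ip http access-class" ACL restricts management sources.
"""
import re

# Configuration quoted from the question (with "aaa new model" written as the
# real keyword "aaa new-model").
POSTED_CONFIG = """
aaa new-model
aaa authentication login default local
aaa authentication enable default none
aaa authentication login none none
ip http server
ip http authentication aaa login-authentication none
"""

# Constructed hardened counterpart. Assumptions: the list name HTTP_AUTH, the
# username, ACL 10 and the 192.0.2.0/24 range are illustrative placeholders.
HARDENED_CONFIG = """
aaa new-model
aaa authentication login default local
aaa authentication login HTTP_AUTH local
username admin privilege 15 secret <set-a-real-secret>
no ip http server
ip http secure-server
ip http authentication aaa login-authentication HTTP_AUTH
ip http access-class 10
access-list 10 permit 192.0.2.0 0.0.0.255
"""

# "aaa authentication login <list-name> <method> [<method> ...]"
LOGIN_LIST = re.compile(r"^aaa authentication login (\S+)\s+(.+)$")


def parse_config(text):
    """Return (non-comment config lines, {login list name: [methods]})."""
    lines = [l.strip() for l in text.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    login_lists = {}
    for line in lines:
        m = LOGIN_LIST.match(line)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    return lines, login_lists


def http_auth_methods(lines, login_lists):
    """Resolve the method list the HTTP server uses for login.

    Returns a list of method keywords; an empty list means the config points
    at an AAA login list that is never defined.
    """
    mode = "enable"      # assumed IOS default: the enable password
    list_name = None
    for line in lines:
        if line.startswith("ip http authentication "):
            parts = line.split()
            mode = parts[3]
            if mode == "aaa":
                # Optional "login-authentication <list>"; otherwise "default".
                if len(parts) >= 6 and parts[4] == "login-authentication":
                    list_name = parts[5]
                else:
                    list_name = "default"
    if mode == "aaa":
        return login_lists.get(list_name, [])
    return [mode]


def audit(text):
    """Return a list of human-readable findings for one config excerpt."""
    lines, login_lists = parse_config(text)
    findings = []
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    if http_on:
        findings.append("plaintext HTTP management enabled (ip http server)")
    if http_on or https_on:
        methods = http_auth_methods(lines, login_lists)
        if not methods:
            findings.append("ip http authentication references an undefined AAA login list")
        elif "none" in methods:
            findings.append("HTTP login resolves to no authentication: " + " ".join(methods))
        if not any(l.startswith("ip http access-class ") for l in lines):
            findings.append("no ip http access-class ACL restricting management sources")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label + ":")
        for f in audit(cfg) or ["no findings"]:
            print("  - " + f)
```

Run against the posted configuration, the audit reports three findings, the middle one showing that "login-authentication none" resolves, through the list named "none", to the method "none"; against the hardened configuration it reports nothing, since HTTP is replaced by HTTPS, the login list resolves to "local", and an access-class ACL is present.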