IOS 15.1- IP HTTP access without a password

Michael Durham · ‎05-20-2019

I have a 2811 router and I have created a custom home.html page; nothing fancy. This page has links to several .pdf files and one custom support page. It all works but a password and username are required.

I would like to not need a username and password to access my custom home page as it does not execute any router commands. If I must, as username without password would also work.

However, to access the support.html custom page, a password could be required as this page does execute one router command, enabling or disabling a VPN tunnel. But, to be honest, I really do not need a password for this either.

Any suggestions?

Giuseppe Larosa · ‎05-24-2019

Hello Michael,

for security reasons I recommend to keep authentication with username/password for http access.

I am afraid you cannot disable HTTP authentication only for the custom page.

Hope to help

Giuseppe

Michael Durham · ‎05-24-2019

Is there any way to set the privilege level to 5 for IP http? That would meet my needs also. But no authorization would be better. I understand the risks.

pieterh · ‎05-27-2019

If you do not use the command "ip http authentication "command, the default authentication method is used.

The default method of authentication for the HTTP server is to use the configured "enable" password.

=> To configure HTTP access as part of a AAA policy, use the ip http authentication aaa command option. The "local", "tacacs", or "enable" authentication methods should then be configured using the aaa authentication login command.

You can create a local username with lower privilege level for this

Michael Durham · ‎05-28-2019

Its not working but here is what I did. What is missing?

My goal, two users can login and see my custom web page and open the .pdf files stored on the router's CF card (they will NOT be running any router commands) and one user having full access via telnet, ssh, and the web interface.

!
aaa new-model
!
aaa authentication login default local
aaa authentication login web local
aaa authorization exec web local
!
username dmox privilege 5 password 123456
username mowens privilege 5 password 123456
username support privilege 15 password 987654321
!
ip http server
ip http authentication aaa login-authentication web
ip http authentication aaa exec-authorization web
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:/GUI

pieterh · ‎05-28-2019

This idoes not work as intended: "aaa authentication login web local"

syntax is: ip http authentication {aaa | enable | local | tacacs}

in your line the word "web" refers to a authentication group named web (radius or tacacs+ server ), which is not defined

same for "ip http authentication aaa login-authentication web"

try this for local authentication only:

ip http authentication aaa

aaa authentication login default local

Michael Durham · ‎05-29-2019

When I try to login with user dmox and their password, the username/password box just comes right back. They never get login in. If I use the uesername support, they get in.

!
aaa new-model
aaa authentication login default local
aaa session-id common
ip http authentication aaa
!
username dmox privilege 5 password 123456
!