Core issue
Cisco routers permit a user to connect to a router using HTTP. You must explicitly enable this functionality and also implement the security mechanism to permit such connections.
After using HTTP to log in to the router, the user is prompted for the username and password. After the authentication and authorization, the user is given a certain privilege level. That privilege could also allow the user to execute a certain set of specified user commands.
Note: Before implementing the procedures in this document, refer to the Cisco Security Advisory on the IOS HTTP Authorization Vulnerability.
Resolution
This is a sample configuration of TACACS+ authentication with Cisco IOS Software Releases 11.3.3.T to 12.0.5.T:
aaa new-model
!--- Enable Authentication, Authorization and Accounting (AAA).
aaa authentication login default tacacs+
aaa authorization exec default tacacs
ip http server
!--- Enable HTTP connectivity to the router.
ip http authentication aaa|tacacs
!--- Specify AAA or TACACS authentication for HTTP connections.
!--- You can use either AAA or TACACS for these versions of Cisco IOS Software.
tacacs-server host 171.68.118.101
!--- Specify the TACACS server IP address.
tacacs-server key cisco
privilege exec level 7 clear line
!--- Change the clear line command to a privilege Level 7 (L7) command.
!--- This example shows how users can be restricted from executing certain commands.
This is a sample configuration of TACACS+ authentication with Cisco IOS Software Releases 11.3.3.T to 12.0.5.T and later:
aaa new-model
!--- Enable AAA.
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
!--- By default, use TACACS+ authentication and authorization.
ip http server
!--- Enable HTTP connectivity to the router.
ip http authentication aaa
!--- Specify AAA authentication for HTTP connections.
tacacs-server host 171.68.118.101
!--- Specify the TACACS+ server IP address.
tacacs-server key cisco
!--- Specify the TACACS+ server key. This must match the key on the server.
privilege exec level 7 clear line
!--- Change the clear line command to a privilege L7 command.
!--- This example shows how users can be restricted from executing certain commands.
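The two configurations above share one shape: AAA enabled, TACACS+ method lists for login and exec, HTTP authentication pointed at AAA (or TACACS) rather than left at the IOS default, and a TACACS+ server with a matching key. The following Python script is an added example, not Cisco code, that audits a saved running-config for exactly those lines and lists the privilege-level overrides it finds. The sample configuration, the regular expressions and the finding messages are constructed for this example; it assumes the config is plain text in the form shown on this page.

```python
"""Audit a saved IOS configuration for the HTTP/TACACS+ settings shown above."""
import re

# Constructed sample (not from a real device). It deliberately omits
# `ip http authentication` so the audit has something to flag.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
ip http server
tacacs-server host 171.68.118.101
tacacs-server key cisco
privilege exec level 7 clear line
"""


def parse_config(text):
    """Return the non-empty, non-comment lines of an IOS config as a list."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        lines.append(line)
    return lines


def audit_http_auth(text):
    """Return a list of findings (empty when the config matches the page's shape:
    AAA on, TACACS+ login/exec methods, HTTP auth via aaa/tacacs, server + key)."""
    lines = parse_config(text)
    findings = []

    def has(pattern):
        return any(re.fullmatch(pattern, line) for line in lines)

    if not has(r"ip http server"):
        return findings  # HTTP server is off; nothing to audit

    if not has(r"aaa new-model"):
        findings.append("aaa new-model missing: AAA method lists cannot apply")
    if not has(r"aaa authentication login default( group)? tacacs\+.*"):
        findings.append("no TACACS+ login authentication method list")
    if not has(r"aaa authorization exec default( group)? tacacs\+?.*"):
        findings.append("no TACACS+ exec authorization method list")

    auth = [line for line in lines if line.startswith("ip http authentication")]
    if not auth:
        findings.append("ip http authentication not set (IOS default applies)")
    elif auth[0].split()[-1] not in ("aaa", "tacacs"):
        findings.append(f"ip http authentication uses {auth[0].split()[-1]}, not aaa/tacacs")

    if not has(r"tacacs-server host \S+.*"):
        findings.append("no tacacs-server host configured")
    if not has(r"tacacs-server key .+"):
        findings.append("no tacacs-server key configured")
    return findings


def privilege_overrides(text):
    """Map each command re-levelled with `privilege exec level N ...` to its level."""
    overrides = {}
    for line in parse_config(text):
        m = re.fullmatch(r"privilege exec level (\d+) (.+)", line)
        if m:
            overrides[m.group(2)] = int(m.group(1))
    return overrides


if __name__ == "__main__":
    for finding in audit_http_auth(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("privilege overrides:", privilege_overrides(SAMPLE_CONFIG))
```

Run it against `show running-config` output saved to a file; a non-empty finding list means the HTTP server is reachable with something other than the AAA/TACACS+ authentication this page configures.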
This output was obtained from the Cisco Secure ACS for Windows (ACS) server:
# ./ViewProfile -p 9900 -u one
User Profile Information
user = one{
profile_id = 27
profile_cycle = 1
password = clear "********"
default service=permit
service=shell {
set priv-lvl=15
}
}

# ./ViewProfile -p 9900 -u two
User Profile Information
user = two{
profile_id = 28
profile_cycle = 1
password = clear "********"
service=shell {
set priv-lvl=15
}
}

# ./ViewProfile -p 9900 -u three
User Profile Information
user = three{
profile_id = 29
profile_cycle = 1
password = clear "********"
default service=permit
}

# ./ViewProfile -p 9900 -u four
User Profile Information
user = four{
profile_id = 30
profile_cycle = 1
password = clear "********"
default service=permit
service=shell {
set priv-lvl=7
}
}
The users configured in this example experience this behavior when they attempt to connect:
Note: Ensure that the users are appropriately configured on the TACACS+ server. For more information, refer to the server documentation.
- User one:
  - The user passes Web authorization if the URL is entered as http://#.#.#.#.
  - After a Telnet to the router, the user can perform all commands after login authentication.
  - The user is in enable mode after login (show privilege is Level 15 [L15]).
  - If command authorization is added to the router, the user still succeeds in all commands.
- User two:
  - The user passes Web authorization if the URL is entered as http://#.#.#.#.
  - After a Telnet to the router, the user can perform all commands after login authentication.
  - The user is in enable mode after login (show privilege is L15).
  - If command authorization is added to the router, the user fails all commands, because the server configuration does not authorize them.
- User three:
  - The user fails Web authorization because no privilege level is assigned.
  - After a Telnet to the router, the user can perform all commands after login authentication.
  - The user is in non-enable mode after login (show privilege is Level 1 [L1]).
  - If command authorization is added to the router, the user still succeeds in all commands.
- User four:
  - The user passes Web authorization if the URL is entered as http://#.#.#.#/level/7/exec.
  - The L1 commands plus the L7 clear line command appear.
  - After a Telnet to the router, the user can perform all commands after login authentication.
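The behaviors listed for users one to four follow from two profile attributes in the ViewProfile output: whether `set priv-lvl=N` is present (and its value) and whether `default service=permit` is present. The script below is an added example, not part of the page or of Cisco Secure ACS, that parses profiles in that output format and derives the expected outcome for each user, so an administrator can check a profile against the intended access before a user logs in. The sample profile text is constructed to mirror the four profiles above; the field names and outcome strings are this example's own assumptions.

```python
"""Parse ViewProfile-style TACACS+ profiles and derive the per-user behavior
described above (web authorization, privilege level, command authorization)."""
import re

# Constructed sample in the shape of the ViewProfile output above
# (not captured from a real ACS server).
SAMPLE_PROFILES = """\
# ./ViewProfile -p 9900 -u one
user = one{
password = clear "********"
default service=permit
service=shell {
set priv-lvl=15
}
}
# ./ViewProfile -p 9900 -u two
user = two{
password = clear "********"
service=shell {
set priv-lvl=15
}
}
# ./ViewProfile -p 9900 -u three
user = three{
password = clear "********"
default service=permit
}
# ./ViewProfile -p 9900 -u four
user = four{
password = clear "********"
default service=permit
service=shell {
set priv-lvl=7
}
}
"""


def parse_profiles(text):
    """Return {username: {"default_permit": bool, "priv_lvl": int or None}}."""
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"user = (\S+)\{", line)
        if m:
            current = m.group(1)
            profiles[current] = {"default_permit": False, "priv_lvl": None}
            continue
        if current is None:
            continue
        if line == "default service=permit":
            profiles[current]["default_permit"] = True
        m = re.fullmatch(r"set priv-lvl=(\d+)", line)
        if m:
            profiles[current]["priv_lvl"] = int(m.group(1))
    return profiles


def predict_behavior(profile):
    """Map profile attributes to the outcomes the page lists.

    - Web authorization requires a priv-lvl: level 15 passes at the plain URL,
      a lower level only at http://#.#.#.#/level/<N>/exec.
    - Exec authorization sets the privilege level after login; no priv-lvl
      leaves the user at level 1 (non-enable mode).
    - With command authorization enabled, commands succeed only when the
      profile carries "default service=permit".
    """
    lvl = profile["priv_lvl"]
    if lvl is None:
        web, url = "fails", None
    elif lvl == 15:
        web, url = "passes", "http://#.#.#.#/"
    else:
        web, url = "passes", f"http://#.#.#.#/level/{lvl}/exec"
    return {
        "web_authorization": web,
        "web_url": url,
        "privilege_after_login": lvl if lvl is not None else 1,
        "command_authorization": "succeeds" if profile["default_permit"] else "fails",
    }


if __name__ == "__main__":
    for name, prof in parse_profiles(SAMPLE_PROFILES).items():
        print(name, predict_behavior(prof))
```

Feed it the concatenated output of ViewProfile for the users you want to review; a profile that reports `web_authorization: fails` or `command_authorization: fails` is one whose user will be refused in the corresponding scenario above.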
To troubleshoot HTTP authentication problems, issue one of these commands:
- debug aaa authentication: Displays information on AAA and TACACS+ authentication.
- debug aaa authorization: Displays information on AAA and TACACS+ authorization.
- debug tacacs: Displays information associated with TACACS.
- debug ip http authentication: Displays the authentication method the router attempted and authentication-specific status messages.
For more information, refer to Sample Configuration: Local Authentication for HTTP Server Users.