
Catalyst 3560/2960 Web-user management

Hi Guys,

We have quite a few 3560 & 2960 on our edge network - what I have been looking at was to access switches via web-interface i.e. web-browser. Only problem with this is it always gives you access on privilege level 15 which is not ideal as not all who we decide to give access to these switches will be admin and allowed to configure these switches - the 3560/2960 data sheet states:

"Alternatively, a local username and password database can be configured on the switch itself. Fifteen levels of authorization on the switch console and two levels on the Web-based management interface provide the ability to give different levels of configuration capabilities to different administrators"

Whereas there is no mention of how to configure these two levels of Web-based management in the configuration guide - as of now I have really struggled to find anything related to this on any forum - any help in how to set up this "two levels on the Web-based management interface" will be much appreciated.

Thanks in Advance

M Zeeshan Siddique

8 Replies

Antonio Knox
Level 7

HTTP & HTTPS access requires privilege 15, no way around that.  However........

Considering that Device Manager GUI is simply a visual overlay that pushes CLI commands to the switch, you should be able to leverage ACS for this task.  Create command authorization sets for the users in question and apply it to those particular user accounts in ACS.  This should prevent them from pushing commands/configurations to the switch that they are not authorized to push.

Please rate if helpful.

Florin Barhala
Level 6

Why would you use HTTP for switch access? Either way, I suggest you use "access-class" for HTTP access; configuring authorization levels without ACS will always be a headache.

Cheers for the reply guys - knew that wasn't going to be simple.

Much appreciate your help.

Hello,

I have the same problem you had. I have to configure web access for some Cisco 2960 and I have downloaded the right version with the "html" directory but when I try to access the equipment, I introduce the username and password and it does not run.

Could you please tell me if you were able to solve this and how could you do it?

I have a doubt about the flash. I have the "html" directory inside the directory of the right IOS, c2960-lanbasek9-tar.122-58.SE2.

Any comment will be very appreciated. I have to do it asap. The customer wants to have it configured.

Thank you.

Hello,

Only to leave the answer for any other who could have the same problem. It was solved using the enable password.

Thank you.

It is a large security risk keeping HTTP Server enabled. But if you do... ensure you have a firewall with an ACL only allowing certain IP addresses to access the switches' management VLAN addresses on port 80 and you should be pretty ok.

You would have to do a lot more planning surrounding the Access Switches' security.

glen.grant
VIP Alumni

At the very least you should run "https" if you need GUI function.

Hello everybody,

Yes, I had enabled the https, not the http, so thanks but yes, it is better https and I had configured it.

Regarding the ACL, I will try to configure it.

Thank you!
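
A check that ties together the access-class, ACL and HTTPS advice given in the replies above, as an added example that is not part of the thread: it audits a switch running-config for its web-management settings. The config excerpts, the hostname, ACL number 10 and the 192.0.2.0/24 management range are constructed assumptions.

```python
import re

# Constructed running-config excerpts (sample data, not taken from the thread).
WEAK_CONFIG = """\
hostname edge-sw-01
ip http server
ip http secure-server
"""

HARDENED_CONFIG = """\
hostname edge-sw-01
no ip http server
ip http secure-server
ip http access-class 10
ip http authentication local
access-list 10 permit 192.0.2.0 0.0.0.255
"""

def audit_http_management(config):
    """Return a list of findings for the web-management lines of an IOS config."""
    lines = [ln.strip() for ln in config.splitlines()]
    http_on = "ip http server" in lines          # "no ip http server" does not match
    https_on = "ip http secure-server" in lines
    findings = []
    if http_on:
        findings.append("cleartext HTTP server enabled; use 'no ip http server'")
    if http_on or https_on:
        acl = None
        for ln in lines:
            # Accept both "ip http access-class 10" and the "ipv4 <acl>" form.
            m = re.fullmatch(r"ip http access-class (?:ipv4 )?(\S+)", ln)
            if m:
                acl = m.group(1)
        if acl is None:
            findings.append("no 'ip http access-class': GUI reachable from any source")
        else:
            # Numbered ("access-list 10 ...") or named ("ip access-list standard X").
            pat = rf"(?:ip access-list \w+ |access-list ){re.escape(acl)}(?: |$)"
            if not any(re.match(pat, ln) for ln in lines):
                findings.append(f"access-class references ACL {acl}, not defined in this config")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_http_management(cfg) or "no findings")
```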
