08-16-2017 12:24 PM - edited 03-08-2019 11:46 AM
Hi,
I'm wondering if there is a way to remove the requirement of the http server to have a password?
"no ip http authentication" only removes the authentication method, but accessing the switch via http still requires a username/password.
The hardware is a Cisco 3560x running IOS c3560e-universalk9-mz.150-2.SE10a.
I'm not using it to do web configuration, just a little experimentation. I thought it'd be cool to host a JPG on the switch and display it on a monitoring webpage so I could easily see if a handful of switches are online without using secondary monitoring software.
Thanks!
-Billy
08-16-2017 12:49 PM
Billy,
it used to be that with only 'ip http server' and no enable password configured on the device, you could still get to the Web GUI. Not sure if that is still the case...
08-16-2017 02:22 PM
Georg,
I removed the enable password, and the web auth still comes up.
-Billy
08-17-2017 12:31 AM
Hello,
this used to be a bug in 12.x, I think they 'fixed' it in 15.x:
HTTP should deny access if no enable password is configured
CSCse85652
Description
Symptom:
The Cisco IOS HTTP server and the Cisco IOS HTTPS server provide web server functionality to be used by other Cisco IOS features that require it to function. For example, embedded device managers available for some Cisco IOS devices need the Cisco IOS HTTP server or the Cisco IOS HTTPS server to be enabled as a prerequisite.
One of the functionalities provided by the Cisco IOS HTTP server and the Cisco IOS HTTPS server is the WEB_EXEC module, which is the HTTP-based IOS EXEC Server. The WEB_EXEC module allows for both "show" and "configure" commands to be executed on the device through requests sent over the HTTP protocol.
Both the Cisco IOS HTTP server and the Cisco IOS HTTPS server use the locally configured enable password (configured by using the enable password or enable secret commands) as the default authentication mechanism for any request received. Other mechanisms can also be configured to authenticate requests to the HTTP or HTTPS interface. Some of those mechanisms are the local user database, an external RADIUS server or an external TACACS+ server.
If an enable password is not present in the device configuration, and no other mechanism has been configured to authenticate requests to the HTTP interface, the Cisco IOS HTTP server and the Cisco IOS HTTPS server may execute any command received without requiring authentication. Any commands up to and including commands that require privilege level 15 might then be executed on the device. Privilege level 15 is the highest privilege level on Cisco IOS devices.
Conditions:
For a Cisco IOS device to be affected by this issue all of the following conditions must be met:
* An enable password is not present in the device configuration
* Either the Cisco IOS HTTP server or the Cisco IOS HTTPS server is enabled
* No other authentication mechanism has been configured for access to the Cisco IOS HTTP server or Cisco IOS HTTPS server. Such mechanisms might include the local user database, RADIUS (Remote Authentication Dial In User Service), or TACACS+ (Terminal Access Controller Access-Control System)
The Cisco IOS HTTP server is enabled by default on some Cisco IOS releases.
Workaround:
Any of the following workarounds can be implemented:
* Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an enable password
Customers requiring the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server must configure an authentication mechanism for any requests received. One option is to use the enable password or enable secret commands to configure an enable password. The enable password is the default authentication mechanism used by both the Cisco IOS HTTP server and the Cisco IOS HTTPS server if no other method has been configured.
In order to configure an enable password by using the enable secret command, add the following line to the device configuration:
enable secret mypassword
Replace mypassword with a strong password of your choosing. For guidance on selecting strong passwords, please refer to your site security policy.
The document entitled "Cisco IOS Password Encryption Facts" explains the differences between using the enable secret and the enable password commands to configure an enable password. This document is available at the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00809d38a7.shtml
* Enabling authentication of requests to the Cisco IOS HTTP Server or the Cisco IOS HTTPS server by configuring an authentication mechanism other than the default
Configure an authentication mechanism for access to the Cisco IOS HTTP server or the Cisco IOS HTTPS server other than the default. Such authentication mechanism can be the local user database, an external RADIUS server, an external TACACS+ server or a previously defined AAA (Authentication, Authorization and Accounting) method. As the procedure to enable an authentication mechanism for the Cisco IOS HTTP server and the Cisco IOS HTTPS server varies across Cisco IOS releases and considering other additional factors, no example will be provided.
Customers looking for information about how to configure an authentication mechanism for the Cisco IOS HTTP server and for the Cisco IOS HTTPS server are encouraged to read the document entitled "AAA Control of the IOS HTTP Server", which is available at the following link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
* Disabling the Cisco IOS HTTP Server and/or the Cisco IOS HTTPS server functionality
Customers who do not require the functionality provided by the Cisco IOS HTTP server or the Cisco IOS HTTPS server can disable it by adding the following commands to the device configuration:
no ip http server
no ip http secure-server
The second command might return an error message if the Cisco IOS version installed and running on the device does not support the HTTPS server feature. This error message is harmless and can safely be ignored.
Please be aware that disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server may impact other features that rely on it. As an example, disabling the Cisco IOS HTTP server or the Cisco IOS HTTPS server will disable access to any embedded device manager installed on the device.
Further Problem Description:
In addition to the explicit workarounds detailed above it is highly recommended that customers limit access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server to only trusted management hosts. Information on how to restrict access to the Cisco IOS HTTP server and the Cisco IOS HTTPS server based on IP addresses is available at the following link:
http://www.cisco.com/en/US/docs/ios-xml/ios/https/configuration/12-4/nm-http-web.html#GUID-BB57C0D5-71DB-47C5-9C11-8146773D1127
Customers are also advised to review the "Management Plane" section of the document entitled "Cisco Guide to Harden Cisco IOS Devices" for additional recommendations to secure management connections to Cisco IOS devices. This document is available at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Details
Last Modified: Aug 9, 2017
Status: Fixed
Severity: 3 Moderate
Product: (11)
Cisco IOS
Cisco Catalyst 4500 Series Supervisor Engine V-10GE
Cisco Catalyst 4948 10 Gigabit Ethernet Switch
Cisco Catalyst 4500 Series Supervisor Engine II-Plus-TS
Cisco ME 4924-10GE Switch
Cisco Catalyst 4948 Switch
Cisco Catalyst 4500 Series Supervisor Engine II-Plus
Cisco Catalyst 4500 Supervisor Engine 6-E
Cisco Catalyst 4000/4500 Supervisor Engine V
Cisco Catalyst 4000/4500 Supervisor Engine IV
Cisco Catalyst 4500 Series Supervisor II-Plus-10GE
Support Cases:
5
Known Affected Releases: (3)
12.2(40)SG
12.2SE
12.3
Known Fixed Releases: (40)
15.2(6.3.0i)E
15.2(6.2.17i)E
15.2(6.0.21i)E
15.2(5.1.57i)E
15.2(5.0)ST
15.2(4.0.64a)E
15.2(4.0.0)E
15.2(4.0)ST
15.2(2.2.70)ST
15.2(1.30)PSR
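An added example, not part of this thread or of any Cisco tool: a small Python audit that checks a saved running-config for the three CSCse85652 conditions quoted above (HTTP or HTTPS server enabled, no enable password or secret, no other HTTP authentication method) and also notes when no `ip http access-class` restricts the server to management hosts. The sample configs, hostnames, ACL number and placeholder secrets are constructed for illustration.

```python
"""Audit a Cisco IOS running-config for the CSCse85652 conditions.
Added example: constructed sample configs, not Cisco's own tooling."""
import re


def audit_http_auth(config: str) -> list[str]:
    """Return findings for one running-config; an empty list means clean."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    def present(pattern: str) -> bool:
        # Exact-line match, so "no ip http server" never counts as enabled.
        return any(re.fullmatch(pattern, ln) for ln in lines)

    # Condition 2: HTTP or HTTPS server enabled. If neither is, nothing to flag.
    http_on = present(r"ip http server") or present(r"ip http secure-server")
    if not http_on:
        return []

    findings = []
    # Condition 1: an enable password or enable secret (plain or hashed form).
    enable_pw = present(r"enable (secret|password) .+")
    # Condition 3: a non-default HTTP auth method (local DB, AAA, TACACS+).
    # Note that "username" lines alone do not switch HTTP auth to local.
    other_auth = present(r"ip http authentication (local|aaa|tacacs)( .+)?")
    if not enable_pw and not other_auth:
        findings.append("CSCse85652: HTTP/HTTPS server enabled with no enable "
                        "password and no other HTTP authentication method")
    # Recommendation from the bug's further description: restrict by source IP.
    if not present(r"ip http access-class .+"):
        findings.append("HTTP/HTTPS server not restricted to management hosts "
                        "(no 'ip http access-class')")
    return findings


# Constructed sample configs. The first reproduces all three conditions (the
# local username does not help because HTTP auth still defaults to enable);
# the second applies the workarounds plus an access-class.
VULNERABLE_CONFIG = """\
hostname sw-lab
username billy privilege 15 secret PLACEHOLDER_SECRET
ip http server
no ip http authentication
"""

HARDENED_CONFIG = """\
hostname sw-lab
enable secret PLACEHOLDER_STRONG_SECRET
username netadmin privilege 15 secret PLACEHOLDER_STRONG_SECRET
access-list 10 permit 192.0.2.0 0.0.0.255
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_http_auth(cfg) or ["OK"])
```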