07-16-2024 11:51 AM
Hi,
There is a vulnerability on ip identd for Cisco IOS and IOS-XE. However, when I tried configuring "no ip identd", switch return invalid command. Latest version of CIS benchmark released in Jun 24 are still checking on this command and with the audit file, Compliance scan flagged out as non-compliant since no ip identd is missing..
Is there any documentation that state of this command being deprecated? My Compliance Team is requesting for official documentation to prove that it is indeed no longer available on switch.
Thank you.
07-16-2024 12:03 PM
https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20190925-identd-dos.html
Ios xe must support this command as link above
MHM
07-16-2024 12:56 PM - edited 07-16-2024 12:57 PM
Hello @x1nwei ,
the link provided by @MHM Cisco World says the ip identd is disabled by default.
you can try to use
show run all | inc identd
this to demonstrate the service is disabled with default configuration.
Hope to help
Giuseppe
07-17-2024 05:46 PM
Hi @MHM Cisco World and @Giuseppe Larosa,
Thanks and appreciate the replies provided.
The link provided and also CIS benchmark is the reason why I am trying to disable ip identd.
I performed show run all and looked at every line and there is no ip identd command in it..
rgds,
jason
07-18-2024 12:26 PM
Hello @x1nwei ,
What IOS XE version is running on the Catalyst 9300 ?
it looks like the command has been removed if you don't see it in the show run all
Hope to help
Giuseppe
07-18-2024 03:34 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide