Restricted Web GUI Access & Login Reset on Cisco 3650

BashedRoot
Level 2

Hello,

1. How do I put IP access restriction on the web GUI panel? I already have IP access restrictions set on SSH access to a couple of my local IPs, but I also want to apply the same security measure on the web GUI as well.

2. I cannot log into the web GUI on switch #1, but can on switch #2. How do I reset the user's pw for the first switch? It's odd, because they're both the same user/pw and saved in my password manager.

3. How do I also enable secure https for web access?

Thanks in advance.

25 Replies

Dennis Mink
VIP Alumni

see my answers below:

1. ip http authentication local - if that is what you are using, then change the username <blah> password <blah1> statement in the switch's config

2. ip http access-class <number> and configure an access list that permits http from certain sources

3. ip http server-secure will set it up for https

Please rate if useful


Could you please provide actual full command examples? I'm on a learning curve here.

Would appreciate help on this. Thank you.

BashedRoot
Level 2

Anyone, please? :)

1. ip http authentication local
     ip http access-class [ACL number, same as your vty acl], e.g. ip http access-class 10

2. no username bob
    username bob secret [new password]

3. ip http server-secure

Anything in [brackets] requires your input.

Copied from Dennis so all the credit goes to him.

Thanks, but stuck on 2 steps.

Why does it say "CLI will be deprecated soon"?

1. Web GUI is still not secured mode.

2. I can still access web gui from any IP.

Cisco3650(config)#ip http access-class 10 
This CLI will be deprecated soon, Please use new CLI 'ip http access-class ipv4 <1-99> | <access-list-name>'
Cisco3650(config)#ip http server-secure
                                ^
% Invalid input detected at '^' marker.

Cisco3650(config)#ip http server secure
                                 ^
% Invalid input detected at '^' marker.

It's just alerting you that the command will change, allowing for both IPv4 and IPv6.

What does your ACL 10 have in it? 

If you can't enable http server-secure then you probably don't have a crypto image. Post a show version and we can tell for sure.

Ok thanks, here's the info.

The access list is extended 101 that I tried to use but got an error shown below.

Cisco3650(config)#ip http authentication local
Cisco3650(config)#ip http access-class extended 101
                                       ^
% Invalid input detected at '^' marker.

Cisco3650(config)#ip http access-class 101         
                                         ^
% Invalid input detected at '^' marker.
Cisco3650#show access-list
Standard IP access list 1
    10 permit xxx
Extended IP access list 101
    10 permit tcp host xxx.xxx.197.25 host xxx.xxx.19.52 eq www
    20 permit tcp host xxx.xxx.197.25 host xxx.xxx.19.52 eq 443
Extended IP access list 115
    10 permit tcp host xxx.xxx.33.6 host 0.0.0.0 eq 22
Extended IP access list AutoQos-4.0-wlan-Acl-Bulk-Data
    10 permit tcp any any eq 22
    20 permit tcp any any eq 465
    30 permit tcp any any eq 143
    40 permit tcp any any eq 993
    50 permit tcp any any eq 995
    60 permit tcp any any eq 1914
    70 permit tcp any any eq ftp
    80 permit tcp any any eq ftp-data
    90 permit tcp any any eq smtp
    100 permit tcp any any eq pop3
Extended IP access list AutoQos-4.0-wlan-Acl-MultiEnhanced-Conf
    10 permit udp any any range 16384 32767
    20 permit tcp any any range 50000 59999
Extended IP access list AutoQos-4.0-wlan-Acl-Scavanger
    10 permit tcp any any range 2300 2400
    20 permit udp any any range 2300 2400
    30 permit tcp any any range 6881 6999
    40 permit tcp any any range 28800 29100
    50 permit tcp any any eq 1214
    60 permit udp any any eq 1214
    70 permit tcp any any eq 3689
    80 permit udp any any eq 3689
    90 permit tcp any any eq 11999
Extended IP access list AutoQos-4.0-wlan-Acl-Signaling
    10 permit tcp any any range 2000 2002
    20 permit tcp any any range 5060 5061
    30 permit udp any any range 5060 5061
Extended IP access list AutoQos-4.0-wlan-Acl-Transactional-Data
    10 permit tcp any any eq 443
    20 permit tcp any any eq 1521
    30 permit udp any any eq 1521
    40 permit tcp any any eq 1526
    50 permit udp any any eq 1526
    60 permit tcp any any eq 1575
    70 permit udp any any eq 1575
    80 permit tcp any any eq 1630
    90 permit udp any any eq 1630
    100 permit tcp any any eq 1527
    110 permit tcp any any eq 6200
    120 permit tcp any any eq 3389
    130 permit tcp any any eq 5985
    140 permit tcp any any eq 8080
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
    100 deny udp any any eq domain
    101 deny tcp any any eq domain
    102 deny udp any eq bootps any
    103 deny udp any any eq bootpc
    104 deny udp any eq bootpc any
    105 permit tcp any any eq www
Extended IP access list IP-Adm-V4-Int-ACL-global
    10 permit tcp any any eq www
    20 permit tcp any any eq 443
Extended IP access list Manage-SSH
    20 permit tcp host xxx.xxx.33.6 host 0.0.0.0 eq 22 (4 matches)
    30 permit tcp any host 69.114.107.75 eq 22
    40 permit tcp host xxx.xxx.127.10 host 0.0.0.0 eq 22 (68 matches)
    50 permit tcp host xxx.xxx.197.25 host 0.0.0.0 eq 22 (82 matches)
Extended IP access list preauth_v4 (per-user)
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 permit udp any eq bootps any
    40 permit udp any any eq bootpc
    50 permit udp any eq bootpc any
    60 deny ip any any
IPv6 access list preauth_v6 (per-user)
    permit udp any any eq domain sequence 10
    permit tcp any any eq domain sequence 20
    permit icmp any any nd-ns sequence 30
    permit icmp any any nd-na sequence 40
    permit icmp any any router-solicitation sequence 50
    permit icmp any any router-advertisement sequence 60
    permit icmp any any redirect sequence 70
    permit udp any eq 547 any eq 546 sequence 80
    permit udp any eq 546 any eq 547 sequence 90
    deny ipv6 any any sequence 100

SHOW VERSION

Cisco3650#show version 
Cisco IOS Software [Denali], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.3.1a, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Thu 29-Sep-16 22:08 by mcpre


Cisco IOS-XE software, Copyright (c) 2005-2016 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.


ROM: IOS-XE ROMMON
BOOTLDR: CAT3K_CAA Boot Loader (CAT3K_CAA-HBOOT-M) Version 3.76, RELEASE SOFTWARE (P)

Cisco3650 uptime is 28 weeks, 6 days, 19 hours, 1 minute
Uptime for this control processor is 28 weeks, 6 days, 19 hours, 4 minutes
System returned to ROM by reload at 18:48:20 EST Wed Oct 12 2016
System image file is "flash:packages.conf"
Last reload reason: Reload Command



This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.


Technology Package License Information:

-----------------------------------------------------------------
Technology-package                   Technology-package
Current             Type             Next reboot  
------------------------------------------------------------------
ipbasek9            Permanent        ipbasek9

cisco WS-C3650-24TS (MIPS) processor (revision N0) with 866081K/6147K bytes of memory.
Processor board ID FDO2027E0M9
26 Virtual Ethernet interfaces
28 Gigabit Ethernet interfaces
2048K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
252000K bytes of Crash Files at crashinfo:.
1611414K bytes of Flash at flash:.
0K bytes of  at webui:.
0K bytes of Dummy USB Flash at usbflash0:.

Base Ethernet MAC Address          :
Motherboard Assembly Number        : 73-15898-06
Motherboard Serial Number          :
Model Revision Number              : N0
Motherboard Revision Number        : A0
Model Number                       : WS-C3650-24TS
System Serial Number               :


Switch Ports Model              SW Version        SW Image              Mode   
------ ----- -----              ----------        ----------            ----   
*    1 28    WS-C3650-24TS      16.3.1            CAT3K_CAA-UNIVERSALK9 INSTALL


Configuration register is 0x102

You have the crypto image, so you are good there. Let's get HTTP working, then we'll move over to HTTPS.

For HTTP access you cannot use an extended acl, it must be a standard acl (1-99).
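Pulling the answers in this thread together, here is a consolidated configuration as an added example (not any poster's own commands): a standard ACL applied with the newer ipv4 syntax from the deprecation warning, the local-user reset, and HTTPS. The admin addresses, domain name and user name are assumed placeholders, and note that the IOS keyword for HTTPS is secure-server, not server-secure.

```cisco
! Added example (not from the thread): locking down the 3650 web GUI.
! Assumptions: admin hosts 192.0.2.10 and 192.0.2.11 (constructed
! placeholders), local user "bob", domain "example.net".
!
! 1. Standard ACL (1-99) listing only the admin hosts. The HTTP server
!    only accepts standard ACLs, which is why "access-class 101" failed.
!    To change one entry later: "ip access-list standard 10", then
!    "no permit host <old-ip>" and "permit host <new-ip>".
no access-list 10
access-list 10 remark Web GUI admins only
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
access-list 10 deny any log
!
! 2. Apply the ACL (ipv4 form from the deprecation warning) and
!    authenticate web logins against the local user database.
ip http authentication local
ip http access-class ipv4 10
!
! 3. Reset the local account: drop the old line, set a new secret.
!    Privilege 15 gives the account full configuration rights in the GUI.
no username bob
username bob privilege 15 secret [new-password]
!
! 4. HTTPS. The TLS certificate needs an RSA key, and key generation
!    needs a hostname and domain name to be set first.
hostname Cisco3650
ip domain-name example.net
crypto key generate rsa modulus 2048
ip http secure-server
! Once HTTPS works, turn off the plaintext listener.
no ip http server
!
! 5. Verify (exec mode):
!    show ip http server status
!    show crypto key mypubkey rsa
!    show access-lists 10
```

Check "show ip http server status" before disabling plain HTTP so you do not lock yourself out of the GUI from the same session.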

Ok thank you, got the web gui locked in, but can't seem to edit the access list at all. I need to remove one old IP and add a new one, but something is wrong with my commands apparently.

Old IP

Standard IP access list 1
    10 permit xxx.xxx.198.134

Ran:

Cisco3650(config)#no ip access-list standard xxx.xxx.198.134

How do I remove the above and add a new one?

From there, I then need to figure out that https protocol issue with the web gui.

Thanks again.

Try this-

access-list 1 permit host xxx.xxx.198.134

Got the access list worked out, thanks.

Now need to figure out the https web gui issue.

Good. Do you see SSH keys from the following command?

show crypto key rsa mypubkey

Cisco3650#show crypto key rsa mypubkey
                          ^
% Invalid input detected at '^' marker.