
Set enable password on Cisco IE 1000 switch for Nessus scan

ciscoCommunity
Level 1

To run a Nessus scan using password method you specify a non-privileged username/password and supply the "enable" password.

The IE 1000 allows you to set a user either as admin or not admin, it does not allow you to specify a separate enable password - or I have not figured it out.

When I attach via ssh to the IE 1000 as an admin user - I can show running config but I cannot configure (using "conf t") the switch.

Normally, for a minimal config on a switch I want to scan, I'd set:

  - hostname,
  - ip-domain-name,
  - enable password someEnablePassword,
  - username someUser privilege 7 password 0 somePassword,
  - vty for login local and transport input ssh

and

  - execute crypto key generate mod someModValue (apparently already run by IE 1000)

This basic info (and Vlan 1 address, etc) allows a Nessus scan in password mode to login to the switch via SSH and present the enable password for a deep scan.

I've been to numerous sites but have not seen any information on how to set these router config values by "conf t".

Has anyone had any success using "conf t" to edit the config?

Has anyone learned if this is even possible?

Thanks!
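A pre-scan check for the prerequisites listed in the post above, added here as an example (it is not code from the thread or from Cisco or Tenable). It assumes a saved running-config in classic IOS syntax, which the thread reports the IE 1000 CLI does not fully share; the function names and the sample config are constructed for illustration.

```python
import re
# Prerequisites listed in the post, as classic IOS running-config patterns (assumed syntax).
GLOBAL_CHECKS = {
    "hostname": r"^hostname \S+",
    "ip domain-name": r"^ip domain[- ]name \S+",
    "enable password/secret": r"^enable (password|secret) ",
    "local username": r"^username \S+ .*(password|secret) ",
}
VTY_CHECKS = {
    "vty login local": r"^login local$",
    "vty transport input ssh": r"^transport input ssh$",
}

def vty_blocks(config):
    """Return the indented sub-command lines of each 'line vty' block."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = []
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            current.append(raw.strip())
        else:
            current = None
    return blocks

def missing_prereqs(config):
    """List the prerequisites from the post that the config does not satisfy.

    Every vty block must pass the vty checks; otherwise some lines would
    refuse SSH or skip local authentication.
    """
    lines = config.splitlines()
    missing = [name for name, pat in GLOBAL_CHECKS.items()
               if not any(re.match(pat, l) for l in lines)]
    blocks = vty_blocks(config)
    for name, pat in VTY_CHECKS.items():
        if not blocks or not all(any(re.match(pat, s) for s in b) for b in blocks):
            missing.append(name)
    return missing

# Constructed sample config (not from a real device).
SAMPLE = """\
hostname lab-sw1
ip domain-name example.test
enable password someEnablePassword
username someUser privilege 7 password 0 somePassword
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet
"""
```

Running `missing_prereqs(SAMPLE)` flags only the second vty block, which still accepts telnet instead of SSH.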


Jaderson Pessoa
VIP Alumni

@ciscoCommunity hello,

The Cisco IOS software CLI has two levels of access to commands. User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and allows only user-level commands available at the router> prompt. Privileged EXEC mode (privilege level 15) - Includes all enable-level commands at the router# prompt.

So, you can create a group or user with a level permission configured properly and set which type of command this user can use.

I hope that this link can help you: https://community.cisco.com/t5/switching/user-privileges/td-p/3079194

Jaderson Pessoa
*** Rate All Helpful Responses ***

Hello,

I think the IE1000 has a CLI with the options below, 'enable' being one of them:

IE1000(config)# ?
aaa Authentication, Authorization and Accounting
access Access management
access-list Access list
aggregation Aggregation mode
alarm alarm
banner Define a login banner
default Set a command to its defaults
do To run exec commands in config mode
dot1x IEEE Standard for port-based Network Access Control
enable Modify enable password parameters
end Go back to EXEC mode
exit Exit from current mode
help Description of the interactive help system
hostname Set system's network name
interface Select an interface to configure
ip Interface Internet Protocol config commands
ipmc IPv4/IPv6 multicast configuration
ipv6 IPv6 configuration commands
json JavaScript Object Notation RPC
lacp LACP settings
line Configure a terminal line
lldp LLDP configurations.
logging System logging message
mac MAC table entries/configuration
monitor Monitoring different system events
no Negate a command or set its defaults
ntp Configure NTP
poe Power Over Ethernet.
port-security Enable/disable port security globally.
post Power On Self Test
privilege Command privilege parameters
qos Quality of Service
radius-server Configure RADIUS
rmon Remote Monitoring
snmp-server Set SNMP server's configurations
spanning-tree Spanning Tree protocol
tacacs-server Configure TACACS+
temperature Temperature
username Establish User Name Authentication
vlan VLAN commands
voice Voice appliance attributes
web Web

Unfortunately the 1.6 version of software does not recognize "conf" - so I cannot configure the IOS even though I am in as an administrator.

I even tried downloading the running-config, modifying it and uploading it but it does not seem to take the updated file - or I cannot see it - nor does it give you a way to activate it.

It seems this is a fairly locked down configuration - only allowing changes through the web page.

I appreciate the feedback!

Georg,

I recognize you got to the IE1000(config)# prompt, could you explain how to get there?

Normally when I login to IE1000, it just presents limited CLI options, and configure is not available.

version: (1.6#2017-04-05T23:06:27+00:00)
