Re: Securing HTTP Access from Piotr Matusiak on 2010-01-23 (Ccielab archives 01/2010)

From: Piotr Matusiak <piotr_at_ccie1.com>
Date: Sat, 23 Jan 2010 10:49:32 +0100

Hi,

When you use "aaa authentication login default local" it is applied to all
lines including CON, AUX, VTY. So you don't need to specify the named method
in "ip http authentication aaa" command.
However, if you use named method like "aaa authentication login TEST local"
you need to specify that using "ip http authentication aaa
login-authentication TEST" command.

This is because you can have more than one named method configured and the
router must know which one use to authenticate HTTP users. The default
method is only one so you do not need to specify that.

BTW: you can configure the same without AAA:
!
username student privil 15 password cisco123
!
ip http server
ip http authentication local
!

HTH,

--
Piotr Matusiak
CCIE #19860 (R&S, Security)
Technical Instructor
website: www.MicronicsTraining.com
If you can't explain it simply, you don't understand it well enough -
Albert Einstein
2010/1/23 CCIE-Newbie <ccie_ka_at_gmx.de>
> Hi Group,
>
> I'm confused about securing http access to a router.
> Assume I need to secure Router 1 for http access.
> There are two different privilege level for two user.
> User A should be level 5 while user B should be level 10
>
> First off all I need to enable aaa and then set the list. My
> configuration looks as follow:
>
> aaa new-model
> aaa authentication login HTTP local
> aaa authorization exec HTTP local
> ip http server
> ip http authentication aaa login-authentication HTTP
> ip http authentication aaa exec-authorization HTTP
> no ip http secure-server
>
> aaa new-model
> aaa authentication login default local
> aaa authorization exec default local
> ip http server
> ip http authentication aaa
> no ip http secure-server
>
> If I need to specify a "list" then I also need to specify after "ip http
> authentication aaa login-authentication HTTP" and "ip http
> authentication aaa exec-authorization HTTP" !?
>
> So what is the difference between the above configurations ? Can anyone
> explain please ?
>
> Thanks
>
> Dennis
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Blogs and organic groups at http://www.ccie.net

Received on Sat Jan 23 2010 - 10:49:32 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:42 ART