How is Unix Auth performed on Cisco devices?

Document created by kb-author-1 (Employee) on Jul 15, 2010. Last modified by Simon Adams on Jun 24, 2013.

Issue:

 

How is Unix Auth performed on Cisco devices? Does Qualys detect that the target is running Cisco IOS and run commands other than the "normal" Unix commands?

 

Solution:

 

"Unix Auth" is perhaps not the best term here, because Cisco IOS is not a Unix variant. The term is used because Cisco devices are accessed with the same protocols/services that are widely available on Unix hosts: SSH and Telnet.

Once logged in to Cisco IOS, however, the commands are completely different from those used on a Unix command line.

 

If the OS is identified as Cisco and a Cisco IOS Record is configured in the web interface for that specific host, the scan will attempt to log in using the credentials provided in the related Cisco IOS Record.

 

The following commands will be used by the scanner:

 

help
show version
show running-config
show sgbp
show module
show ipv6 interface
show logging | include Syslog | Trap | Console | Monitor | Buffer logging
show clock detail
show ip ssh
show ip interface

 

Troubleshooting tips:

 

Please make sure that the user on the Cisco device has privilege level 15 (Privileged EXEC mode) or is otherwise authorized to run the commands listed above.

 

 

Troubleshoot SSH authentication issues:

 

To troubleshoot Cisco authentication issues, perform the following steps from a Linux/Unix or Mac machine:

 

ssh -vvv user@host

 

where user is the username that you defined in the related Cisco IOS record and host is either the IP address or the FQDN of the target.

 

From a Windows machine you can use the PuTTY tool to test SSH or telnet connections.

 

PuTTY can be downloaded from: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

 

If you're unable to SSH in to the host using the username and password you provided in the Cisco IOS authentication record, the Qualys scanner won't be able to SSH in to the target either.
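The ssh -vvv test above produces a long debug trace. As an added example (not part of this article and not Qualys code), the POSIX shell function below reads a saved trace and reports which stage failed, so the outcome can be read off without scrolling the whole output. The sample logs are constructed, modelled on OpenSSH's debug messages; 192.0.2.10 is a documentation address standing in for a real device.

```shell
#!/bin/sh
# Added example: classify a saved "ssh -vvv user@host" session log.
# Typical use:  ssh -vvv user@host 2>ssh.log ; ssh_auth_verdict < ssh.log
# The sample logs below are constructed (modelled on OpenSSH messages);
# 192.0.2.10 is a documentation address, not a real target.

ssh_auth_verdict() {
    # Read the whole log from stdin and match the decisive message.
    # Checked in priority order: a successful login outranks earlier
    # "Permission denied" lines from a mistyped password.
    log=$(cat)
    case "$log" in
        *"Authentication succeeded"*)  echo "ok" ;;
        *"Permission denied"*)         echo "auth-failed" ;;
        *"Unable to negotiate"*)       echo "negotiation-failed" ;;
        *"Connection refused"*|*"Connection timed out"*|*"No route to host"*)
                                       echo "connect-failed" ;;
        *)                             echo "unknown" ;;
    esac
}

ssh_auth_advice() {
    # Map a verdict to the next troubleshooting step.
    case "$1" in
        ok)                 echo "Credentials work; the scanner should be able to log in the same way." ;;
        auth-failed)        echo "Device rejected the username/password: check the Cisco IOS record and the device's username configuration." ;;
        negotiation-failed) echo "Client and device share no SSH algorithm: the device's SSH settings, not the credentials, block the session." ;;
        connect-failed)     echo "Port 22 is not reachable: verify the address and that SSH is enabled on the vty lines." ;;
        *)                  echo "No decisive message found; inspect the full ssh -vvv output." ;;
    esac
}

# Constructed sample logs (abridged ssh -vvv stderr)
SAMPLE_OK="debug1: Next authentication method: password
debug1: Authentication succeeded (password).
Authenticated to 192.0.2.10 ([192.0.2.10]:22)."
SAMPLE_DENIED="debug1: Next authentication method: password
Permission denied, please try again.
Permission denied (password)."
SAMPLE_NEGOTIATE="Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found."
SAMPLE_REFUSED="ssh: connect to host 192.0.2.10 port 22: Connection refused"

for sample in "$SAMPLE_OK" "$SAMPLE_DENIED" "$SAMPLE_NEGOTIATE" "$SAMPLE_REFUSED"; do
    verdict=$(printf '%s\n' "$sample" | ssh_auth_verdict)
    printf '%-19s %s\n' "$verdict" "$(ssh_auth_advice "$verdict")"
done
```

The verdict tells you whether the problem is the credentials in the Cisco IOS record (auth-failed), the device's SSH settings (negotiation-failed) or plain reachability (connect-failed); only the first case is fixed by editing the authentication record.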

 

Troubleshooting telnet authentication issues:

 

If the Cisco device only supports telnet, run a telnet test instead:

 

telnet 1.1.1.1 23

 

Make sure that the Cisco device asks for both a username and a password at the prompt. If the Cisco device asks only for a password, its configuration is not correct.

 

Review the show running-config output and make sure that username authentication is configured on the device as required.
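A password-only prompt and a missing privilege-15 user are both visible in the running configuration. As an added example (not from this article, and not Cisco or Qualys code), the shell functions below read a saved show running-config capture and report the login mode of the vty lines and whether a privilege-15 user exists. The two captures are constructed and simplified: secrets appear as placeholders rather than in the hashed form running-config prints, and only the vty stanza and username lines are shown.

```shell
#!/bin/sh
# Added example: inspect a saved "show running-config" capture and report
# (a) whether the vty lines ask for a username or only for a line password,
# (b) whether a privilege-15 user is defined.
# Typical use:  vty_auth_mode < running-config.txt ; has_priv15_user < running-config.txt
# The captures below are constructed and simplified (placeholder secrets).

vty_auth_mode() {
    # Walk the "line vty" stanza(s): indented lines belong to the stanza,
    # a non-indented line ends it. Reports the login mode of the last stanza
    # seen; "login local" or "login authentication <list>" means a username
    # is requested, a bare "login" means line-password only.
    awk '
        /^line vty/ { invty = 1; next }
        /^[^ ]/     { invty = 0 }
        invty && $1 == "login" {
            if ($2 == "local" || $2 == "authentication") mode = "username"
            else mode = "password-only"
        }
        END { print (mode != "" ? mode : "no-login") }
    '
}

has_priv15_user() {
    # "yes" if any username line carries privilege 15, else "no".
    awk '/^username / && / privilege 15( |$)/ { found = 1 }
         END { print (found ? "yes" : "no") }'
}

# Constructed capture: prompts only for the line password (the incorrect case)
WEAK_CONFIG="hostname edge-router
line vty 0 4
 password EXAMPLE-LINE-PASSWORD
 login
 transport input telnet
end"

# Constructed capture: username authentication with a privilege-15 user
FIXED_CONFIG="hostname edge-router
username scanner privilege 15 secret EXAMPLE-SECRET
line vty 0 4
 login local
 transport input ssh
end"

for cfg in "$WEAK_CONFIG" "$FIXED_CONFIG"; do
    printf 'vty login mode: %s, privilege-15 user: %s\n' \
        "$(printf '%s\n' "$cfg" | vty_auth_mode)" \
        "$(printf '%s\n' "$cfg" | has_priv15_user)"
done
```

Devices with several vty ranges (for example line vty 0 4 and line vty 5 15) can differ per range; this simple parser reports the last range it sees, so check each stanza if the ranges are configured differently.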

 

For more information, see the Configuring Authentication guide:

 

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfathen.html#wp1023869
