Enabling Secure HTTP (HTTPS) Access to a Router

Problem

You want to configure and monitor your router using an encrypted browser interface.

Solution

To enable secure HTTP (HTTPS) access to a router, use the ip http secure-server command:

Core#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Core(config)#ip http secure-server
Core(config)#end
Core#

Cisco introduced secure HTTP access feature in IOS Version 12.2(14)S.

Discussion

The Secure HTTP feature provides you with a secure and encrypted method to access the router via a web browser using Secure Sockets Layer and Transport Layer Security. This prevents HTTP sessions from being intercepted or attacked.

By default, the router creates a self-signed digital certificate that is required for secure access. The router adds the digital certificate to its configuration:

Router2#show running-config | section crypto
crypto pki trustpoint TP-self-signed-2618906780
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2618906780
 revocation-check none
 rsakeypair TP-self-signed-2618906780
crypto pki certificate chain TP-self-signed-2618906780
 certificate self-signed 01
 3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
 69666963 6174652D 32363138 39303637 3830301E 170D3036 30313235 31373031 
 32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 36313839 
 30363738 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
 8100E12C BF2F0F2D 3FA6AAEC 6538D47B FF4A4129 2BE28AFE F1880962 659D06DC 
 82992F38 4DDBC544 A071D74F AF503DC7 14C0EF28 7D03D6BA 4AD3D122 184034FF 
 FBDE5616 0246528A 83B8E0BA 70C2FC46 605DA522 BC85B1F3 AD47E133 6C2CE562 
 669048DB 7378B44A 5999D087 CDA95F74 9E073880 975FEA58 8B0B75EA AA62F996 
 CDEB0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603 
 551D1104 17301582 13526F75 74657232 2E696A62 726F776E 2E636F6D 301F0603 
 551D2304 18301680 1475B543 CAC80FB1 63018DD7 4A81D46A 03DF023B 35301D06 
 03551D0E 04160414 75B543CA C80FB163 018DD74A 81D46A03 DF023B35 300D0609 
 2A864886 F70D0101 04050003 81810070 5D025E22 B4120D0A BD1D2E33 904B198F 
 D9E57BB0 55C90C11 8882A727 9DC42D5F 86619446 1AF7BA53 5DDEDCB5 3B32B70D 
 0AFCBCE0 77EC5A50 B0428E89 656C641B F2A6A0E9 CEA331EE 9404F527 40BD66FB 
 D30791B9 92BAB053 465FB50C 8C7D8B74 9926ED58 5881A515 7199D397 B69D385F 
 329EC47B 9850E063 B4AC318D 76DC9D
 quit
Router2#

If this command doesn't show any self-signed certificates, you can generate them using the command crypto key generate rsa. We disscuss this command in more detail in Recipe 3.20.

It is a good idea to explicitly disable the HTTP server to ensure that only encrypted HTTP sessions are permitted once secure HTTP is enabled. To do so, use the no ip http server command to disable the HTTP server:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip http secure-server
Router2(config)#no ip http server
Router2(config)#end
Router2#

By default, the secure HTTP server uses port 443. To change the secure server port, use the following command:

Router2#configure terminal  
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip http secure-port 8080 
Router2(config)#end 
Router2#

In this example, we changed the secure HTTP port from 443, the default, to port 8080. You can set the secure port to most any unused port number; however, the HTTP and secure HTTP servers cannot be configured to use the same port.

If you do change the secure HTTP port number, then you need to explicitly specify the new port number in the browser's URL. For example: https://router1.oreilly.com:8080, where 8080 is the new port number of the secure server.

To view the secure HTTP configuration status, use the show ip server command:

Router2#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 8080
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: 
HTTP secure server active session modules: ALL
Router2#

As you can see from the output of the show command, the secure server is enabled and is configured to use port 8080. Also, notice that client authentication is currently disabled. Secure HTTP client authentication is enabled by using the same method as the HTTP server. See Recipe 2.8 for more information on enabling HTTP authentication.

See Also

Recipe 2.8; Recipe 3.20

Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index



Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net