Create Cisco records to allow the service to authenticate to Cisco devices that support the SSH protocol (SSH1 and SSH2) and telnet.
For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article:
Authentication Technologies Matrix
|
Help me with record settings |
|||||||||||||||
|
What login credentials are required?What login credentials are required? 1) The user account you provide for authentication must have privilege level 15 (equivalent to root level privileges) on the Cisco device in order to perform all checks. Learn more about commands and privilege levels 2) We need port 22 (for SSH authentication) or port 23 (for Telnet authentication). If Telnet is the only option for the target you must select the Clear Text Password option in the record since Telnet is an insecure protocol (all information is sent in clear text). We’ll use strong password encryption for remote login, if possible, and fall back to transmitting credentials in clear text only when the Clear Text Password option is selected. 3) Your password must not include any spaces. |
|||||||||||||||
|
Is the enable password required?Is the enable password required? Note - The "enable" feature is supported for compliance scans only, not vulnerability scans. Whether or not the "enable" password is required depends on the target hosts you'll be scanning. Hosts with Cisco IOS, Cisco IOS XE and Cisco ASA - The "enable" password is required. (The "enable" command on these hosts requires a password.) Hosts with Cisco NX-OS - The "enable" password is not required. (Note - The pooled credentials feature is not supported if the "enable" command requires a password and the password is specified.) |
|||||||||||||||
|
Tell me about the Clear Text Password optionTell me about the Clear Text Password option Select to allow your user account password to be transmitted in clear text when connecting to services which do not support strong password encryption. Learn more |
|||||||||||||||
|
Tell me about the Policy Compliance optionsTell me about the Policy Compliance options The scanning engine needs to find login services in order to successfully authenticate to Unix/Cisco IOS hosts and perform compliance assessment. By default, these well-known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Any one of these services is sufficient for authentication. If services (SSH, telnet, rlogin) are not running on well-known ports for the hosts you will be scanning, then you must define a custom ports list. Note: The actual ports scanned also depends on the Ports setting in the compliance option profile used at scan time. Tell me more about scanned portsTell me more about scanned ports If Standard Scan is selected in the compliance profile, then these ports will be scanned: the standard ports list (about 1900 ports) provided by the service, including ports 22, 23 and 513, plus the custom ports specified in the authentication record. If Targeted Scan is selected in the compliance profile, then these ports will be scanned: the custom ports specified in the authentication record only (no other ports). Refer to the table below:
|
|||||||||||||||
|
Which IPs should I add to my record?Which IPs should I add to my record? Select the target hosts (IPs) to authenticate to. The IPs you include in this record cannot also be included in a Unix or Checkpoint Firewall record. |
|||||||||||||||
|
For Cisco authentication, we support integration with multiple third party password vaults. Just go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your record, select your vault name and provide vault settings. At scan time, we'll authenticate to hosts using the account name in your record and the password we find in your vault. Vault Configuration for Compliance Scans You must configure the user account in such a way that the "enable" command enters the privileged shell automatically without prompting for a 2nd password. This is because the supported vaults only store a single password in a file. |
|||||||||||||||
|
TACACS server supportTACACS server support Password based authentication to a TACACS server is supported. This server follows the SSH user authentication specification. |
|||||||||||||||
|
Important Notes for Unit ManagersImportant Notes for Unit Managers When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager to the record settings will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager. |
The password you provide for authentication must not include any spaces.