
SSL - QUERY

mikey250 asked:
Hi
Qns1. I'm confused. I thought the command 'ssl' was added at the 'line vty 0 4' stage, used for enabling via a browser: https://x.x.x.x.x ?


Qns2. Although, in order to set up a connection via a browser for a Cisco 837, is it as below?

Enable the router's HTTP/HTTPS server, using the following Cisco IOS commands:  
Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local

Note:- HTTPS is enabled only for crypto enabled IOS images.
Create a user with privilege level 15.
Router(config)# username <username> privilege 15 password 0 <password>

Note:- Replace <username> and <password> with the username and password that you want to configure.

Configure SSH and Telnet for local login and privilege level 15:
Router(config)# line vty 0 4
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input telnet
Router(config-line)# transport input telnet ssh
Router(config-line)# exit

(Optional) Enable local logging to support the log monitoring function:  
Router(config)# logging buffered 51200 warning

Commented:
I think you're getting confused between SSH and SSL.

Secure Shell (SSH) is configured in line vty and enables or forces encrypted terminal traffic.

Secure Sockets Layer (SSL) can be used by other services to encrypt traffic. The router provides a web server using http or secure http using SSL, but these services are made to run by enabling them.

Author

Commented:
Yes, you are correct, as I've mentioned this in the main thread. Apologies for the confusion!

Qns1. So both 'SSH & SSL' which are different encryption types, but are configured in 'line vty 0 4' for eg ?

Qns2.  What are the complete configurations for 'SSL' ?

Commented:
There are two methods of getting configuration access to the router.
The first uses virtual terminal lines; when you configure them for incoming connections you also need to list the protocols used. Telnet is the usual one, and if you want the traffic secure and the IOS supports it, you also include, or just have, SSH. This gives you access to the Command Line Interface (CLI).

The second method is via a web server which is a different service altogether. It uses http and enabled with:
ip http server
For the traffic to be secure, you need to use https (which uses SSL) and if the IOS supports it, is enabled with:
ip http secure-server
This gives you access to the web GUI.

I think I've discovered where your questions are coming from. Is the configuration listed for using Security Device Manager? This software uses both access methods to get content and read/write the configuration files, which is why there are two methods of encryption.

Author

Commented:
Yes, it was from 'SDM'. I've never used any 'GUI' stuff before via an Internet browser, but I just realised after your explanation.

Oh, so the fact that 'https' is added, i.e. is all that is needed, as below:

ip http server
ip https secure-server
ip http authentication local

Router(config)# username <username> privilege 15 password 0 <password>

And that 'http' actually uses 'SSL', although the acronym itself is not added?

But with 'SSH' for security and access to the CLI it is:

Configure SSH and Telnet for local login and privilege level 15:

Router(config)# line vty 0 4
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input telnet
Router(config-line)# transport input telnet ssh
Router(config-line)# exit

Commented:
Actually, SSL is now part of Transport Layer Security (TLS), and the secure version of http, https, can use either SSL or TLS. Google can tell you more.
Just to confirm the configuration for SDM;
You configure remote access using unsecured telnet and/or secured SSH, http and/or https:

line vty 0 4
  transport input telnet ssh
exit
!
! Enable web services for http
ip http server
! To support secure http (https)
ip http secure-server


Access is controlled by a username/password and, because SDM reads and writes the configuration files, enable access (privilege 15) is required:
line vty 0 4
! Any successful login will have enable rights
  privilege level 15
! Access is by login using a local account
  login local
exit
!
! Web service access authenticates against a local account (this will use the privilege level set in the user account):
ip http authentication local
! Local user credentials:
username <username> privilege 15 password 0 <password>
!
end
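As an added example, not part of the thread or of Cisco's SDM documentation, here is a tightened version of the management configuration above. It adds the SSH prerequisites the SDM snippet leaves out (hostname, domain name, RSA key, SSH version 2), drops Telnet and plain HTTP so only the encrypted paths remain, stores the password as a hash, and limits where management connections may come from. The hostname, domain name and the 192.168.1.0/24 management subnet are assumed values; the image is assumed to be a crypto (k9) IOS that supports SSH version 2, as the thread notes HTTPS and SSH need.

```cisco
! Added example (assumed hostname/domain/subnet), not the thread's own config.
!
! SSH prerequisites: the RSA key cannot be generated until the router has
! a hostname and a domain name, and SSH does not start without the key.
hostname R837
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account. 'secret' stores a hash; the thread's 'password 0' stores
! the password in clear text in the running config.
username admin privilege 15 secret <password>
!
! Standard ACL naming the only subnet allowed to manage the router (assumed).
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any log
!
! CLI access: SSH only. Note that a later 'transport input' replaces an
! earlier one, so 'transport input telnet' followed by
! 'transport input telnet ssh' in the SDM snippet still leaves Telnet open.
line vty 0 4
 access-class 10 in
 privilege level 15
 login local
 transport input ssh
 exec-timeout 10 0
!
! GUI access: HTTPS only, authenticating against the local account.
! 'ip http secure-server' generates a self-signed certificate on first use;
! 'ip http server' is left off so nothing is reachable over plain HTTP.
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
! Optional, as in the thread: local log buffer for SDM's monitoring page.
logging buffered 51200 warning
end
```

After applying this, confirm the state with `show ip ssh` (version 2.0 should be reported, and the RSA key present), `show ip http server status` (HTTP disabled, HTTPS enabled), and `show run | section line vty` (only `transport input ssh`). The browser will warn about the self-signed certificate; that is expected unless a trustpoint with a CA-issued certificate is configured, which is outside what the thread covers.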

Author

Commented:
Perfect thanks for that!
