1) The user account you provide for authentication must have privilege level 15 (equivalent to root level privileges) on the Cisco device in order to perform all checks.
Interested in using an account with a lower privilege level? You'll need to take steps to configure the lower privilege level account to give it permission to execute all of the commands that are required for scanning. See instructions on how you can do this and the commands required for scanning based on the Cisco device:
Cisco IOS/IOS-XE | Cisco ASA | Cisco NX-OS | Cisco FTD | Cisco ISE
In general, the account you provide must be able to execute these commands:
help
show version
show running-config / show running-config all
show logging | include Syslog | Trap | Console | Monitor | Buffer logging
show clock detail
show ip ssh
show ip interface
show snmp user
show snmp group
show crypto key mypubkey rsa
terminal pager 0 (Cisco ASA) / terminal length 0 (other Cisco devices)
The following commands are used to check for specific configurations. Note - This list will grow as new QIDs are introduced.
show dlsw statistics
show ipv6 dhcp binding
show ip igmp interface
show ip ips interfaces
show ipv6 interface
show ipdr exporter
show ip interface brief
show ip cef detail
show snmp group
show udp
show sgbp
show rtr responder
show processes
show running-config
show vrf
show configuration
show ntp authentication-status
show run
show object-group
show vstack config
The following commands are used for QID 45012 "Cisco Tool Command Language (Tcl) Shell".
tclsh
tclquit
2) We need port 22 (for SSH authentication) or port 23 (for Telnet authentication). If Telnet is the only option for the target you must select the Clear Text Password option in the record since Telnet is an insecure protocol (all information is sent in clear text). We’ll use strong password encryption for remote login, if possible, and fall back to transmitting credentials in clear text only when the Clear Text Password option is selected.
3) Your password must not include any spaces.