Set Up Cisco Authentication

Create Cisco records to allow the service to authenticate to Cisco devices that support the SSH protocol (SSH1 and SSH2) and telnet.

Which technologies are supported?

For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article: Authentication Technologies Matrix


1) The user account you provide for authentication must have privilege level 15 (equivalent to root-level privileges) on the Cisco device in order to perform all checks. Learn more about commands and privilege levels.

2) We need port 22 (for SSH authentication) or port 23 (for Telnet authentication). If Telnet is the only option for the target you must select the Clear Text Password option in the record since Telnet is an insecure protocol (all information is sent in clear text). We’ll use strong password encryption for remote login, if possible, and fall back to transmitting credentials in clear text only when the Clear Text Password option is selected.

3) Your password must not include any spaces.

Note - The "enable" feature is supported for compliance scans only, not vulnerability scans.

Whether or not the "enable" password is required depends on the target hosts you'll be scanning.

Hosts with Cisco IOS, Cisco IOS XE and Cisco ASA - The "enable" password is required. (The "enable" command on these hosts requires a password.)

Hosts with Cisco NX-OS - The "enable" password is not required.

(Note - The pooled credentials feature is not supported if the "enable" command requires a password and the password is specified.)

Clear Text Password - Select this option to allow your user account password to be transmitted in clear text when connecting to services that do not support strong password encryption.

The scanning engine needs to find login services in order to successfully authenticate to Unix/Cisco IOS hosts and perform compliance assessment. By default, these well-known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Any one of these services is sufficient for authentication. If services (SSH, telnet, rlogin) are not running on well-known ports for the hosts you will be scanning, then you must define a custom ports list.

Note: The actual ports scanned also depend on the Ports setting in the compliance option profile used at scan time.


If Standard Scan is selected in the compliance profile, then these ports will be scanned: the standard ports list (about 1900 ports) provided by the service, including ports 22, 23 and 513, plus the custom ports specified in the authentication record.

If Targeted Scan is selected in the compliance profile, then these ports will be scanned: the custom ports specified in the authentication record only (no other ports).

Refer to the table below:

Compliance Profile | Authentication Record | Ports Scanned
-------------------|-----------------------|------------------------------------------
Standard Scan      | Well Known Ports      | ~1900 Ports (includes Ports 22, 23, 513)
Standard Scan      | Custom Ports          | ~1900 Ports + Custom Ports in record
Targeted Scan      | Well Known Ports      | Ports 22, 23 and 513 only
Targeted Scan      | Custom Ports          | Custom Ports in record only

Select the target hosts (IPs) to authenticate to. The IPs you include in this record cannot also be included in a Unix or Checkpoint Firewall record.

For Cisco authentication, we support integration with multiple third party password vaults. Just go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your record, select your vault name and provide vault settings. At scan time, we'll authenticate to hosts using the account name in your record and the password we find in your vault.

Vault Configuration for Compliance Scans

You must configure the user account in such a way that the "enable" command enters the privileged shell automatically without prompting for a 2nd password. This is because the supported vaults only store a single password in a file.
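To make the record constraints described above concrete (password format, Telnet and the Clear Text Password option, when an "enable" password is required, pooled credentials, vault use, and IP overlap with Unix/Checkpoint records), here is an added Python example. It is not Qualys code; the record fields, OS labels and error strings are my own assumptions, and it only checks the record itself, not the device.

```python
"""Check a candidate Cisco authentication record against the rules on this page.
Added example, not Qualys code: field names and messages are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Platforms on which the "enable" command requires a password (per the page);
# NX-OS is deliberately absent because it does not need one.
ENABLE_REQUIRED = {"IOS", "IOS XE", "ASA"}


@dataclass
class CiscoRecord:
    os: str                                  # "IOS", "IOS XE", "ASA" or "NX-OS"
    username: str
    password: str
    protocol: str = "ssh"                    # "ssh" (port 22) or "telnet" (port 23)
    clear_text_password: bool = False        # the Clear Text Password option
    enable_password: Optional[str] = None    # compliance scans only
    use_vault: bool = False                  # Authentication Vault selected
    pooled_credentials: bool = False
    ips: Set[str] = field(default_factory=set)


def validate(rec: CiscoRecord, other_record_ips: Set[str] = frozenset()) -> List[str]:
    """Return a list of problems; an empty list means the record is acceptable.
    other_record_ips: IPs already used by Unix or Checkpoint Firewall records."""
    problems: List[str] = []
    if " " in rec.password:
        problems.append("password must not contain spaces")
    if rec.protocol == "telnet" and not rec.clear_text_password:
        problems.append("telnet-only target requires the Clear Text Password option")
    if rec.os in ENABLE_REQUIRED and not rec.enable_password and not rec.use_vault:
        problems.append(f"{rec.os} hosts require an enable password")
    if rec.pooled_credentials and rec.enable_password:
        problems.append("pooled credentials are not supported when an enable password is specified")
    if rec.use_vault and rec.enable_password:
        # A vault stores a single password, so the account itself must reach
        # the privileged shell without a second prompt.
        problems.append("vault records cannot carry a separate enable password")
    overlap = rec.ips & set(other_record_ips)
    if overlap:
        problems.append(f"IPs also present in a Unix/Checkpoint record: {sorted(overlap)}")
    return problems


if __name__ == "__main__":
    # Constructed sample: Telnet-only IOS device whose IP is already in a Unix record.
    bad = CiscoRecord(os="IOS", username="scan", password="s3cret",
                      protocol="telnet", ips={"10.0.0.1"})
    for p in validate(bad, {"10.0.0.1"}):
        print("problem:", p)
```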

Password-based authentication to a TACACS server is supported. This server follows the SSH user authentication specification.

When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager to the record settings will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager.


Tip: The password you provide for authentication must not include any spaces.