Cisco IOS authentication records contain authentication credentials and the target hosts that those credentials apply to. Using these credentials, the scanning engine is able to log into Cisco IOS devices that support the SSH protocol (SSH1 and SSH2) and telnet, and gain access to information that would otherwise not be available.
When the compliance module is enabled, users with compliance privileges can launch compliance scans to identify whether hosts are compliant with user-defined policies. Successful authentication is required for compliance scans. For compliance scans, the user account provided for authentication must have superuser (root) privileges. If root privileges are not provided or if authentication to hosts fails, then compliance analysis cannot be performed on the hosts.
The privilege to create authentication records is granted to all Managers automatically. Managers may grant Unit Managers the privilege to create authentication records for hosts in their business unit. This option is set when creating or editing a Unit Manager's account.
Important: For compliance scans, root-level access is required.
1. Select Authentication Records from the left menu, under Tools.
2. Go to New > Cisco IOS Record.
3. In the Title field, enter a descriptive name for this record.
4. On the Login Credentials tab, specify the user name and password to be used for authentication. If the "enable" command on the target hosts requires a password, then you must also provide the enable password in the authentication record. See Login Credentials for details.
5. (Optional) In the Policy Compliance section, identify custom ports to scan for authentication and compliance assessment. By default, these well-known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). If the services (SSH, telnet, rlogin) are not running on these well-known ports on the hosts you will be scanning, then you must define a custom ports list. See Policy Compliance for details.
6. On the IPs tab, select all hosts that the scanning engine should log into with the specified credentials. Each IP address may be included in one Cisco IOS record or one Unix record. The same IP may not be included in both a Cisco IOS record and a Unix record.
7. In the Comments section, enter notes about the account, credentials or hosts.
8. Click Save.
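The steps above impose a few rules that are easy to get wrong when records are prepared in bulk (for example from an inventory export): a record needs a title and login credentials, a Cisco IOS record needs an enable password when the device's "enable" command prompts for one, custom ports must be valid port numbers, and no IP may appear in more than one Cisco IOS or Unix record. The following is an added example, not code from the product or its documentation; it models a record with assumed field names (title, login, password, enable_password, custom_ports, ips, and an assumed enable_requires_password flag describing the target devices) and checks those rules before anything is saved.

```python
"""Pre-save checks for Cisco IOS / Unix authentication record definitions.

Added example, not part of the product documentation. The record fields and
the enable_requires_password flag are assumptions for illustration; the
product's own data model may differ.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Ports scanned when no custom ports list is defined (from the procedure above).
DEFAULT_PORTS = {22: "SSH", 23: "telnet", 513: "rlogin"}
RECORD_KINDS = ("cisco_ios", "unix")


@dataclass
class AuthRecord:
    kind: str                      # "cisco_ios" or "unix" (assumed field)
    title: str                     # descriptive name for the record
    login: str                     # user name used for authentication
    password: str                  # password used for authentication
    ips: List[str]                 # hosts the scanner logs into with these credentials
    enable_password: Optional[str] = None        # needed only if "enable" prompts for one
    custom_ports: List[int] = field(default_factory=list)
    enable_requires_password: bool = False       # assumed: do the target devices prompt?


def scan_ports(record: AuthRecord) -> List[int]:
    """Ports the scanner will try: the custom list if defined, else the well-known ones."""
    return sorted(record.custom_ports) if record.custom_ports else sorted(DEFAULT_PORTS)


def validate_record(record: AuthRecord) -> List[str]:
    """Return a list of problems with a single record (empty list means it is acceptable)."""
    problems: List[str] = []
    if record.kind not in RECORD_KINDS:
        problems.append(f"unknown record kind {record.kind!r}")
    if not record.title.strip():
        problems.append("title is required")
    if not record.login or not record.password:
        problems.append("login credentials (user name and password) are required")
    # Cisco IOS devices whose "enable" command asks for a password need it in the record.
    if (record.kind == "cisco_ios" and record.enable_requires_password
            and not record.enable_password):
        problems.append("enable password is required because 'enable' prompts for one")
    for port in record.custom_ports:
        if not 1 <= port <= 65535:
            problems.append(f"custom port {port} is outside 1-65535")
    for ip in record.ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"{ip!r} is not a valid IP address")
    return problems


def find_ip_conflicts(records: List[AuthRecord]) -> Dict[str, List[str]]:
    """Map each IP that appears in more than one record to the titles of those records.

    Each IP may belong to exactly one Cisco IOS record or one Unix record, so any
    IP seen twice, regardless of record kind, is a conflict.
    """
    seen: Dict[str, List[str]] = {}
    for record in records:
        for ip in record.ips:
            seen.setdefault(ip, []).append(record.title)
    return {ip: titles for ip, titles in seen.items() if len(titles) > 1}


if __name__ == "__main__":
    # Constructed sample records; credentials and addresses are placeholders.
    routers = AuthRecord("cisco_ios", "Core routers", "scanner", "PLACEHOLDER",
                         ["10.0.0.1"], enable_password="PLACEHOLDER",
                         enable_requires_password=True)
    servers = AuthRecord("unix", "Unix hosts", "scanner", "PLACEHOLDER",
                         ["10.0.0.1", "10.0.0.2"], custom_ports=[2222])
    for rec in (routers, servers):
        print(rec.title, "ports:", scan_ports(rec), "problems:", validate_record(rec))
    print("IP conflicts:", find_ip_conflicts([routers, servers]))
```

Running the module reports the scanned ports per record and flags 10.0.0.1 as present in both the Cisco IOS and the Unix record, which the procedure does not allow.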
After creating a Cisco IOS record, you must enable this feature in your scan options for vulnerability scans. Create or edit an option profile and select the Unix/Cisco IOS option under Authentication on the Scan tab. Then apply that profile to vulnerability scan tasks.
Note that Unix/Cisco IOS authentication is automatically enabled in compliance profiles for compliance scan tasks.