To get to this page: Select Authentication Records from the left menu. Go to New > Cisco IOS Record (or click Edit next to the Cisco IOS record you want to change).
Each Cisco IOS authentication record contains Cisco IOS authentication credentials and a list of hosts that those credentials apply to. You must supply a user account to be used by the scanning engine to log into target hosts, and optionally a password for the user account. If the "enable" command on the target hosts requires a password, then you must also provide the enable password in the authentication record.
When the compliance module is enabled, users with compliance privileges can launch compliance scans to determine whether hosts comply with user-defined policies. Successful authentication is required for compliance scans, and the account provided for authentication must have superuser (root) level privileges on the target hosts. If the account does not have root level privileges, or if authentication to a host fails, compliance analysis cannot be performed on that host.
When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager to the record settings will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager.
Title. Enter a unique, descriptive title for this record. The record title will be referenced in scan results when authentication fails so you can go back and verify the authentication credentials. The title may contain a maximum of 255 characters.
Specify user login credentials to be used for authentication.
User Name. The user account to be used for authentication. This account must be able to execute certain commands. See Cisco IOS Authentication Setup for complete details.
Password/Confirm Password. The password corresponding to the user account. Note that as you type the password or when you edit this record, your password will be replaced with asterisks (***) for security reasons.
Enable Password/Confirm Enable Password. The password required for executing the "enable" command on the target hosts. Like with the user account password, the enable password will be replaced with asterisks (***) for security reasons. (Note: The pooled credentials feature is not supported if the “enable” command requires a password and the password is specified.)
Clear Text Password. Select this option to allow your user account password to be transmitted in clear text when connecting to services that do not support strong password encryption. Of the login services the scanning engine uses, telnet and rlogin send the password unencrypted, while SSH does not. Leave this option cleared unless you must authenticate over telnet or rlogin, because anyone able to observe the network path between the scanner and the host can capture the password. See Clear Text Password.
Select all target hosts that the scanning engine should log into with the specified credentials. Each IP address may appear in only one Cisco IOS record or one Unix record; the same IP cannot be in both a Cisco IOS record and a Unix record.
Available IPs. A list of IPs in your account that are not currently part of another Cisco IOS record or Unix record. From this list, select the IPs you want to include, and click Add. Click Add All to add all available IPs to this record.
Assigned IPs. This is a list of IP addresses and ranges added to this record. To remove an IP from the record, select it and click Remove. To remove all IPs from the record, click Remove All.
Expand. Select an IP range and click the Expand button to view a complete list of all IPs within the range. This allows you to select individual IPs from inside a range (instead of selecting the entire range).
Manually. Select to manually add or remove IP addresses. A pop-up will appear where you can type or paste in a list of IPs. Then click Add to add the IPs to the record or click Remove to remove the IPs from the record.
Asset Group. Select to copy IPs from an asset group to this record. A pop-up will appear prompting you to select the asset group you want to copy IPs from. Select the asset group and click Add.
(Applicable to policy compliance scans only.)
The scanning engine needs to find login services in order to successfully authenticate to Unix/Cisco IOS hosts and perform compliance assessment. By default, these well known ports are scanned: 22 (SSH), 23 (telnet) and 513 (rlogin). Any one of these services is sufficient for authentication. If services (SSH, telnet, rlogin) are not running on these well known ports for the hosts you will be scanning, then you must define a custom ports list.
Well Known Ports. The service scans for the login services (SSH, telnet, rlogin) on their well known ports (22, 23 and 513 respectively).
Custom Ports. The service scans a custom list of ports. Select this option if the login services (SSH, telnet, rlogin) are not running on ports 22, 23 and 513 on the hosts you will be scanning. Enter multiple ports separated by commas. Note: The ports actually scanned also depend on the Ports setting in the compliance option profile.
If Standard Scan is selected in the compliance profile, then these ports will be scanned: the standard ports list (about 1900 ports) provided by the service, which includes ports 22, 23 and 513, plus any custom ports specified in the authentication record.
If Targeted Scan is selected in the compliance profile, then only the ports from the authentication record will be scanned: ports 22, 23 and 513 when Well Known Ports is selected, or the custom ports only (no other ports) when Custom Ports is selected.
See the table below to better understand which ports are scanned based on your settings.
compliance profile | authentication record | ports scanned
Standard Scan | Well Known Ports | ~1900 ports (includes ports 22, 23, 513)
Standard Scan | Custom Ports | ~1900 ports + custom ports in record
Targeted Scan | Well Known Ports | Ports 22, 23 and 513 only
Targeted Scan | Custom Ports | Custom ports in record only
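The port logic in the table above, as an added example that is not part of the Qualys documentation or product: a Python pre-flight script that derives the login ports the scanner will try from the compliance profile setting and the authentication record setting, and then connects to each of those ports on a target host to confirm that SSH, telnet or rlogin actually answers there before a compliance scan is launched. The function names and the loopback listener that stands in for a device's SSH port are this example's own assumptions.

```python
"""Pre-flight check for the login ports of a Cisco IOS authentication record.

Added example; not part of the Qualys documentation or product. It derives the
ports on which the scanner can find a login service (SSH, telnet, rlogin) from
the compliance profile's Ports setting and the record's login-port setting, then
probes those ports on a host so a record that would miss the device's SSH
service is caught before the scan. Names and the loopback test listener are
assumptions of this example.
"""
import socket
import threading
from typing import Optional

WELL_KNOWN_PORTS = [22, 23, 513]  # SSH, telnet, rlogin


def parse_custom_ports(text: str) -> list:
    """Parse the comma-separated Custom Ports field, rejecting non-port values."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port {item!r} in custom ports list")
        if int(item) not in ports:
            ports.append(int(item))
    return ports


def login_ports_to_probe(profile: str, record_setting: str, custom: str = "") -> list:
    """Ports where the scanner can find a login service, following the table.

    profile: "standard" or "targeted" (compliance option profile Ports setting).
    record_setting: "well_known" or "custom" (authentication record setting).
    The ~1900-port standard list is not reproduced (it is not on the page); only
    its login-relevant members 22, 23 and 513 matter for this check.
    """
    if record_setting not in ("well_known", "custom"):
        raise ValueError(f"unknown record setting {record_setting!r}")
    custom_ports = parse_custom_ports(custom) if record_setting == "custom" else []
    if profile == "standard":
        return WELL_KNOWN_PORTS + [p for p in custom_ports if p not in WELL_KNOWN_PORTS]
    if profile == "targeted":
        return custom_ports if record_setting == "custom" else list(WELL_KNOWN_PORTS)
    raise ValueError(f"unknown profile setting {profile!r}")


def classify_banner(port: int, first_bytes: bytes) -> str:
    """Name the service from what the server sends first after connect.

    SSH servers send an "SSH-" version line; telnet servers usually begin option
    negotiation with IAC (0xff); an rlogin server waits for the client to speak,
    so an open port 513 that sends nothing can only be reported as unconfirmed.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes[:1] == b"\xff":
        return "telnet"
    if port == 513 and not first_bytes:
        return "rlogin (open, unconfirmed)"
    return "unknown"


def probe_port(host: str, port: int, timeout: float = 2.0) -> Optional[str]:
    """Connect to host:port and classify the service; None if closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            try:
                first = conn.recv(64)
            except socket.timeout:
                first = b""
    except OSError:
        return None
    return classify_banner(port, first)


def check_host(host: str, ports: list, timeout: float = 2.0) -> dict:
    """Probe every candidate port on one host."""
    return {port: probe_port(host, port, timeout) for port in ports}


def has_login_service(results: dict) -> bool:
    """The record can authenticate to the host only if some port answers as a login service."""
    return any(v is not None and v != "unknown" for v in results.values())


def start_fake_ssh_listener(banner: bytes = b"SSH-2.0-Cisco-1.25\r\n") -> int:
    """Constructed stand-in for a device's SSH port on loopback; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # A device whose SSH service was moved off port 22, simulated on loopback.
    # With Targeted Scan and Custom Ports set to that port, only it is tried.
    ssh_port = start_fake_ssh_listener()
    results = check_host("127.0.0.1", login_ports_to_probe("targeted", "custom", str(ssh_port)))
    print(results, "usable:", has_login_service(results))
    # The same device with Targeted Scan and Well Known Ports: 22, 23, 513 only,
    # so the relocated SSH service is never found and authentication fails.
    print(login_ports_to_probe("targeted", "well_known"))
```

Run it against a real target by replacing the loopback listener with the host's IP and the record's actual custom ports; a result with no ssh/telnet/rlogin entry means the authentication record, not the credentials, is the reason the compliance scan will report authentication failure.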
Enter important notes about the authentication credentials or target hosts.
Save. Click to save the record and return to the authentication records list.
Cancel. Click to return to the authentication records list without saving your changes.