Web admin settings
A web admin setting is a controller management configuration that
- determines how administrators access the controller’s web interface,
- specifies the protocols and interfaces available for remote management, and
- enables customization of user access, source interfaces, and file transfer protocols.
These tasks include setting up the controller for communication with other devices in the network and configuring the management interface to connect over IP.
Use the page to configure system-wide settings.
Configure HTTP/HTTPS access (GUI)
HTTP or HTTPS access allows users to access the controller's WebUI using its IP address. You can allow users to connect securely over HTTPS or over HTTP, which is not a secure connection.
Use the page to configure secure access to the controller.
Before you begin
-
Ensure you have administrator privileges to configure the controller.
-
Obtain the CA-signed server certificate and trustpoint configuration if you are enabling PIV authentication.
-
Collect the client certificate signed by your CA for browsers using PIV.
Procedure
Step 1: Enable HTTP Access and enter the port number for HTTP requests. The default port is 80; valid values are 80 or any port from 1025 to 65535.
Step 2: Enable HTTPS Access on the device and enter the designated port to listen for HTTPS requests. The default port is 1025. You may use port 443 or any port between 1025 and 65535. Enabling HTTPS access allows users to access the controller's GUI using "https://ip-address". On a secure HTTPS connection, data to and from an HTTPS server is encrypted before being sent over the Internet. SSL encryption provides a secure connection for tasks such as configuring a switch from a web browser.
Step 3: Enable Personal Identity Verification (PIV) for two-factor authentication. This method lets users access the WebUI with PIV-compatible smart cards, enabling login without a password. To use this authentication method, configure the trustpoint and CA server certificate on the device. Also, ensure that the browser has the client certificate signed by the CA server. If you do not provide the client certificate, access to the UI is denied.
Step 4: Set the Personal Identity Verification Authorization only option to Enabled. This authorizes a user's permissions and restrictions based on a remote TACACS+ or RADIUS security server.
Step 5: Click Apply to save the configuration.
Configure HTTP trust point (GUI)
Certificate authorities (CAs) manage certificate requests and issue certificates to participating network devices. These services provide centralized security key and certificate management for the participating devices. Specific CA servers are referred to as trustpoints. When a connection attempt is made, the HTTPS server provides a secure connection by issuing a certified X.509v3 certificate, obtained from a specified CA trustpoint, to the client. The client (usually a Web browser), in turn, has a public key that allows it to authenticate the certificate. For secure HTTP connections, we highly recommend that you configure a CA trustpoint. If a CA trustpoint is not configured for the device running the HTTPS server, the server certifies itself and generates the needed RSA key pair. Because a self-certified (self-signed) certificate does not provide adequate security, the connecting client generates a notification that the certificate is self-certified, and the user has the opportunity to accept or reject the connection. This option is useful for internal network topologies (such as testing).
If you do not configure a CA trustpoint and then enable a secure HTTP connection, the device automatically generates either a temporary or a persistent self-signed certificate for the secure HTTP server or client. If the device is not configured with a hostname and domain name, it generates a temporary self-signed certificate. If the switch reboots, it deletes any temporary self-signed certificate and assigns a new one. If the device has been configured with a hostname and domain name, it generates a persistent self-signed certificate. This certificate remains active if you reboot the device or disable the secure HTTP server. The certificate will be available when you re-enable a secure HTTP connection.
Use the Trust Point Configuration section of the page to make these changes.
Before you begin
You must have configured a trustpoint for web administration purposes.
Procedure
Step 1: Tap to enable the trust point.
Step 2: Select the appropriate trust point from the drop-down list to use for web administration purposes. If you have not configured a trust point earlier, you can navigate to the appropriate page and first configure it.
Step 3: Click Apply to save the configuration.
Configure NETCONF YANG (GUI)
NETCONF provides a mechanism to install, manipulate, or delete the configuration of network devices.
If the NETCONF connection is configured to use AAA for authentication purposes, it uses only the default method list and cannot be pointed to use any other named method list.
Use the Netconf Yang Configuration section of the page to make these changes.
Procedure
Step 1: Enable NETCONF.
Step 2: Enter the SSH port number that will be used to facilitate communication between a client and a server. The default port is 830.
Step 3: Click Apply to save the configuration.
Configure timeout policy (GUI)
The Timeout Policy Configuration allows you to set the idle interval for management sessions. Once the timeout is reached, you must log in again to reestablish the connection.
Use the Timeout Policy Configuration section of the page to make these changes.
Procedure
Step 1: In the HTTP Timeout-policy field, enter the maximum number of seconds a connection to the HTTP server remains open before timing out. Once the time value is reached, you must log in again to reestablish the connection.
Step 2: In the Session Idle Timeout field, enter the maximum number of seconds the connection remains open if no data is received or if response data cannot be sent. Note that this value may not affect already existing connections. If the server is too busy, or if the limit on the lifetime or number of requests is reached, the connection may close sooner. The default value is 180 seconds (three minutes).
Step 3: In the Server Life Time field, enter the maximum number of seconds the connection remains open from when the connection is established. Note that the new value might not affect existing connections. If the server is too busy or if the limit on idle time or number of requests is reached, the server may close the connection sooner. The server does not close the connection while actively processing a request. Therefore, the connection might remain open longer than the specified lifetime if processing continues when the limit is reached. In this situation, the connection will close after processing finishes. The default value is 180 seconds (three minutes). The maximum value is 86400 seconds (24 hours).
Step 4: In the Max Number of Requests field, enter the maximum number of requests processed on a persistent connection before it is closed. Note that the new value might not affect existing connections. If the server is too busy, or if the limit on idle time or lifetime is reached, the connection may close before the maximum number of requests is processed. The default value is one. The maximum value is 86400.
Step 5: Click Apply to save the configuration.
Configure VTY (GUI)
VTY is a virtual port that supports Telnet or SSH access for inbound device connections. You can configure the number of simultaneous connections to your device and add security to validate these connections.
Use the VTY section of the page to make these changes.
Procedure
Step 1: Set the number of VTY lines to specify how many users can access the device remotely at the same time. Virtual Terminal Lines, also called Virtual TeleType (VTY), provide remote access to the controller’s CLI without the need to physically connect a laptop to the controller console. The number of VTY lines determines the maximum number of simultaneous connections allowed. Setting the number to a value between zero and 50 allows up to fifty simultaneous Telnet or SSH sessions to the controller. The default is set at 15. We recommend increasing the number of VTY lines to 50 to prevent connectivity disruptions when multiple users access the device.
Step 2: Select the protocol for the remote connection from the VTY Transport Mode drop-down list. You can split the connections based on protocol. For example, lines zero to five might allow SSH connections, and lines 10 to 20 might allow Telnet connections.
Step 3: (Optional) You can add security in the WebUI to validate login requests. To configure AAA authentication and authorization for inbound sessions to VTY lines on your system, first configure a RADIUS or TACACS+ authentication server. Then, select the authentication and authorization list from the appropriate drop-down menus.
Step 4: Click Apply to save the configuration.
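The HTTP/HTTPS, trust point and VTY procedures above each leave a setting that is either secure or not (cleartext HTTP on, HTTPS without a CA trustpoint, Telnet permitted on VTY lines, no AAA list bound). The following added example, not part of this guide, audits a running-config for those conditions; the IOS-XE style command lines and trustpoint/list names in the embedded excerpts are constructed for illustration and assumed to correspond to what the GUI writes.

```python
# Constructed IOS-XE style running-config excerpts (hypothetical device, not from
# the guide) covering the settings the GUI procedures above write.
WEAK_CONFIG = """\
ip http server
ip http secure-server
ip http secure-port 1025
ip http timeout-policy idle 180 life 180 requests 1
netconf-yang
line vty 0 15
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip http secure-port 443
ip http secure-trustpoint WEBADMIN-TP
ip http timeout-policy idle 180 life 180 requests 1
netconf-yang
line vty 0 50
 transport input ssh
 login authentication AAA-LOGIN
 authorization exec AAA-EXEC
"""


def audit_web_admin(config: str) -> list[str]:
    """Return the web-admin weaknesses this guide warns about, found in a config."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    top = {l for l in lines if not l.startswith(" ")}  # global-mode commands only
    findings = []
    if "ip http server" in top:
        findings.append("HTTP (cleartext) management enabled")
    if "ip http secure-server" not in top:
        findings.append("HTTPS management disabled")
    elif not any(l.startswith("ip http secure-trustpoint ") for l in top):
        findings.append("HTTPS has no CA trustpoint; a self-signed certificate will be used")
    # Walk each 'line vty' block; its sub-commands are the indented lines that follow.
    for i, l in enumerate(lines):
        if not l.startswith("line vty"):
            continue
        block = []
        for sub in lines[i + 1:]:
            if not sub.startswith(" "):
                break
            block.append(sub.strip())
        if any(b.startswith("transport input") and "telnet" in b.split() for b in block):
            findings.append(f"{l}: Telnet permitted; restrict to 'transport input ssh'")
        if not any(b.startswith("login authentication ") for b in block):
            findings.append(f"{l}: no AAA authentication list bound")
    return findings
```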