blocking login profiles

May 2nd, 2007

I think this should be pretty straightforward, but am having an impossible time getting blocking to work. I have an IPS 4240 with software version 6 and have configured many login profiles to try to get my ASA to shun a host triggering a signature using the host block option. Setup is host -> switch -> IPS spanning uplink port -> router -> ASA -> Internet

I've tried manually adding the block on the host, and while it appears in the active host blocks monitoring section, the host is still able to reach anywhere on the Internet. I also see an ARC event stating wrong username/password combination. Seems like a simple fix, but I'm fairly sure I'm putting in the correct username and password. I've retrieved the SSH key from the ASA while on the IPS and have tried using Telnet also. I've enabled any host on my LAN to telnet to the PIX in an effort to troubleshoot, but it's not working either. I'm using Cisco ACS with my ASA, and have tried domain\username and [email protected] and just plain username, but none work.


Thank you,


Bill

rhermes Wed, 05/02/2007 - 14:52

We've had shunning between a 5.x sensor and ASA working. To troubleshoot, use Telnet between the sensor and the ASA. Then sniff the traffic using Ethereal/Wireshark. Follow the TCP session to watch the commands between the two; this should show you where things are going wrong.
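The stream inspection suggested above, as an added example that is not part of the original thread: once you have the sensor-to-ASA Telnet session captured (Follow TCP Stream in Wireshark, or the per-direction payloads from a pcap), the script below strips the Telnet option negotiation (the IAC sequences, which show up as stray characters in an ASCII view of the stream), reassembles what each side sent, and reports the username and password the sensor actually typed at each prompt, whether the ASA handed back a command prompt afterwards, and which commands followed. The payloads in SAMPLE_OK and SAMPLE_FAIL are constructed for illustration; the banner text, prompt strings, credentials, shun syntax and host address in them are assumptions, not a real capture of an ARC session.

```python
"""Reconstruct the cleartext Telnet login between an IPS sensor (ARC) and an ASA
from captured per-direction TCP payloads. Added example, not code from the
thread; sample payloads are constructed, not a real capture."""

# Telnet protocol bytes (RFC 854).
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC option negotiation so only typed/displayed characters remain."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:
            break                          # truncated IAC at end of segment
        elif data[i + 1] == IAC:
            out.append(IAC)                # escaped literal 0xFF
            i += 2
        elif data[i + 1] in (DO, DONT, WILL, WONT):
            i += 3                         # IAC <cmd> <option>
        elif data[i + 1] == SB:            # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2                         # other two-byte commands (NOP, GA, ...)
    return bytes(out)


def telnet_transcript(payloads):
    """payloads: [(direction, bytes)] in capture order, direction 'sensor' or 'asa'.
    Returns [(direction, text)] with negotiation stripped and runs merged."""
    merged = []
    for direction, data in payloads:
        text = strip_telnet_negotiation(data).decode("ascii", errors="replace")
        if not text:
            continue
        if merged and merged[-1][0] == direction:
            merged[-1] = (direction, merged[-1][1] + text)
        else:
            merged.append((direction, text))
    return merged


def extract_login(transcript):
    """Walk the exchange prompt by prompt and record what the sensor typed.
    Assumes the sensor sends whole lines ending in CRLF (sensor input is buffered
    until CRLF, so it also copes with the ASA echoing characters back)."""
    result = {"username": None, "password": None, "enable_password": None,
              "login_ok": False, "commands": []}
    state, buf = None, ""
    for direction, text in transcript:
        if direction == "asa":
            tail = text.rstrip().lower()
            if tail.endswith(("username:", "login:")):
                state = "username"
            elif tail.endswith("password:"):
                state = "enable_password" if result["login_ok"] else "password"
            elif tail.endswith((">", "#")) and result["password"] is not None:
                result["login_ok"] = True  # got a CLI prompt after the password
                state = "command"
            continue
        buf += text
        while "\r\n" in buf:
            line, buf = buf.split("\r\n", 1)
            if state in ("username", "password", "enable_password"):
                if result[state] is None:
                    result[state] = line
                state = None
            elif state == "command":
                result["commands"].append(line)
    return result


def analyze_capture(payloads):
    return extract_login(telnet_transcript(payloads))


# Constructed samples (not real captures). Option negotiation is interleaved
# with the banner exactly where it would confuse a plain ASCII view.
_NEG_SRV = bytes([IAC, WILL, 1, IAC, WILL, 3])   # WILL ECHO, WILL SUPPRESS-GO-AHEAD
_NEG_CLI = bytes([IAC, DO, 1, IAC, DO, 3])
_BANNER = b"\r\nUser Access Verification\r\n\r\nUsername: "

SAMPLE_OK = [
    ("asa", _NEG_SRV + _BANNER), ("sensor", _NEG_CLI + b"ipsblock\r\n"),
    ("asa", b"Password: "), ("sensor", b"L0gin-Pass\r\n"),
    ("asa", b"\r\nciscoasa> "), ("sensor", b"enable\r\n"),
    ("asa", b"Password: "), ("sensor", b"En4ble-Pass\r\n"),
    ("asa", b"ciscoasa# "), ("sensor", b"shun 10.4.99.50\r\n"),
    ("asa", b"ciscoasa# "),
]
SAMPLE_FAIL = [  # ASA rejects the password and simply re-prompts
    ("asa", _NEG_SRV + _BANNER), ("sensor", _NEG_CLI + b"ipsblock\r\n"),
    ("asa", b"Password: "), ("sensor", b"Wr0ng-Pass\r\n"),
    ("asa", b"\r\nUsername: "), ("sensor", b"ipsblock\r\n"),
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("fail", SAMPLE_FAIL)):
        print(name, analyze_capture(sample))
```

Compare the recovered username and password byte for byte with what is configured in the sensor's login profile; a stray character, a missing domain prefix or a blank where the enable password should be is exactly the kind of mismatch the ARC "Wrong username/password" error hides. A login_ok of False with the ASA re-prompting confirms the rejection happened at the device, not in ARC.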

WILLIAM STEGMAN Thu, 05/03/2007 - 05:09

I've not been able to use the telnet or ssh command from the CLI on the sensor, and don't see that option from the GUI either. I've tried twice sniffing traffic from the inside interface of my ASA during a test attempt to trigger the block and found only ACKs, and some data containing the message banner, username and password. The username and password looked to both have unusual spaces between them, but I'm not sure if that's just how Ethereal displays the contents or not. I'm definitely able to telnet to my ASA from my desktop using my domain creds and Cisco ACS. Event Viewer logs from the IPS continue to read


evError: eventId=1177685004019530953 vendor=Cisco severity=error
originator:
hostId: HBG-IPS
appName: nac
appInstanceId: 29279
time: May 3, 2007 12:52:02 PM UTC offset=-240 timeZone=UTC
errorMessage: ERROR: Wrong username/password for net device [10.4.99.2] name=errSystemError




Update: I don't know why, but it is working now with local credentials even though my ASA is set up to use Cisco ACS.
