AIP-SSM AAA Authentication?

bkhickman · ‎05-08-2007

I was wondering if the AIP-SSM module on a ASA 5510 or 5540 can authenticate users against a Tacacs+ server? If so can you configure it so you can use ssh to login on to the device with authentication through Tacacs+?

I have my ASA set up so I can ssh into it and then I can session 1 into the AIP-SSM module. But, can you ssh directly into the device?

Thanks,

Brian

marcabal · ‎05-08-2007

The IPS software on the AIP-SSM does not support TACACS+ for authentication.

All usernames and passwords for IPS AIP-SSM module have to be stored locally on the module.

You can ssh directly to the management IP Address of the IPS AIP-SSM. You would just need to use a username that was created locally on the IPS AIP-SSM instead of a TACACS+ account.

bkhickman · ‎05-10-2007

Thanks for the response. I did manage to talk with a Cisco engineer on this and they confirmed what you are saying.

In addition they said that you can only ssh into the module from the local subnet that the AIP-SSM interface is configured on.

Interesting.

Brian

vitripat · ‎05-10-2007

"you can only ssh into the module from the local subnet that the AIP-SSM interface is configured on. "

Thats not true. You can access AIP-SSM module from any network. All you need is access-list entries on the AIP-SSM module permitting the access and proper gateway IP configured.

Authentication of usernames using AAA is not available though.

Regards,

Vibhor.

bkhickman · ‎05-11-2007

Thanks, for that response. But, how would you configure that? I don't seem to be able to get it working. I am trying to connect from the 172.30.4.0 network. And, I can ssh to other devices in the 172.30.8.0 network. This is my testing AIP-SSM configuration:

! Version 5.1(1)

! Current configuration last modified Tue May 08 10:58:18 2007

! ------------------------------

service interface

exit

! ------------------------------

service analysis-engine

exit

! ------------------------------

service authentication

attemptLimit 3

exit

! ------------------------------

service event-action-rules rules0

exit

! ------------------------------

service host

network-settings

host-ip 172.30.15.66/28,172.30.15.65

host-name RecMgtSensor

telnet-option disabled

access-list 172.30.4.0/23

access-list 172.30.8.0/23

exit

time-zone-settings

offset -300

standard-time-zone-name GMT-05:00

exit

summertime-option recurring

offset 60

summertime-zone-name GMT-05:00

start-summertime

month march

week-of-month second

exit

end-summertime

month november

week-of-month first

exit

! ------------------------------

service logger

exit

! ------------------------------

service network-access

exit

! ------------------------------

service notification

exit

! ------------------------------

service signature-definition sig0

exit

! ------------------------------

service ssh-known-hosts

exit

! ------------------------------

service trusted-certificates

exit

! ------------------------------

service web-server

exit

Any help would be appreciated.

Thanks,

Brian

vitripat · ‎05-11-2007

Sure ..

host-ip 172.30.15.66/28,172.30.15.65

As per the above line, 172.30.15.66 is the IP address on management port on SSM and 172.30.15.65 is the gateway for SSM module. If this 172.30.15.65 is a router or some other device, please make sure 172.30.4.0/23 network is reachable from 172.30.15.65. Also, make sure there is noting in between 172.30.15.66 and 172.30.4.0/23 network which may block the traffic.

Hope that helps.

Regards,

Vibhor.