05-08-2007 09:40 AM - edited 03-10-2019 03:35 AM
I was wondering if the AIP-SSM module on a ASA 5510 or 5540 can authenticate users against a Tacacs+ server? If so can you configure it so you can use ssh to login on to the device with authentication through Tacacs+?
I have my ASA set up so I can ssh into it and then I can session 1 into the AIP-SSM module. But, can you ssh directly into the device?
Thanks,
Brian
05-08-2007 10:40 AM
The IPS software on the AIP-SSM does not support TACACS+ for authentication.
All usernames and passwords for IPS AIP-SSM module have to be stored locally on the module.
You can ssh directly to the management IP Address of the IPS AIP-SSM. You would just need to use a username that was created locally on the IPS AIP-SSM instead of a TACACS+ account.
05-10-2007 09:28 AM
Thanks for the response. I did manage to talk with a Cisco engineer on this and they confirmed what you are saying.
In addition they said that you can only ssh into the module from the local subnet that the AIP-SSM interface is configured on.
Interesting.
Brian
05-10-2007 11:24 AM
"you can only ssh into the module from the local subnet that the AIP-SSM interface is configured on."
That's not true. You can access the AIP-SSM module from any network. All you need is access-list entries on the AIP-SSM module permitting the access and a proper gateway IP configured.
Authentication of usernames using AAA is not available though.
Regards,
Vibhor.
05-11-2007 10:35 AM
Thanks for that response. But how would you configure that? I don't seem to be able to get it working. I am trying to connect from the 172.30.4.0 network, and I can ssh to other devices in the 172.30.8.0 network. This is my testing AIP-SSM configuration:
! Version 5.1(1)
! Current configuration last modified Tue May 08 10:58:18 2007
! ------------------------------
service interface
exit
! ------------------------------
service analysis-engine
exit
! ------------------------------
service authentication
attemptLimit 3
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 172.30.15.66/28,172.30.15.65
host-name RecMgtSensor
telnet-option disabled
access-list 172.30.4.0/23
access-list 172.30.8.0/23
exit
time-zone-settings
offset -300
standard-time-zone-name GMT-05:00
exit
summertime-option recurring
offset 60
summertime-zone-name GMT-05:00
start-summertime
month march
week-of-month second
exit
end-summertime
month november
week-of-month first
exit
exit
exit
! ------------------------------
service logger
exit
! ------------------------------
service network-access
exit
! ------------------------------
service notification
exit
! ------------------------------
service signature-definition sig0
exit
! ------------------------------
service ssh-known-hosts
exit
! ------------------------------
service trusted-certificates
exit
! ------------------------------
service web-server
exit
Any help would be appreciated.
Thanks,
Brian
05-11-2007 12:35 PM
Sure ..
host-ip 172.30.15.66/28,172.30.15.65
As per the above line, 172.30.15.66 is the IP address on the management port of the SSM and 172.30.15.65 is the gateway for the SSM module. If 172.30.15.65 is a router or some other device, please make sure the 172.30.4.0/23 network is reachable from 172.30.15.65. Also, make sure there is nothing in between 172.30.15.66 and the 172.30.4.0/23 network which may block the traffic.
Hope that helps.
Regards,
Vibhor.
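As an added example (not from the thread, Cisco, or the sensor software), here is a small Python check that parses the sensor's network-settings block quoted above and reports, for a given management station address, the two conditions this answer depends on: whether an access-list entry permits that address, and whether the reply must leave the management subnet via the configured gateway. The config excerpt is copied from the thread; the function and field names are my own.

```python
import ipaddress

# Excerpt of the `service host` block posted in the thread (constructed from it).
SENSOR_CONFIG = """\
service host
network-settings
host-ip 172.30.15.66/28,172.30.15.65
host-name RecMgtSensor
telnet-option disabled
access-list 172.30.4.0/23
access-list 172.30.8.0/23
exit
"""


def parse_network_settings(config_text):
    """Return (management interface, gateway, [permitted networks]) from a sensor config."""
    iface = gateway = None
    acl = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("host-ip "):
            # Format is <address>/<prefix>,<gateway>
            addr_mask, gw = line.split(None, 1)[1].split(",")
            iface = ipaddress.ip_interface(addr_mask.strip())
            gateway = ipaddress.ip_address(gw.strip())
        elif line.startswith("access-list "):
            acl.append(ipaddress.ip_network(line.split(None, 1)[1].strip(), strict=False))
    return iface, gateway, acl


def check_management_access(config_text, client_ip):
    """Explain whether client_ip can reach the sensor's management port.

    permitted_by_acl : some access-list entry covers the client address
    same_subnet      : client sits on the management subnet (no gateway needed)
    reply_via_gateway: gateway the sensor uses to answer an off-subnet client
    gateway_on_subnet: sanity check that the configured gateway is reachable at all
    """
    iface, gateway, acl = parse_network_settings(config_text)
    client = ipaddress.ip_address(client_ip)
    same_subnet = client in iface.network
    return {
        "permitted_by_acl": any(client in net for net in acl),
        "same_subnet": same_subnet,
        "reply_via_gateway": None if same_subnet else str(gateway),
        "gateway_on_subnet": gateway in iface.network,
    }
```

If `permitted_by_acl` is True but the off-subnet client still cannot connect, the remaining suspects are the ones named above: the gateway's route back to the client network, or a filter between the two.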