mhellman Mon, 01/28/2008 - 06:44
User Badges:
  • Blue, 1500 points or more

Not directly, no. The best you can do today is to use Cisco Security Manager (CSM) to manage your sensors and configure AAA in CSM.

clausonna Mon, 01/28/2008 - 10:17
User Badges:
  • Bronze, 100 points or more

I just got bitten by this. CSM has the option (Tools-> Security Manager Administration -> Device Communication) to use "Security Manager Device Credentials" or "Security Manager User Login Credentials". The former will use whatever account info you configured when you added the device, and the latter will use whatever username is currently doing the config changes via CSM.


The latter option is preferable when you're in an ACS / AAA environment, because then TACACS+/RADIUS account logs will show the user that actually made the modifications.


I tried to switch to that option, but since the IPS devices don't support AAA, CSM choked and couldn't complete the update.


As far as I can tell the change affects all CSM-managed devices; you can't change it on a per-device basis. So to get this to work I'd have to have every user that manages IPS devices log in to each IPS sensor (two dozen+) and create a local username/pass that matches their current login creds.


CSM doesn't support configuring AAA on IPS sensors, since the sensors themselves don't support it. Everything is local. Other posts here seem to claim "well, your IPS sensors are -supposed- to be secure" but I don't buy it. Having multiple, independent local accounts spread out over dozens of sensors seems LESS secure.

mhellman Mon, 01/28/2008 - 12:15
User Badges:
  • Blue, 1500 points or more

That jives with my understanding. The sensors don't support AAA and the addition of CSM doesn't change that.


The best you can probably do is:


1) configure AAA in CSM

2) configure CSM to use a "process account" for logging into the sensors (i.e. "security manager device creds")

3) configure the sensors to ONLY allow connections from specific IP addresses (like CSM and MARS).


The last step is big...if you can do it. You might want to add a trusted server that only the IDS team has access to in the event that CSM dies for some reason and you need to reach a sensor.
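As an added illustration of step 3 (not part of the post above): on a Cisco IPS 5.x/6.x sensor the management access list lives under the host service, and anything not listed is refused at the sensor's management interface. The addresses below are placeholders, and the exact prompt strings are assumed from the IPS CLI rather than quoted from this thread.

```text
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
! Allow the CSM server and the MARS appliance (placeholder addresses)
sensor(config-hos-net)# access-list 192.0.2.10/32
sensor(config-hos-net)# access-list 192.0.2.20/32
! Jump host reachable only by the IDS team, for when CSM is down
sensor(config-hos-net)# access-list 192.0.2.30/32
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes
sensor(config)# exit
! Verify before disconnecting; a wrong entry here locks you out of the sensor
sensor# show settings | include access-list
```

Add the jump-host entry before removing any broader range, and check it from that host while your current session is still open.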

mhellman Tue, 06/03/2008 - 08:10
User Badges:
  • Blue, 1500 points or more

You configure CSM to use AAA/ACS for access by users. You add sensors into CSM using the normal process (this won't have anything to do with AAA or Cisco ACS).

jpazahanick Tue, 06/03/2008 - 08:36
User Badges:

I'm getting a 'Device Not Authorized' / 'The device is not in the Cisco Secure ACS' error, but this could be because the device is running 6.1, and I just read CSM 3.2 doesn't support 6.1 yet.
