01-28-2008 02:37 AM - edited 03-10-2019 03:57 AM
Hi
Is it possible to configure AAA with Cisco IPS and CSACS?
thanks
01-28-2008 06:44 AM
Not directly, no. The best you can do today is to use Cisco Security Manager (CSM) to manage your sensors and configure AAA in CSM.
01-28-2008 10:17 AM
I just got bitten by this. CSM has the option (Tools -> Security Manager Administration -> Device Communication) to use "Security Manager Device Credentials" or "Security Manager User Login Credentials". The former will use whatever account info you configured when you added the device, and the latter will use whatever username is currently doing the config changes via CSM.
The latter option is preferable when you're in an ACS / AAA environment, because then TACACS+/RADIUS account logs will show the user that actually made the modifications.
I tried to switch to that option, but since the IPS devices don't support AAA, CSM choked and couldn't complete the update.
As far as I can tell the change affects all CSM-managed devices; you can't change it on a per-device basis. So to get this to work I'd have to have every user that manages IPS devices log in to each IPS sensor (two dozen+) and create a local username/pass that matches their current login creds.
CSM doesn't support configuring AAA on IPS sensors, since the sensors themselves don't support it. Everything is local. Other posts here seem to claim "well, your IPS sensors are -supposed- to be secure" but I don't buy it. Having multiple, independent local accounts spread out over dozens of sensors seems LESS secure.
01-28-2008 12:15 PM
That jibes with my understanding. The sensors don't support AAA and the addition of CSM doesn't change that.
The best you can probably do is:
1) configure AAA in CSM
2) configure CSM to use a "process account" for logging into the sensors (i.e. "security manager device creds")
3) configure the sensors to ONLY allow connections from specific IP addresses (like CSM and MARS).
The last step is big...if you can do it. You might want to add a trusted server that only the IDS team has access to in the event that CSM dies for some reason and you need to reach a sensor.
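As an added illustration of steps 2 and 3 above, and of the per-sensor local accounts the earlier reply describes, here is the sensor-side CLI as the editor knows it for IPS 6.x. This is not part of any post in this thread. The account name csm-svc and the addresses 10.10.1.20 (CSM), 10.10.1.21 (MARS) and 10.10.1.30 (IDS-team jump host) are hypothetical placeholders; lines starting with "!" are annotations, not commands.

```text
! Added example, not from the thread. Step 2: a dedicated "process account" that CSM
! logs in with (Security Manager Device Credentials). This is a local account, so it
! has to be created on every sensor; it is not pushed by CSM.
sensor# configure terminal
sensor(config)# username csm-svc password <long-random-passphrase> privilege administrator

! Step 3: restrict management access (SSH/HTTPS) to named hosts only. Hypothetical
! addresses: CSM, MARS, and a jump host the IDS team can still use if CSM is down.
! Check that the host you are connected FROM is in this list before you apply, or
! you lock yourself out of the sensor.
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# access-list 10.10.1.20/32
sensor(config-hos-net)# access-list 10.10.1.21/32
sensor(config-hos-net)# access-list 10.10.1.30/32
sensor(config-hos-net)# show settings
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes
```

Use "show settings" inside network-settings to confirm no broad entry (for example a whole subnet left over from initial setup) is still present alongside the host entries, and remove any such entry with "no access-list <entry>" before applying. Because the process account is local and shared by whoever can drive CSM, treat it like any other service credential: a long passphrase, stored only in CSM, and rotated when someone with CSM access leaves the team. Attribution of individual changes then comes from the CSM/ACS side (who logged in to CSM), not from the sensor's own log.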
06-03-2008 06:08 AM
So do you create a 'dummy' entry for the IPS in ACS?
06-03-2008 08:10 AM
You configure CSM to use AAA/ACS for access by users. You add sensors into CSM using the normal process (this won't have anything to do with AAA or Cisco ACS).
06-03-2008 08:36 AM
I'm getting a 'Device Not Authorized' / 'The device is not in the Cisco Secure ACS' error, but this could be because the device is running 6.1, and I just read CSM 3.2 doesn't support 6.1 yet.