
Is AAA possible for IPS?

dehghan
Level 1

Hi

Is it possible to configure AAA with Cisco IPS and CSACS?

thanks

6 Replies

mhellman
Level 7

Not directly, no. The best you can do today is to use Cisco Security Manager (CSM) to manage your sensors and configure AAA in CSM.

I just got bitten by this. CSM has the option (Tools-> Security Manager Administration -> Device Communication) to use "Security Manager Device Credentials" or "Security Manager User Login Credentials". The former will use whatever account info you configured when you added the device, and the latter will use whatever username is currently doing the config changes via CSM.

The latter option is preferable when you're in an ACS / AAA environment, because then TACACS+/RADIUS account logs will show the user that actually made the modifications.

I tried to switch to that option, but since the IPS devices don't support AAA, CSM choked and couldn't complete the update.

As far as I can tell the change affects all CSM-managed devices; you can't change it on a per-device basis. So to get this to work I'd have to have every user that manages IPS devices log in to each IPS sensor (two dozen+) and create a local username/pass that matches their current login creds.

CSM doesn't support configuring AAA on IPS sensors, since the sensors themselves don't support it. Everything is local. Other posts here seem to claim "well, your IPS sensors are -supposed- to be secure" but I don't buy it. Having multiple, independent local accounts spread out over dozens of sensors seems LESS secure.

That jibes with my understanding. The sensors don't support AAA and the addition of CSM doesn't change that.

The best you can probably do is:

1) configure AAA in CSM

2) configure CSM to use a "process account" for logging into the sensors (i.e. "security manager device creds")

3) configure the sensors to ONLY allow connections from specific IP addresses (like CSM and MARS).

The last step is big...if you can do it. You might want to add a trusted server that only the IDS team has access to in the event that CSM dies for some reason and you need to reach a sensor.
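Steps 2 and 3 of the workaround above as they look on the sensor itself, added here as an illustration and not text from the poster. On an IPS 6.x sensor the list of hosts allowed to manage the sensor lives under service host > network-settings, and the "process account" CSM logs in with is just a local user. The addresses (10.1.1.10 for CSM, 10.1.1.11 for MARS, 10.1.1.50 for the IDS team's jump host), the existing broad entry being removed, and the account name are placeholders assumed for the example; lines beginning with `!` are annotations, not sensor commands.

```text
! Added example, not from the original thread. Substitute your own
! addresses, account name and password.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
! Step 3: remove the broad entry created at setup time (assumed here
! to be a whole /8) and allow only the hosts that must reach the sensor.
sensor(config-hos-net)# no access-list 10.0.0.0/8
sensor(config-hos-net)# access-list 10.1.1.10/32
sensor(config-hos-net)# access-list 10.1.1.11/32
sensor(config-hos-net)# access-list 10.1.1.50/32
sensor(config-hos-net)# exit
! Confirm the resulting list before applying.
sensor(config-hos)# show settings
sensor(config-hos)# exit
Apply Changes?[yes]: yes
! Step 2: a dedicated local account for CSM, entered in CSM as the
! "Security Manager Device Credentials".
sensor(config)# username csm-process password <strong-password> privilege administrator
sensor(config)# exit
```

The 10.1.1.50/32 entry is the "trusted server" mentioned above: without it, losing CSM would also lose your only allowed path to the sensor. Since every human change then arrives from CSM under the csm-process account, the per-user audit trail lives in the CSM/ACS logs rather than on the sensor.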

So do you create a 'dummy' entry for the IPS in ACS?

You configure CSM to use AAA/ACS for access by users. You add sensors into CSM using the normal process (this won't have anything to do with AAA or Cisco ACS).

I'm getting a 'Device Not Authorized' / 'The device is not in the Cisco Secure ACS' error, but this could be because the device is running 6.1, and I just read CSM 3.2 doesn't support 6.1 yet.
