Integrated CSM + ACS - DCR Device Wizard

Mike Bailey
Level 1

Hi there,

I've integrated CSM v3.3.1 into ACS v4.1.4 within Common Services/AAA Setup and set up a Bulk Import of Devices from ACS into Common Services. I have also set up default device credentials.


This seems to be working fine, in that I can log in to CSM using credentials from ACS and the CSM Device and Credentials list shows all my network devices imported from ACS.

Again I've logged into the CSM Client using credentials from ACS but I don't seem to be able to "Add Devices From DCR"; the only option I have is to import from an export file from DCR. The problem here is that the export file contains all the default device credentials which I don't want users to know.

Have I missed something?

Based on the User Guide I'm expecting there to be an "Add Devices From DCR Wizard".

Thanks
Michael

1 Reply

Mike Bailey
Level 1

OK,

I have got to the bottom of this now.

I was reading the CSM 3.1 User Guide which I'd downloaded in the past, assuming that Cisco wouldn't remove a feature in a later release, just add/improve/fix features.

Obviously not; having downloaded the CSM 3.3 User Guide, it is obvious that the "Add Devices from DCR" option has been replaced with "Add Devices from File".

To double-check this I've done a clean install of CSM 3.1 and the different outputs from the client showing the change are attached.


The function does still exist in Performance Monitor, however...

Therefore the only options are to either:

  • Export the devices/credentials from DCR and import into CSM

This means that people with access to the server (e.g. IT Department) have potential access to the export files containing master device credentials of firewalls, which obviously is no use in a secure environment.

  • Have the firewall/security administrators manually add each device to CSM supplying necessary credentials

This is OK to an extent, except that we are trying to maintain a secure environment with "role separation" and traceable named accounts, hence the integration to ACS.

Rather than being able to set a complex "default credential" once which would then be destroyed/forgotten, this now means that the Firewall/Security administrator needs to know the master/generic admin account which is used by CSM to access the devices, which he/she could use instead of their named ACS account!

None of this is very "secure" for a supposed security product.

Is there a way to reinstate the "Add Devices from DCR" option in client versions CSM 3.2+?

Is there a way to set "default credentials" in CSM like you can in Common Services, so that administrators don't need to know them (e.g. have them written down) so they can be set each time a device is added?

Thanks

Mike
