×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

4210 with Tacacs

Unanswered Question
Jul 23rd, 2002
User Badges:

Hi all,


We have added our cisco router a tacacs authentication for both login and enable. And created a user for cspm to be authenticated at tacacs. I can use the cspm username and password to be authenticated at tacacs. But when Cspm try to block an intruder it says the ip address is blocked but when we looked from the router side we couldn't see any changes on the access-list. We applied a debug for tacacs and saw that cspm is authenticated from tacacs. But cspm can not block a user when we use tacacs for authentication on the router. we added username and passowrd to cspm from the blocking device properties section.


Any help will be appreciated.


Best regards,



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
marcabal Tue, 07/23/2002 - 09:24
User Badges:
  • Cisco Employee,

First realize that CSPM isn't connecting to the router, instead it is configuring the managed process on the sensor to connect to the router.


Steps for verification:


1) View the contents of the Blocking tab in CSPM for that sensor to ensure that you have entered the correct username, telnet password, and enable password.


2) Ensure that you have entered a correctly spelled interface name and direction for an interface on that router. (Also verify the Pre and Post Block ACL entries is entered)


3) Verify that the contents of the etc/managed.conf file on the sensor match the entries you made in CSPM. If not then you need to Update and Approve the sensor configuration from within CSPM.


4) Type nrvers and verify that managed is running and reporting a version.

If not then see if managed is listed in the etc/daemons file, if it is not listed then try Approving a new config from CSPM.

If listed but managed is not responding to nrvers then you either have a configuration problem or foudn a bug we didn't know about.


5) Check the contents of the var/errors.managed file and see if any errors are being reported.


6) Execute "show run" on the router. You should see an IDS_.. ACL for each interface/direction being managed by managed.


7) Execute a block through the CSPM Event Viewer, and then run "show run" again and see if the ACL was updated with a deny line for the designated ip address.


btimuralp Tue, 07/23/2002 - 10:13
User Badges:

First I was wrong when I said CSPM but you got the point anyway. The blocking works without the tacacs but when we enable tacacs authentication on the router, IDS can't write to router.

stleary Wed, 07/24/2002 - 11:35
User Badges:
  • Cisco Employee,

The sensor should be able to connect to the router and perform

blocks, even if the router uses TACACS+ authentication. The

problem is probably in the sensor config or the router config.

Check the error logs for nr.managed on your sensor (look for

a file named /usr/nr/var/errors.managed.* ). If the error log

contains any entries, they may help you find the cause of the

problem. If it is not simply a misspelled username or

password, you can open a TAC case.

bstillman Thu, 08/01/2002 - 08:08
User Badges:

Have you checked the 'Failed Attempts' under the 'Reports and Activity' button on the ACS server?? The user may be able to authenticate to the router but doesn't have the authorization to go into config mode to create and apply an ACL.

Actions

This Discussion