4210 with Tacacs

btimuralp
Level 1

Hi all,

We have added TACACS authentication to our Cisco router for both login and enable, and created a user for CSPM to be authenticated at TACACS. I can use the CSPM username and password to be authenticated at TACACS. But when CSPM tries to block an intruder it says the IP address is blocked, but when we looked from the router side we couldn't see any changes on the access-list. We applied a debug for TACACS and saw that CSPM is authenticated from TACACS. But CSPM cannot block a user when we use TACACS for authentication on the router. We added the username and password to CSPM from the blocking device properties section.

Any help will be appreciated.

Best regards,

4 Replies

marcabal
Cisco Employee

First realize that CSPM isn't connecting to the router, instead it is configuring the managed process on the sensor to connect to the router.

Steps for verification:

1) View the contents of the Blocking tab in CSPM for that sensor to ensure that you have entered the correct username, telnet password, and enable password.

2) Ensure that you have entered a correctly spelled interface name and direction for an interface on that router. (Also verify that the Pre and Post Block ACL entries are entered.)

3) Verify that the contents of the etc/managed.conf file on the sensor match the entries you made in CSPM. If not then you need to Update and Approve the sensor configuration from within CSPM.

4) Type nrvers and verify that managed is running and reporting a version.

If not then see if managed is listed in the etc/daemons file, if it is not listed then try Approving a new config from CSPM.

If listed but managed is not responding to nrvers, then you either have a configuration problem or found a bug we didn't know about.

5) Check the contents of the var/errors.managed file and see if any errors are being reported.

6) Execute "show run" on the router. You should see an IDS_.. ACL for each interface/direction being managed by managed.

7) Execute a block through the CSPM Event Viewer, and then run "show run" again and see if the ACL was updated with a deny line for the designated ip address.
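One way to automate the check in steps 6 and 7 above: parse two "show run" captures (before and after issuing the block) and report whether any IDS_ ACL gained a deny for the blocked host. This is an added example, not code from the thread or from the sensor; the ACL name, interface and addresses are constructed, and the real IDS_ name is whatever the sensor creates.

```python
import re
from typing import Dict, List

# Constructed "show run" excerpt (not real router output). The sensor's actual
# ACL name differs; only the "IDS_" prefix is taken from the discussion above.
SHOW_RUN_BEFORE = """\
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group IDS_Ethernet0_in_0 in
!
ip access-list extended IDS_Ethernet0_in_0
 permit ip host 192.0.2.50 any
 permit ip any any
!
"""

# Constructed "after" capture: the same config with one deny line added,
# which is what a successful block should look like.
SHOW_RUN_AFTER = SHOW_RUN_BEFORE.replace(
    "ip access-list extended IDS_Ethernet0_in_0\n",
    "ip access-list extended IDS_Ethernet0_in_0\n deny ip host 198.51.100.7 any\n",
)

ACL_HEADER = re.compile(r"^ip access-list (?:extended|standard) (IDS_\S+)")


def ids_acls(show_run: str) -> Dict[str, List[str]]:
    """Return {acl_name: [entry, ...]} for every IDS_ named ACL in a show run dump."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in show_run.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):
            acls[current].append(line.strip())   # indented lines are ACL entries
        else:
            current = None                        # any unindented line ends the ACL body
    return acls


def is_blocked(show_run: str, ip: str) -> List[str]:
    """Names of IDS_ ACLs carrying a host deny for `ip`; empty means the block never reached the router."""
    want = f"deny ip host {ip} any"
    return [name for name, entries in ids_acls(show_run).items() if want in entries]


if __name__ == "__main__":
    print(is_blocked(SHOW_RUN_BEFORE, "198.51.100.7"))  # []
    print(is_blocked(SHOW_RUN_AFTER, "198.51.100.7"))   # ['IDS_Ethernet0_in_0']
```

An empty result from the "after" capture, together with a successful TACACS authentication in the debug output, points at the sensor's managed configuration or at router-side authorization rather than at the credentials.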

First, I was wrong when I said CSPM, but you got the point anyway. The blocking works without TACACS, but when we enable TACACS authentication on the router, the IDS can't write to the router.

stleary
Cisco Employee

The sensor should be able to connect to the router and perform blocks, even if the router uses TACACS+ authentication. The problem is probably in the sensor config or the router config. Check the error logs for nr.managed on your sensor (look for a file named /usr/nr/var/errors.managed.* ). If the error log contains any entries, they may help you find the cause of the problem. If it is not simply a misspelled username or password, you can open a TAC case.

Have you checked the 'Failed Attempts' under the 'Reports and Activity' button on the ACS server? The user may be able to authenticate to the router but not have the authorization to go into config mode to create and apply an ACL.
