07-23-2002 08:31 AM - edited 02-21-2020 11:57 AM
Hi all,
We have added TACACS authentication to our Cisco router for both login and enable, and created a user for CSPM to be authenticated at TACACS. I can use the CSPM username and password to be authenticated at TACACS. But when CSPM tries to block an intruder it says the IP address is blocked, but when we looked from the router side we couldn't see any changes on the access-list. We applied a debug for TACACS and saw that CSPM is authenticated by TACACS. But CSPM cannot block a user when we use TACACS for authentication on the router. We added the username and password to CSPM from the blocking device properties section.
Any help will be appreciated.
Best regards,
07-23-2002 09:24 AM
First, realize that CSPM isn't connecting to the router; instead it is configuring the managed process on the sensor to connect to the router.
Steps for verification:
1) View the contents of the Blocking tab in CSPM for that sensor to ensure that you have entered the correct username, telnet password, and enable password.
2) Ensure that you have entered a correctly spelled interface name and direction for an interface on that router. (Also verify that the Pre and Post Block ACL entries are entered.)
3) Verify that the contents of the etc/managed.conf file on the sensor match the entries you made in CSPM. If not then you need to Update and Approve the sensor configuration from within CSPM.
4) Type nrvers and verify that managed is running and reporting a version.
If not, then see if managed is listed in the etc/daemons file; if it is not listed, then try Approving a new config from CSPM.
If listed but managed is not responding to nrvers, then you either have a configuration problem or found a bug we didn't know about.
5) Check the contents of the var/errors.managed file and see if any errors are being reported.
6) Execute "show run" on the router. You should see an IDS_.. ACL for each interface/direction being managed by managed.
7) Execute a block through the CSPM Event Viewer, and then run "show run" again and see if the ACL was updated with a deny line for the designated IP address.
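Steps 6 and 7 above are a manual check of "show run". The script below is an added example (not code from the thread, from Cisco or from the sensor software) that does the same check on a saved copy of the running-config: it lists every ACL whose name starts with IDS_, where each one is applied (interface and direction), and whether a given host has a deny line in an applied ACL. The config excerpt, the router name, the addresses and the ACL names (IDS_Ethernet0_in_0, IDS_Ethernet1_out_0) are constructed for the example; only the IDS_ prefix and the deny line for the blocked host come from the posts.

```python
"""Verify the IDS_ blocking ACLs in a saved "show run" (steps 6 and 7).

Added example, not code from the thread or from Cisco. The sample config
and the ACL names are constructed; only the IDS_ prefix and the deny line
for the blocked host are taken from the posts above.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed "show run" excerpt: Ethernet0 inbound is managed and has one
# block in place for 203.0.113.9; Ethernet1 references an ACL that was
# never created (the failure case the check should flag).
SAMPLE_SHOW_RUN = """\
hostname border-rtr
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group IDS_Ethernet0_in_0 in
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 ip access-group IDS_Ethernet1_out_0 out
!
ip access-list extended IDS_Ethernet0_in_0
 permit ip host 192.0.2.50 any
 deny ip host 203.0.113.9 any
 permit ip any any
!
end
"""

_ACL_DEF = re.compile(r"^ip access-list (?:standard|extended) (IDS_\S+)")
_ACL_BIND = re.compile(r"^ip access-group (IDS_\S+) (in|out)$")
_DENY_HOST = re.compile(r"^deny \S+ host (\S+)")


@dataclass
class IdsAcl:
    name: str
    defined: bool = False
    denied_hosts: list = field(default_factory=list)
    bindings: list = field(default_factory=list)  # (interface, direction)


def parse_ids_acls(show_run):
    """Return {acl_name: IdsAcl} for every IDS_ ACL that is defined or applied."""
    acls = {}
    current_if = None
    current_acl = None
    for raw in show_run.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            # A top-level line ends whatever interface or ACL block we were in.
            current_if = current_acl = None
            if raw.startswith("interface "):
                current_if = raw.split(None, 1)[1]
            elif m := _ACL_DEF.match(raw):
                current_acl = acls.setdefault(m.group(1), IdsAcl(m.group(1)))
                current_acl.defined = True
            continue
        if current_if and (m := _ACL_BIND.match(line)):
            # Named ACLs usually appear after the interfaces in show run,
            # so record the binding now and merge with the definition later.
            acl = acls.setdefault(m.group(1), IdsAcl(m.group(1)))
            acl.bindings.append((current_if, m.group(2)))
        elif current_acl and (m := _DENY_HOST.match(line)):
            current_acl.denied_hosts.append(str(ipaddress.ip_address(m.group(1))))
    return acls


def host_is_blocked(show_run, ip):
    """List (acl, interface, direction) where ip is denied by an applied IDS_ ACL."""
    ip = str(ipaddress.ip_address(ip))
    hits = []
    for acl in parse_ids_acls(show_run).values():
        if ip in acl.denied_hosts:
            hits.extend((acl.name, intf, direction) for intf, direction in acl.bindings)
    return hits


def dangling_bindings(show_run):
    """IDS_ ACL names applied to an interface but never defined in the config."""
    return [acl.name for acl in parse_ids_acls(show_run).values() if not acl.defined]


if __name__ == "__main__":
    for acl in parse_ids_acls(SAMPLE_SHOW_RUN).values():
        print(acl)
    print("blocked on:", host_is_blocked(SAMPLE_SHOW_RUN, "203.0.113.9"))
    print("applied but undefined:", dangling_bindings(SAMPLE_SHOW_RUN))
```

Run it twice, once before and once after issuing the block from the Event Viewer, feeding it the captured "show run" each time; the host should appear in host_is_blocked only on the second run. An ACL name that shows up in dangling_bindings means the interface references an ACL the sensor never wrote, which is where to look before suspecting the block itself.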
07-23-2002 10:13 AM
First, I was wrong when I said CSPM, but you got the point anyway. The blocking works without TACACS, but when we enable TACACS authentication on the router, the IDS can't write to the router.
07-24-2002 11:35 AM
The sensor should be able to connect to the router and perform blocks, even if the router uses TACACS+ authentication. The problem is probably in the sensor config or the router config. Check the error logs for nr.managed on your sensor (look for a file named /usr/nr/var/errors.managed.* ). If the error log contains any entries, they may help you find the cause of the problem. If it is not simply a misspelled username or password, you can open a TAC case.
08-01-2002 08:08 AM
Have you checked the 'Failed Attempts' under the 'Reports and Activity' button on the ACS server? The user may be able to authenticate to the router but not have the authorization to go into config mode to create and apply an ACL.
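The distinction this reply draws, a user who passes authentication but is refused authorization for config-mode commands, is exactly what the Failed Attempts report separates. The script below is an added example (not code from the thread or from Cisco) that reads rows exported from that report and sorts one user's failures into authentication versus authorization, reconstructing the commands that were denied. The column layout (Message-Type, User-Name, Authen-Failure-Code, Author-Failure-Code, Author-Data, NAS-IP-Address) is assumed to follow the ACS CSV report; the rows, the sensor user "ids-block", the router address 192.0.2.1 and the Author-Data attribute format are constructed for the example.

```python
"""Sort ACS "Failed Attempts" rows into authentication and authorization failures.

Added example, not from the thread or from Cisco. The CSV column names are
assumed to match the ACS report export; the rows, the user "ids-block",
the router 192.0.2.1 and the "service=... cmd=... cmd-arg=..." attribute
format in Author-Data are constructed for the example.
"""
import csv
from io import StringIO

SAMPLE_FAILED_ATTEMPTS = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-IP-Address
07/23/2002,10:41:02,Authen failed,ids-block,Default Group,,CS password invalid,,,192.0.2.1
07/23/2002,10:43:17,Author failed,ids-block,Default Group,,,Command denied,service=shell cmd=configure cmd-arg=terminal,192.0.2.1
07/23/2002,10:43:18,Author failed,ids-block,Default Group,,,Command denied,service=shell cmd=ip cmd-arg=access-list,192.0.2.1
07/23/2002,10:50:00,Authen failed,jdoe,Default Group,,CS password invalid,,,192.0.2.1
"""


def parse_failed_attempts(text):
    """Rows of the report as dicts keyed by the header line."""
    return list(csv.DictReader(StringIO(text)))


def failures_for_user(rows, user, nas_ip=None):
    """Return {"authen": [codes], "author": [(code, data)]} for one user,
    optionally restricted to the router (NAS) that asked ACS."""
    out = {"authen": [], "author": []}
    for row in rows:
        if row["User-Name"] != user:
            continue
        if nas_ip and row["NAS-IP-Address"] != nas_ip:
            continue
        if row["Message-Type"] == "Authen failed":
            out["authen"].append(row["Authen-Failure-Code"])
        elif row["Message-Type"] == "Author failed":
            out["author"].append((row["Author-Failure-Code"], row["Author-Data"]))
    return out


def denied_commands(rows, user, nas_ip=None):
    """Commands ACS refused for the user, rebuilt from cmd and cmd-arg in Author-Data."""
    cmds = []
    for _code, data in failures_for_user(rows, user, nas_ip)["author"]:
        attrs = dict(item.split("=", 1) for item in data.split() if "=" in item)
        if "cmd" in attrs:
            cmds.append(" ".join(part for part in (attrs["cmd"], attrs.get("cmd-arg", "")) if part))
    return cmds


def latest_failure(rows, user, nas_ip):
    """The most recent failure for user on nas_ip: ("authen", code),
    ("author", code, data), or None. Rows are assumed to be in report order,
    so an old password typo does not mask a current authorization denial."""
    last = None
    for row in rows:
        if row["User-Name"] != user or row["NAS-IP-Address"] != nas_ip:
            continue
        if row["Message-Type"] == "Authen failed":
            last = ("authen", row["Authen-Failure-Code"])
        elif row["Message-Type"] == "Author failed":
            last = ("author", row["Author-Failure-Code"], row["Author-Data"])
    return last


if __name__ == "__main__":
    rows = parse_failed_attempts(SAMPLE_FAILED_ATTEMPTS)
    print(failures_for_user(rows, "ids-block", "192.0.2.1"))
    print("denied commands:", denied_commands(rows, "ids-block"))
    print("latest:", latest_failure(rows, "ids-block", "192.0.2.1"))
```

If latest_failure comes back as "author" for the sensor's user while the router's TACACS debug shows the login succeeding, the fix is on the ACS side (the user or group must be permitted the commands listed by denied_commands), not in the sensor's username or password.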