Cisco Support Community

New Member

Is AAA possible for IPS?

Hi

Is it possible to configure AAA with Cisco IPS and CSACS?

thanks

6 REPLIES
Gold

Re: Is AAA possible for IPS?

Not directly, no. The best you can do today is to use Cisco Security Manager (CSM) to manage your sensors and configure AAA in CSM.

Bronze

Re: Is AAA possible for IPS?

I just got bitten by this. CSM has the option (Tools-> Security Manager Administration -> Device Communication) to use "Security Manager Device Credentials" or "Security Manager User Login Credentials". The former will use whatever account info you configured when you added the device, and the latter will use whatever username is currently doing the config changes via CSM.

The latter option is preferable when you're in an ACS / AAA environment, because then TACACS+/RADIUS account logs will show the user that actually made the modifications.

I tried to switch to that option, but since the IPS devices don't support AAA, CSM choked and couldn't complete the update.

As far as I can tell the change affects all CSM-managed devices; you can't change it on a per-device basis. So to get this to work I'd have to have every user that manages IPS devices log in to each IPS sensor (two dozen+) and create a local username/pass that matches their current login creds.

CSM doesn't support configuring AAA on IPS sensors, since the sensors themselves don't support it. Everything is local. Other posts here seem to claim "well, your IPS sensors are -supposed- to be secure" but I don't buy it. Having multiple, independent local accounts spread out over dozens of sensors seems LESS secure.

Gold

Re: Is AAA possible for IPS?

That jives with my understanding. The sensors don't support AAA and the addition of CSM doesn't change that.

The best you can probably do is:

1) configure AAA in CSM

2) configure CSM to use a "process account" for logging into the sensors (i.e. "security manager device creds")

3) configure the sensors to ONLY allow connections from specific IP addresses (like CSM and MARS).

The last step is big...if you can do it. You might want to add a trusted server that only the IDS team has access to in the event that CSM dies for some reason and you need to reach a sensor.
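Added illustration of step 3 above (not part of this thread or of any Cisco documentation): the sensor-side allowed-hosts list entered from the IPS sensor CLI, assuming IPS 6.x CLI syntax, a sensor named `sensor`, and the constructed placeholder addresses 10.0.0.10 (CSM), 10.0.0.11 (MARS) and 10.0.0.20 (the IDS team's jump host used as the fallback the reply recommends).

```text
! Restrict management access to the sensor to named hosts only.
! Addresses are placeholders; replace with your own CSM, MARS and jump host.
sensor# configure terminal
sensor(config)# service host
sensor(config-hos)# network-settings
sensor(config-hos-net)# access-list 10.0.0.10/32
sensor(config-hos-net)# access-list 10.0.0.11/32
sensor(config-hos-net)# access-list 10.0.0.20/32
sensor(config-hos-net)# show settings
sensor(config-hos-net)# exit
sensor(config-hos)# exit
Apply Changes:?[yes]: yes
```

Verify that the list contains only the intended hosts before applying; a sensor whose access list omits the address you are connecting from will drop your own management session, and the CSM "process account" still has to exist as a local user on every sensor because, as noted in the replies above, the sensor itself does no AAA.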

New Member

Re: Is AAA possible for IPS?

So do you create a 'dummy' entry for the IPS in ACS?

Gold

Re: Is AAA possible for IPS?

You configure CSM to use AAA/ACS for access by users. You add sensors into CSM using the normal process (this won't have anything to do with AAA or Cisco ACS).

New Member

Re: Is AAA possible for IPS?

I'm getting a 'Device Not Authorized' / 'The device is not in the Cisco Secure ACS' error, but this could be because the device is running 6.1, and I just read CSM 3.2 doesn't support 6.1 yet.
