Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Integrated CSM + ACS - DCR Device Wizard

Hi there,

I've integrated CSM v3.3.1 into ACS v4.1.4 within Common Services/AAA Setup and setup a Bulk Import of Devices from ACS into Common Services.  Have also setup default device credentials.


This seems to be working fine, in that I can login to CSM using credentials from ACS and the CSM Device and Credentials list shows all my network devices imported from ACS.

Again I've logged into the CSM Client using credentials from ACS but I don't seem to be able to "Add Devices From DCR", the only option I have is to import from an export file from DCR.   The problem here is that the export file contains all the default device credentials which I don't want users to know.

Have I missed something?

BAsed on the User Guide I'm expecting there to be an "Add Devices From DCR Wizard".

Thanks
Michael

1 REPLY
New Member

Re: Integrated CSM + ACS - DCR Device Wizard

OK,

I have got to the bottom of this now.

I was reading the CSM 3.1 User Guide which I'd downloaded in the past, assuming that Cisco wouldn't remove a feature in a later release, just add/improve/fix features.

Obviously not, having downloaded the CSM 3.3 User Guide it is obvious that the "Add Devices from DCR" option has been replaced with "Add Devices from File".

To double-check this I've done a clean install of CSM 3.1 and the different outputs from the client showing the change are attached.


The function does still exist in Performance Monitor however.....

Therefore the only options are to either:

  • Export the devices/credentials from DCR and import into CSM

Means that people with access to the server (e.g. IT Department) have potential access to the export files containing master device credentials of firewalls which obviously is no use in a secure environment 

  • Have the firewall/security administrators manually add each device to CSM supplying necessary credentials

This is OK to an extent, except that we are trying to maintain a secure environment with "role seperation" and traceable named accounts, hence the integration to ACS.

Rather than being able to set a complex "default credential" once which would then be destroyed/forgotton, this now means that the Firewall/Security administrator needs to know the master/generic admin account which is used by CSM to access the devices, which he/she could use instead of their named ACS account!

None of this is very "secure" for a supposed security product

Is there a way to re-instate the "Add Devices from DCR" option in client versions CSM 3.2+ ?

Is there a way to set "default credentials" in CSM like you can in Common Services, so that administrators don't need to know them (e.g. have them written down) so they can be set each time a device is added ?

Thanks

Mike

607
Views
0
Helpful
1
Replies