I've integrated CSM v3.3.1 into ACS v4.1.4 within Common Services/AAA Setup and set up a Bulk Import of Devices from ACS into Common Services. I have also set up default device credentials.
This seems to be working fine, in that I can login to CSM using credentials from ACS and the CSM Device and Credentials list shows all my network devices imported from ACS.
Again I've logged into the CSM Client using credentials from ACS but I don't seem to be able to "Add Devices From DCR", the only option I have is to import from an export file from DCR. The problem here is that the export file contains all the default device credentials which I don't want users to know.
Have I missed something?
Based on the User Guide I'm expecting there to be an "Add Devices From DCR Wizard".
I was reading the CSM 3.1 User Guide which I'd downloaded in the past, assuming that Cisco wouldn't remove a feature in a later release, just add/improve/fix features.
Obviously not; having downloaded the CSM 3.3 User Guide, it is obvious that the "Add Devices from DCR" option has been replaced with "Add Devices from File".
To double-check this I've done a clean install of CSM 3.1 and the different outputs from the client showing the change are attached.
The function does still exist in Performance Monitor, however...
Therefore the only options are to either:
Export the devices/credentials from DCR and import into CSM
Means that people with access to the server (e.g. IT Department) have potential access to the export files containing master device credentials of firewalls, which obviously is no use in a secure environment.
Have the firewall/security administrators manually add each device to CSM supplying necessary credentials
This is OK to an extent, except that we are trying to maintain a secure environment with "role separation" and traceable named accounts, hence the integration to ACS.
Rather than being able to set a complex "default credential" once which would then be destroyed/forgotten, this now means that the Firewall/Security administrator needs to know the master/generic admin account which is used by CSM to access the devices, which he/she could use instead of their named ACS account!
None of this is very "secure" for a supposed security product.
Is there a way to reinstate the "Add Devices from DCR" option in client versions CSM 3.2+?
Is there a way to set "default credentials" in CSM like you can in Common Services, so that administrators don't need to know them (e.g. have them written down) so they can be set each time a device is added?