Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 3 Setting Up the Sensor
Configuring Authentication and User Parameters
Status Events
As part of the packet command restriction option, status events are triggered for the following actions:
• When an administrator enables or disables the packet command restriction.
• When an authorized user executes any of the restricted commands.
• When an unauthorized user executes any of the restricted commands.
To enable or disable the packet command restriction, follow these steps:
Step 1  Log in to the sensor using an account with administrator privileges.
Step 2  Enter authentication submode.
sensor# configure terminal
sensor(config)# service authentication
sensor(config-aut)#
Step 3  Allow AAA RADIUS users with the correct av-pair (permit-packet-logging=true) and local users with the correct privilege levels to execute all packet capture/display and IP log commands.
sensor(config-aut)# permit-packet-logging true
Note  Existing CLI sessions are not affected by changes to the restriction settings.
Step 4  Check your new setting.
sensor(config-aut)# show settings
attemptLimit: 0 <defaulted>
password-strength
-----------------------------------------------
size: 8-64 <defaulted>
digits-min: 0 <defaulted>
uppercase-min: 0 <defaulted>
lowercase-min: 0 <defaulted>
other-min: 0 <defaulted>
number-old-passwords: 0 <defaulted>
-----------------------------------------------
permit-packet-logging: true default: true
cli-inactivity-timeout: 0 <defaulted>
sensor(config-aut)#
Step 5  Restrict all users from executing packet capture/display and IP log commands.
sensor(config-aut)# permit-packet-logging false
Step 6  Check your new setting.
sensor(config-aut)# show settings
attemptLimit: 0 <defaulted>
password-strength
-----------------------------------------------
size: 8-64 <defaulted>
digits-min: 0 <defaulted>
uppercase-min: 0 <defaulted>
lowercase-min: 0 <defaulted>
other-min: 0 <defaulted>
number-old-passwords: 0 <defaulted>
-----------------------------------------------
permit-packet-logging: false default: true
cli-inactivity-timeout: 0 <defaulted>
sensor(config-aut)#
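The following is an added example, not part of the Cisco guide: a small Python check that parses saved "show settings" output from the authentication submode and reports whether permit-packet-logging matches a baseline. The sample capture is constructed (abbreviated from the output in Steps 4 and 6), and the baseline value "false" is an assumed site policy.

```python
import re

# Constructed sample modelled on the "show settings" output in Steps 4 and 6;
# {ppl} is filled with the permit-packet-logging line under test.
TEMPLATE = """sensor(config-aut)# show settings
attemptLimit: 0 <defaulted>
password-strength
-----------------------------------------------
size: 8-64 <defaulted>
digits-min: 0 <defaulted>
number-old-passwords: 0 <defaulted>
-----------------------------------------------
permit-packet-logging: {ppl}
cli-inactivity-timeout: 0 <defaulted>
sensor(config-aut)#
"""
STEP4 = TEMPLATE.format(ppl="true default: true")
STEP6 = TEMPLATE.format(ppl="false default: true")

# "key: value", optionally followed by "<defaulted>" or "default: X".
LINE_RE = re.compile(
    r"^\s*([\w-]+):\s+(\S+)(?:\s+(?:(<defaulted>)|default:\s+(\S+)))?\s*$")


def parse_settings(text):
    """Map each setting to (value, default); prompts, section names and rules are skipped."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key, value, defaulted, default = m.groups()
            settings[key] = (value, value if defaulted else default)
    return settings


def audit_packet_logging(text, expected="false"):
    """Compare permit-packet-logging with the baseline (assumed policy: restricted)."""
    entry = parse_settings(text).get("permit-packet-logging")
    if entry is None:
        return "UNKNOWN: permit-packet-logging not present in captured output"
    value, default = entry
    if value != expected:
        return f"FINDING: permit-packet-logging is {value} (default {default}), expected {expected}"
    return f"OK: permit-packet-logging is {value} (default {default})"


if __name__ == "__main__":
    for name, capture in (("Step 4", STEP4), ("Step 6", STEP6)):
        print(name, "->", audit_packet_logging(capture))
```

Because the setting defaults to true, a sensor where this option was never configured is reported as a finding against the assumed baseline.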