Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 4 Setting Up the Sensor
Configuring Authentication and User Parameters
Caution: Do not add multiple Cisco av-pairs with the same key. You should have only one instance of ips-role=value. Make sure the key and the value are correct or the feature may not work as expected. For example, do not use the following configuration:

    ips-role= administer
    ips-role=ad

local-fallback {enabled | disabled}—Lets you default to local authentication if the RADIUS servers are not responding. The default is enabled.

primary-server—Lets you configure the main RADIUS server:
    server-address—IP address of the RADIUS server.
    server-port—Port of the RADIUS server. If not specified, the default RADIUS port is used.
    timeout (seconds)—Specifies the number of seconds the sensor waits for a response from a RADIUS server before it considers the server to be unresponsive.
    shared-secret—The secret value configured on the RADIUS server. You must obtain the secret value of the RADIUS server to enter with the shared-secret command.
        Note: You must have the same secret value configured on both the RADIUS server and the IPS sensor so that the server can authenticate the requests of the client and the client can authenticate the responses of the server.

secondary-server {enabled | disabled} (Optional) Lets you configure a secondary RADIUS server:
    server-address—IP address of the RADIUS server.
    server-port—Port of the RADIUS server. If not specified, the default RADIUS port is used.
    timeout (seconds)—Specifies the number of seconds the sensor waits for a response from a RADIUS server before it considers the server to be unresponsive.
    shared-secret—The secret value configured on the RADIUS server. You must obtain the secret value of the RADIUS server to enter with the shared-secret command.
        Note: You must have the same secret value configured on both the RADIUS server and the IPS sensor so that the server can authenticate the requests of the client and the client can authenticate the responses of the server.

console-authentication—Lets you choose how users connected through the console port are authenticated:
    local—Users connected through the console port are authenticated through local user accounts.
    radius-and-local—Users connected through the console port are authenticated through RADIUS first. If RADIUS fails, local authentication is attempted. This is the default.
    radius—Users connected through the console port are authenticated by RADIUS. If you also have local-fallback enabled, users can also be authenticated through the local user accounts.
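
The Caution above about ips-role av-pairs can be checked before a RADIUS user profile is deployed. The following is an added example, not code from Cisco or from this guide; the function name, the sample av-pairs, and the set of role names (viewer, operator, administrator, service) are assumptions, since this page does not list the valid values.

```python
# Added example (not Cisco code): lint the Cisco av-pairs of a RADIUS user
# profile for the ips-role mistakes named in the Caution.

# Assumption: role names accepted by the sensor; this page does not list them.
ASSUMED_ROLES = {"viewer", "operator", "administrator", "service"}


def lint_ips_role(av_pairs, valid_roles=ASSUMED_ROLES):
    """Return a list of problems with the ips-role entries in av_pairs.

    av_pairs holds the raw "key=value" strings configured for one user.
    Other av-pairs are ignored; an empty result means nothing was flagged.
    """
    problems = []
    seen = 0
    for raw in av_pairs:
        key, sep, value = raw.partition("=")
        if key.strip().lower() != "ips-role":
            continue  # a different av-pair
        seen += 1
        if not sep:
            problems.append(f"{raw!r}: missing '=' and value")
            continue
        if key != "ips-role":
            # Strict check (assumption): any case or spacing variation is flagged.
            problems.append(f"{raw!r}: key is not exactly 'ips-role'")
        if value != value.strip():
            problems.append(f"{raw!r}: whitespace around the value")
        if value.strip() not in valid_roles:
            problems.append(f"{raw!r}: unknown role {value.strip()!r}")
    if seen > 1:
        problems.append(f"{seen} ips-role av-pairs found; only one is allowed")
    return problems


if __name__ == "__main__":
    # Constructed sample profiles; the first is the Caution's own bad example.
    profiles = {
        "caution-example": ["ips-role= administer", "ips-role=ad"],
        "single-role": ["shell:priv-lvl=15", "ips-role=operator"],
    }
    for name, pairs in profiles.items():
        for problem in lint_ips_role(pairs) or ["ok"]:
            print(f"{name}: {problem}")
```

Run against the Caution's configuration, the check reports the stray space, both unrecognized values, and the duplicate key.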