Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 4 Setting Up the Sensor
Configuring Authentication and User Parameters
d. Configure a Cisco av pair. If you do not want to configure a default user role on the sensor that is
applied in the absence of a Cisco av pair, you need to configure the Cisco IOS/PIX 6.x RADIUS
Attributes [009\001] cisco-av-pair under the group or user profile with one of the following options:
ips-role=viewer
ips-role=operator
ips-role=administrator
ips-role=service
Note If the sensor is not configured to use a default user role and the sensor user role
information is not in the Accept Message of the CiscoSecure ACS server, the sensor
rejects RADIUS authentication even if the CiscoSecure ACS server accepts the
username and password.
Note The default user role is used only when the user has not been configured with a specific
role on the ACS server. Local users are always configured with a specific role so the
default user role will never apply to locally authenticated users.
Caution Do not add multiple Cisco av-pairs with the same key. You should have only one instance of
ips-role=value. Make sure the key and the value are correct or the feature may not work as expected. For
example, do not use the following configuration:
ips-role= administer
ips-role=ad
e. Configure the sensor to switch over to local authentication if the RADIUS server becomes
unresponsive.
sensor(config-aaa-rad)# local-fallback enabled
sensor(config-aaa-rad)#
Step 6 Configure the primary RADIUS server:
a. Enter primary server submode.
sensor(config-aaa-rad)# primary-server
sensor(config-aaa-rad-pri)#
b. Enter the RADIUS server IP address.
sensor(config-aaa-rad-pri)# server-address 10.1.2.3
sensor(config-aaa-rad-pri)#
c. Enter the RADIUS server port. If not specified, the default RADIUS port is used.
sensor(config-aaa-rad-pri)# server-port 1812
sensor(config-aaa-rad-pri)#
d. Enter the amount of time in seconds you want to wait for the RADIUS server to respond.
sensor(config-aaa-rad-pri)# time-out 5
sensor(config-aaa-rad-pri)#
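
The cisco-av-pair rules from step d (one ips-role pair only, an exact key and value, and rejection when neither a role nor a default user role is present) can be checked before a profile goes live. The following is an added example, not part of the Cisco guide: lint_ips_role and the sample profiles are hypothetical, and treating any flagged profile as "no role" is an assumption, since the guide only says the feature may not work as expected.

```python
# Added example: lint the cisco-av-pair values of an ACS group or user profile
# against the rules stated in step d. It models the documented rules only and
# does not claim to reproduce the sensor's internal parsing.
VALID_ROLES = {"viewer", "operator", "administrator", "service"}  # from step d


def lint_ips_role(av_pairs, default_role=None):
    """Return (effective_role_or_None, findings).

    av_pairs:     cisco-av-pair strings as configured on the RADIUS server.
    default_role: the sensor's default user role, or None if not configured.
    """
    findings, seen = [], []
    for pair in av_pairs:
        key, sep, value = pair.partition("=")
        if key.strip().lower() != "ips-role":
            continue  # unrelated av-pair, not covered by this check
        seen.append(pair)
        if key != "ips-role" or not sep:
            findings.append(f"malformed key in {pair!r}")
        elif value != value.strip():
            findings.append(f"whitespace around value in {pair!r}")
        elif value not in VALID_ROLES:
            findings.append(f"unknown role in {pair!r}")
    if len(seen) > 1:
        findings.append(f"{len(seen)} ips-role pairs; only one is allowed")
    if findings:
        return None, findings  # assumption: a flagged profile yields no role
    if seen:
        return seen[0].partition("=")[2], findings
    if default_role is None:
        findings.append("no ips-role and no default user role: "
                        "sensor rejects the login")
    return default_role, findings


if __name__ == "__main__":
    # Constructed sample profiles, including the guide's "do not use" case.
    samples = {
        "good": ["ips-role=operator"],
        "caution example": ["ips-role= administer", "ips-role=ad"],
        "no role at all": [],
    }
    for name, pairs in samples.items():
        role, problems = lint_ips_role(pairs)
        print(f"{name}: role={role} problems={problems}")
```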