4-25
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 4 Setting Up the Sensor
Configuring Authentication and User Parameters
The following options apply:
• permit-packet-logging true—Allows users to execute packet-related commands based on privilege level.
• permit-packet-logging false—Restricts all users from executing any packet-related commands.
AAA RADIUS Users
AAA RADIUS users with the correct av-pair are authorized to execute packet capture/display and IP logging commands. RADIUS users with no av-pair value are restricted. The correct av-pair, permit-packet-logging=true, allows users to execute packet-related commands based on privilege level. This av-pair is in addition to the authentication role related av-pair:
• ips-role=viewer
• ips-role=operator
• ips-role=administrator
• ips-role=service
Status Events
As part of the packet command restriction option, status events are triggered for the following actions:
• When an administrator enables or disables the packet command restriction.
• When an authorized user executes any of the restricted commands.
• When an unauthorized user executes any of the restricted commands.
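The authorization rule above (sensor-wide permit-packet-logging setting, the RADIUS permit-packet-logging=true av-pair on top of the ips-role av-pair, local users gated by privilege level, and a status event for each outcome) is modelled below in Python as an added example. It is not Cisco code and does not run on the sensor; it is a reference model a defender can use to reason about who gets packet-command access and which status events to expect. The set of roles counted as the "correct privilege level" for local users, the command names, and the event wording are assumptions, since the page does not specify them. It also models the Note in the procedure below: a session snapshots the setting at login, so changing the restriction does not affect sessions that already exist.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_ROLES = {"viewer", "operator", "administrator", "service"}
# ASSUMPTION: the page says local users need the "correct privilege levels"
# but does not list them; this placeholder treats operator and administrator
# as packet-capable. Replace with the real policy when known.
PACKET_CAPABLE_ROLES = {"operator", "administrator"}
# Constructed tokens standing in for the packet capture/display and IP log commands.
PACKET_COMMANDS = {"packet capture", "packet display", "iplog"}


def parse_av_pairs(attrs: List[str]) -> Dict[str, str]:
    """Turn RADIUS attribute strings such as 'ips-role=operator' into a dict.
    Entries without '=' are not av-pairs and are ignored rather than raising."""
    pairs: Dict[str, str] = {}
    for attr in attrs:
        key, sep, value = attr.partition("=")
        if not sep:
            continue
        pairs[key.strip().lower()] = value.strip().lower()
    return pairs


@dataclass
class User:
    name: str
    source: str  # "local" or "radius"
    role: str
    av_pairs: Dict[str, str] = field(default_factory=dict)


def radius_user(name: str, attrs: List[str]) -> Optional[User]:
    """Build a RADIUS user from returned av-pairs; None if no valid ips-role."""
    av = parse_av_pairs(attrs)
    role = av.get("ips-role")
    if role not in VALID_ROLES:
        return None
    return User(name, "radius", role, av)


@dataclass
class Session:
    user: User
    permit_packet_logging: bool  # snapshot taken at login, per the Note


@dataclass
class Sensor:
    permit_packet_logging: bool = True  # page: default is true
    status_events: List[str] = field(default_factory=list)

    def login(self, user: User) -> Session:
        return Session(user, self.permit_packet_logging)

    def set_permit_packet_logging(self, admin: Session, value: bool) -> bool:
        """Only an administrator may change the setting; emits a status event.
        permit-packet-logging false means the restriction is enabled."""
        if admin.user.role != "administrator":
            return False
        self.permit_packet_logging = value
        state = "disabled" if value else "enabled"
        self.status_events.append(
            f"{admin.user.name} {state} packet command restriction")
        return True

    def authorize(self, session: Session, command: str) -> bool:
        """Decide whether a packet-related command may run in this session.
        Non-packet commands are outside this model and pass through."""
        if command not in PACKET_COMMANDS:
            return True
        user = session.user
        if not session.permit_packet_logging:
            allowed = False  # restriction enabled: nobody may run them
        elif user.source == "radius":
            # RADIUS: av-pair required, then privilege level still applies
            allowed = (user.av_pairs.get("permit-packet-logging") == "true"
                       and user.role in PACKET_CAPABLE_ROLES)
        else:
            allowed = user.role in PACKET_CAPABLE_ROLES
        who = "authorized" if allowed else "unauthorized"
        self.status_events.append(f"{who} user {user.name} executed {command!r}")
        return allowed


if __name__ == "__main__":
    sensor = Sensor()
    admin = sensor.login(User("admin", "local", "administrator"))
    alice = radius_user("alice", ["ips-role=operator", "permit-packet-logging=true"])
    carol = radius_user("carol", ["ips-role=operator"])  # no av-pair: restricted
    s_alice, s_carol = sensor.login(alice), sensor.login(carol)
    print(sensor.authorize(s_alice, "packet capture"))  # existing session
    print(sensor.authorize(s_carol, "packet capture"))
    sensor.set_permit_packet_logging(admin, False)
    print(sensor.authorize(s_alice, "packet capture"))  # unchanged: old session
    print(sensor.authorize(sensor.login(alice), "packet capture"))  # new session
    print("\n".join(sensor.status_events))
```

The status_events list is the part worth watching operationally: every enable/disable of the restriction and every attempted packet command, authorized or not, produces an event, so an "unauthorized user ... executed" entry is the signal that someone without the av-pair or privilege level is probing for packet capture.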
To permit or restrict packet command restrictions, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter authentication submode.
sensor# configure terminal
sensor(config)# service authentication
sensor(config-aut)#
Step 3 Allow AAA RADIUS users with the correct av-pair (permit-packet-logging=true) and local users with the correct privilege levels to execute all packet capture/display and IP log commands.
sensor(config-aut)# permit-packet-logging true
Note Existing CLI sessions are not affected by the changes made in restriction settings.
Step 4 Check your new setting.
sensor(config-aut)# show settings
attemptLimit: 0 <defaulted>
password-strength
-----------------------------------------------
size: 8-64 <defaulted>
digits-min: 0 <defaulted>
uppercase-min: 0 <defaulted>
lowercase-min: 0 <defaulted>
other-min: 0 <defaulted>
number-old-passwords: 0 <defaulted>
-----------------------------------------------
permit-packet-logging: true default: true
cli-inactivity-timeout: 0 <defaulted>