Cisco Systems IPS 7.1 Home Security System User Manual


Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 4 Setting Up the Sensor
Configuring Authentication and User Parameters
The following options apply:
permit-packet-logging true—Allows users to execute packet-related commands based on privilege level.
permit-packet-logging false—Restricts all users from executing any packet-related commands.

AAA RADIUS Users
AAA RADIUS users with the correct av-pair are authorized to execute packet capture/display and IP logging commands. RADIUS users with no av-pair value are restricted. The correct av-pair, permit-packet-logging=true, allows users to execute packet-related commands based on privilege level. This av-pair is in addition to the authentication role-related av-pair:
ips-role=viewer
ips-role=operator
ips-role=administrator
ips-role=service

Status Events
As part of the packet command restriction option, status events are triggered for the following actions:
When an administrator enables or disables the packet command restriction.
When an authorized user executes any of the restricted commands.
When an unauthorized user executes any of the restricted commands.

To permit or restrict packet commands, follow these steps:
Step 1 Log in to the sensor using an account with administrator privileges.
Step 2 Enter authentication submode.
sensor# configure terminal
sensor(config)# service authentication
sensor(config-aut)#
Step 3 Allow AAA RADIUS users with the correct av-pair (permit-packet-logging=true) and local users with the correct privilege levels to execute all packet capture/display and IP log commands.
sensor(config-aut)# permit-packet-logging true
Note: Existing CLI sessions are not affected by changes made to the restriction settings.
Step 4 Check your new setting.
sensor(config-aut)# show settings
attemptLimit: 0 <defaulted>
password-strength
-----------------------------------------------
size: 8-64 <defaulted>
digits-min: 0 <defaulted>
uppercase-min: 0 <defaulted>
lowercase-min: 0 <defaulted>
other-min: 0 <defaulted>
number-old-passwords: 0 <defaulted>
-----------------------------------------------
permit-packet-logging: true default: true
cli-inactivity-timeout: 0 <defaulted>
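
The following audit script is an added example, not part of the Cisco guide. It reads the permit-packet-logging value from `show settings` output and applies the av-pair rules described above to a set of RADIUS user records. The user names and records are constructed, and treating any av-pair value other than permit-packet-logging=true, or a missing ips-role, as not authorized is an assumption of this example.

```python
import re

ROLES = {"viewer", "operator", "administrator", "service"}  # ips-role values from the guide

# 'show settings' excerpt shaped like the output in Step 4 (shortened).
SHOW_SETTINGS = """\
attemptLimit: 0 <defaulted>
password-strength
-----------------------------------------------
size: 8-64 <defaulted>
-----------------------------------------------
permit-packet-logging: true default: true
cli-inactivity-timeout: 0 <defaulted>
"""

# Constructed RADIUS user records (user names are hypothetical).
RADIUS_USERS = {
    "alice": ["ips-role=administrator", "permit-packet-logging=true"],
    "bob": ["ips-role=operator"],
    "carol": ["ips-role=viewer", "permit-packet-logging=false"],
    "dave": ["permit-packet-logging=true"],
}

def parse_show_settings(text):
    """Return {name: value} for every 'name: value' line of the output."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w-]*):\s*(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def packet_access(sensor_setting, av_pairs):
    """Classify one RADIUS user against the rules described in the guide."""
    attrs = dict(p.split("=", 1) for p in av_pairs if "=" in p)
    role = attrs.get("ips-role")
    if role not in ROLES:
        return "no-valid-role"             # assumption: flag records lacking a role
    if sensor_setting != "true":
        return "restricted-by-sensor"      # 'false' restricts all users; unknown fails closed
    if attrs.get("permit-packet-logging") != "true":
        return "restricted-no-av-pair"     # assumption: only '=true' authorizes
    return "allowed-per-" + role           # still subject to privilege level

def audit(settings_text, users):
    """Map each user name to a verdict for the given sensor output."""
    setting = parse_show_settings(settings_text).get("permit-packet-logging", "unknown")
    return {name: packet_access(setting, pairs) for name, pairs in users.items()}

if __name__ == "__main__":
    for user, verdict in audit(SHOW_SETTINGS, RADIUS_USERS).items():
        print(f"{user:8} {verdict}")
```

Comparing the verdicts with the status events the sensor raises when restricted commands are executed shows whether packet capture use matches the accounts that were meant to have it.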