Cisco Systems IPS 7.1 Home Security System User Manual

4-27
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 4 Setting Up the Sensor
Configuring Authentication and User Parameters
Note: For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no password cisco command, but you cannot remove it. To use the no password cisco command, there must be another administrator account on the sensor. Removing the cisco account through the service account is not supported. If you remove the cisco account through the service account, the sensor most likely will not boot up, so to recover the sensor you must reinstall the sensor system image.
To create the service account, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Enter configuration mode.
sensor# configure terminal
Step 3 Specify the parameters for the service account. The username follows the pattern ^[A-Za-z0-9()+:,_/-]+$, which means the username must start with a letter or number, and can include any letter A to Z (capital or small), any number 0 to 9, - and _, and can contain 1 to 64 characters.
sensor(config)# user username privilege service
Step 4 Specify a password when prompted. A valid password is 8 to 32 characters long. All characters except space are allowed. If a service account already exists for this sensor, the following error is displayed and no service account is created.
Error: Only one service account may exist
Step 5 Exit configuration mode.
sensor(config)# exit
sensor#
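As an added example, not from the Cisco guide, the following Python pre-check applies the username, password, and single-service-account rules stated in the steps above, so an automation script can reject bad input before it sends the user command to a sensor. The SensorUsers class is a constructed stand-in for the sensor's local user table; the error strings are assumed except for the one the guide quotes.

```python
import re

# Username pattern and limits as documented for the IPS 7.1 "user" command
USERNAME_RE = re.compile(r"^[A-Za-z0-9()+:,_/-]+$")
USERNAME_MAX = 64
PASSWORD_MIN, PASSWORD_MAX = 8, 32


def check_username(name: str) -> list[str]:
    """Return the reasons a username would be rejected (empty list if valid)."""
    problems = []
    if not (1 <= len(name) <= USERNAME_MAX):
        problems.append(f"length must be 1 to {USERNAME_MAX} characters")
    # fullmatch so a trailing newline cannot slip past the "$" anchor
    if not USERNAME_RE.fullmatch(name):
        problems.append("contains characters outside [A-Za-z0-9()+:,_/-]")
    return problems


def check_password(password: str) -> list[str]:
    """Return the reasons a password would be rejected (empty list if valid)."""
    problems = []
    if not (PASSWORD_MIN <= len(password) <= PASSWORD_MAX):
        problems.append(f"length must be {PASSWORD_MIN} to {PASSWORD_MAX} characters")
    if " " in password:
        problems.append("space is not allowed")
    return problems


class SensorUsers:
    """Constructed model of the sensor's local user table (not Cisco code)."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}  # username -> privilege level

    def add_user(self, name: str, privilege: str, password: str) -> str:
        """Simulate 'user <name> privilege <privilege>' followed by the password prompt."""
        errors = check_username(name) + check_password(password)
        if errors:
            return "Error: " + "; ".join(errors)
        if privilege == "service" and "service" in self.users.values():
            # The sensor's own message when a second service account is requested
            return "Error: Only one service account may exist"
        self.users[name] = privilege
        return f"user {name} privilege {privilege} added"
```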
When you use the service account to log in to the CLI, you receive this warning.
************************ WARNING *******************************************************
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. This account is intended to be
used for support and troubleshooting purposes only. Unauthorized modifications are not
supported and will require this device to be reimaged to guarantee proper operation.
****************************************************************************************
The Service Account and RADIUS Authentication
If you are using RADIUS authentication and want to create and use a service account, you must create the service account both on your sensor and on the RADIUS server. You must use local authentication to access the service account on the sensor. The service account must be created manually as a local account on the sensor. Then when you configure RADIUS authentication, the service account must also be configured manually on the RADIUS server with the accept message set to ips-role=service.
When you log in to the service account, you are authenticated against both the sensor account and the RADIUS server account. By whatever method you use to access the service account—serial console port, direct monitor/keyboard (for sensors that support it), or a network connection, such as SSH or Telnet—you have to log in using local authentication.