Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix A System Architecture
CLI
Assignment of physical sensing interfaces
Enable or disable control of physical interfaces
Add and delete users and passwords
Generate new SSH host keys and server certificates
Service—Only one user with service privileges can exist on a sensor. The service user cannot log in
to the IDM or the IME. The service user logs in to a bash shell rather than the CLI.
The service role is a special role that allows you to bypass the CLI if needed. Only one service
account is allowed. You should only create an account with the service role for troubleshooting
purposes. Only a user with administrator privileges can edit the service account.
When you log in to the service account, you receive the following warning:
************************ WARNING *************************************************
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
This account is intended to be used for support and troubleshooting purposes only.
Unauthorized modifications are not supported and will require this device to be
re-imaged to guarantee proper operation.
**********************************************************************************
Note For IPS 5.0 and later, you can no longer remove the cisco account. You can disable it using the no
password cisco command, but you cannot remove it. To use the no password cisco command, there
must be another administrator account on the sensor. Removing the cisco account through the service
account is not supported. If you remove the cisco account through the service account, the sensor most
likely will not boot up, so to recover the sensor you must reinstall the sensor system image.
Service Account
The service account is a support and troubleshooting tool that enables the TAC to log in to a native
operating system shell rather than the CLI shell. It does not exist on the sensor by default. You must
create it so that it is available for the TAC to use for troubleshooting your sensor.
Only one service account is allowed per sensor, so only one account can hold the service role. When the
password of the service account is set or reset, the password of the root account is set to the same
password, which lets the service account user su to root with that password. When the service
account is removed, the password of the root account is locked.
The service account is not intended to be used for configuration purposes. Only modifications made to
the sensor through the service account under the direction of the TAC are supported. Cisco Systems does
not support the addition and/or running of an additional service to the operating system through the
service account, because it affects proper performance and proper functioning of the other IPS services.
The TAC does not support a sensor on which additional services have been added.
You can track logins to the service account by checking the log file /var/log/.tac, which is updated with
a record of service account logins.
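The following shell script is an added example and is not part of the Cisco guide. It contains small audit helpers a service-account user could run from the bash shell the guide describes, to confirm the state the preceding paragraphs assert: whether root's password is locked (as it should be once the service account is removed), which non-root accounts have a bash login shell (on a sensor the service account is the one expected to, which is an assumption), and how many logins /var/log/.tac records. The record format of /var/log/.tac is not documented on this page, so the login counter assumes one non-empty line per login; the sample files, user name svcuser, and the /usr/bin/cli shell path are constructed for offline testing and are not real sensor data.

```shell
#!/bin/sh
# Added example, not from the Cisco IPS guide: audit helpers for the service
# account bash shell. Paths are standard Linux ones; the /var/log/.tac record
# format is not documented on the page, so service_logins() assumes one
# non-empty line per login (an assumption).

# root_locked SHADOWFILE
# Prints "locked" if root's password field in an /etc/shadow-style file is
# empty or begins with "!" or "*" (no usable password), otherwise "unlocked".
root_locked() {
  field=$(awk -F: '$1 == "root" { print $2 }' "$1")
  case "$field" in
    ''|'!'*|'*'*) echo locked;   return 0 ;;
    *)            echo unlocked; return 1 ;;
  esac
}

# bash_accounts PASSWDFILE
# Lists non-root users whose login shell is bash. The guide says the service
# user gets a bash shell rather than the CLI, so on a sensor this should name
# the service account (assumption: no other interactive bash users exist).
bash_accounts() {
  awk -F: '$3 != 0 && $7 ~ /bash$/ { print $1 }' "$1"
}

# service_logins LOGFILE
# Counts recorded service-account logins; prints 0 if the log does not exist.
service_logins() {
  if [ -f "$1" ]; then grep -c . "$1"; else echo 0; fi
}

# Constructed sample files (not real sensor data) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat >"$SAMPLE_DIR/shadow.locked" <<'EOF'
root:!:19000:0:99999:7:::
EOF
cat >"$SAMPLE_DIR/shadow.unlocked" <<'EOF'
root:$6$exampleSalt$exampleHashValue:19000:0:99999:7:::
svcuser:$6$exampleSalt$exampleHashValue:19000:0:99999:7:::
EOF
cat >"$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
cisco:x:1000:1000::/home/cisco:/usr/bin/cli
svcuser:x:1001:1001::/home/svcuser:/bin/bash
EOF
printf 'login svcuser from 10.0.0.5\nlogin svcuser from 10.0.0.7\n' >"$SAMPLE_DIR/tac.log"

# Usage: on a real sensor point these at /etc/shadow, /etc/passwd, /var/log/.tac.
echo "root (service account removed): $(root_locked "$SAMPLE_DIR/shadow.locked")"
echo "root (service account present): $(root_locked "$SAMPLE_DIR/shadow.unlocked")"
echo "bash shell accounts: $(bash_accounts "$SAMPLE_DIR/passwd")"
echo "service account logins: $(service_logins "$SAMPLE_DIR/tac.log")"
```

Run it from the service shell with the real paths substituted; a sensor on which the service account has been removed should report root as locked and no non-root bash accounts.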
Note The Cisco IPS incorporates several troubleshooting features that are available through the CLI, IDM, or
IME. The service account is not necessary for most troubleshooting situations. You may need to create
the service account at the direction of the TAC to troubleshoot an unusual problem. The service account
lets you bypass the protections built into the CLI and grants root-privilege access to the sensor, which is
otherwise disabled. We recommend that you do not create a service account unless it is needed for a
specific reason, and that you remove the service account when it is no longer needed.