Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 4 Setting Up the Sensor
Configuring Authentication and User Parameters
You can configure a primary RADIUS server and a secondary RADIUS server. The secondary RADIUS server authenticates and authorizes users only if the primary RADIUS server is unresponsive.
You can also configure the sensor to use local authentication (local fallback) if no RADIUS server is responding. In this case, the sensor authenticates against the locally configured user accounts. Local fallback is triggered only by the RADIUS servers being unreachable; a rejection returned by a RADIUS server is final, and the sensor does not retry the credentials against the local accounts. You can also configure how users connected through the console port are authenticated: through local user accounts only, through RADIUS first and then (if no server responds) through local user accounts, or through RADIUS alone.
To configure a RADIUS server, you must have the IP address, port, and shared secret of the RADIUS server. You must also know the NAS-ID the RADIUS server expects from the sensor, or have the RADIUS server configured to authenticate clients that send no NAS-ID or that send the default IPS NAS-ID, cisco-ips.
Note Enabling RADIUS authentication on the sensor does not disconnect already established connections.
RADIUS authentication is only enforced for new connections to the sensor. Existing CLI, IDM, and IME
connections remain established with the login credentials used prior to configuring RADIUS
authentication. To force disconnection of these established connections, you must reset the sensor after
RADIUS is configured.
RADIUS Authentication Options
Use the aaa command in service aaa submode to configure either local authentication or authentication using a RADIUS server. The following options apply:
local—Lets you specify local authentication. To continue to create users, use the password command.
radius—Lets you specify RADIUS as the method of authentication:
nas-id—Identifies the sensor, as the service requesting authentication, to the RADIUS server. The value can be no nas-id, cisco-ips, or a NAS-ID already configured on the RADIUS server. The default is cisco-ips.
default-user-role—Lets you assign a default user role on the sensor that is applied only when the Accept message carries no Cisco av pair specifying the user role. The value can be unspecified, viewer, operator, or administrator. Service cannot be the default user role. The default is unspecified.
If you do not want a default user role applied in the absence of a Cisco av pair, configure the Cisco IOS/PIX 6.x RADIUS Attributes [009\001] cisco-av-pair under the group or user profile with one of the following values: ips-role=viewer, ips-role=operator, ips-role=administrator, ips-role=service, or ips-role=unspecified. The default is ips-role=unspecified.
Note If the sensor is not configured with a default user role and the Accept message from the CiscoSecure ACS server does not carry the sensor user role, the sensor rejects the RADIUS authentication even though the CiscoSecure ACS server accepted the username and password.
Note The default user role is used only when the user has not been configured with a specific role on the ACS server. Local users are always configured with a specific role, so the default user role never applies to locally authenticated users.
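The failover, local-fallback and role-resolution rules above, as an added example that is not part of the Cisco guide and is not the sensor's own code: a small Python model of the decision flow. The RADIUS stand-ins (dead_server, acs_server), the sample users and their passwords, and the Outcome/SensorAAA names are all assumptions made for the illustration. Running it shows which outcomes reach the local accounts: a server that times out is skipped, a reject from a responsive server is final, and an Accept with no ips-role av-pair is rejected when default-user-role is unspecified but honoured when a default role is set.

```python
"""Model of the IPS 7.1 AAA decision flow described on this page.

Added illustration, not Cisco's sensor code. It encodes the rules the guide
states so an administrator can see which RADIUS outcomes reach the local
accounts and which do not:
  1. the secondary server is tried only if the primary does not respond;
  2. local fallback applies only when no RADIUS server responds, never when
     a server rejects the credentials;
  3. an Accept without ips-role in the cisco-av-pair gets default-user-role,
     and is rejected when that default is "unspecified".
The "servers" below are constructed stand-ins, not real RADIUS traffic.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

ROLES = ("viewer", "operator", "administrator", "service")


@dataclass
class Outcome:
    source: str            # "primary", "secondary", "local" or "none"
    accepted: bool
    role: Optional[str]
    reason: str


def parse_ips_role(av_pairs: List[str]) -> Optional[str]:
    """Return the ips-role value from cisco-av-pair strings, or None if absent."""
    for pair in av_pairs:
        key, _, value = pair.partition("=")
        if key.strip() == "ips-role":
            return value.strip() or None
    return None


# A "server" is a callable (user, password, nas_id) -> None for no response
# (timeout/unreachable) or {"accept": bool, "av_pairs": [cisco-av-pair, ...]}.
Server = Callable[[str, str, Optional[str]], Optional[dict]]


@dataclass
class SensorAAA:
    primary: Server
    secondary: Optional[Server] = None
    local_fallback: bool = False
    default_user_role: str = "unspecified"
    nas_id: Optional[str] = "cisco-ips"
    local_users: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # user -> (pw, role)

    def _role_from_accept(self, resp: dict) -> Tuple[Optional[str], str]:
        role = parse_ips_role(resp.get("av_pairs", []))
        if role in ROLES:
            return role, "role taken from cisco-av-pair"
        if role not in (None, "unspecified"):
            return None, "unknown ips-role value %r" % role
        if self.default_user_role in ROLES:
            return self.default_user_role, "default-user-role applied"
        return None, "Accept carries no ips-role and default-user-role is unspecified"

    def authenticate(self, user: str, password: str) -> Outcome:
        for name, server in (("primary", self.primary), ("secondary", self.secondary)):
            if server is None:
                continue
            resp = server(user, password, self.nas_id)
            if resp is None:
                continue                       # unresponsive: try the next server
            if not resp["accept"]:             # a reject is final, no local fallback
                return Outcome(name, False, None, "RADIUS rejected the credentials")
            role, reason = self._role_from_accept(resp)
            return Outcome(name, role is not None, role, reason)
        if self.local_fallback:                # only reached when no server answered
            entry = self.local_users.get(user)
            if entry and entry[0] == password:
                return Outcome("local", True, entry[1], "local account (fallback)")
            return Outcome("local", False, None, "local credentials rejected")
        return Outcome("none", False, None, "no RADIUS server responded")


# --- constructed sample servers (assumptions, not real ACS behaviour) -------
def dead_server(user, password, nas_id):
    return None                                # never answers


def acs_server(user, password, nas_id):
    """Stand-in ACS: 'ops' carries ips-role=operator, 'plain' carries no role."""
    if nas_id not in (None, "cisco-ips"):      # only the NAS-IDs it was told to accept
        return {"accept": False, "av_pairs": []}
    users = {"ops": ("Op3rat0r!", ["ips-role=operator"]),
             "plain": ("N0role!", [])}
    if user in users and users[user][0] == password:
        return {"accept": True, "av_pairs": users[user][1]}
    return {"accept": False, "av_pairs": []}


def demo() -> Dict[str, Outcome]:
    local = {"cisco": ("L0calPw!", "administrator")}   # constructed local account
    s = SensorAAA(primary=dead_server, secondary=acs_server,
                  local_fallback=True, local_users=local)
    return {
        "failover_with_role":   s.authenticate("ops", "Op3rat0r!"),
        "accept_without_role":  s.authenticate("plain", "N0role!"),
        "reject_no_fallback":   s.authenticate("cisco", "L0calPw!"),
        "all_down_local":       SensorAAA(dead_server, dead_server, local_fallback=True,
                                          local_users=local).authenticate("cisco", "L0calPw!"),
        "default_role_applied": SensorAAA(acs_server, default_user_role="viewer")
                                .authenticate("plain", "N0role!"),
    }


if __name__ == "__main__":
    for name, o in demo().items():
        print("%-22s %-9s accepted=%-5s role=%-13s %s"
              % (name, o.source, o.accepted, o.role, o.reason))
```

The reject_no_fallback case is the one to note when planning an ACS outage: the account "cisco" exists locally with the right password, but because the secondary server answered with a reject the local accounts are never consulted. Only the all_down_local case, where neither server responds, reaches them.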