Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 35 Getting Started with IPS Configuration
Managing User Accounts and Password Requirements
Because Security Manager configures even unchanged passwords, all managed passwords must
satisfy the password requirements defined in the Password Requirements policy.
Thus, you can have a mix of managed and unmanaged account passwords. For example, you can have a
set of shared user accounts that are centrally managed, and manage these account passwords in Security
Manager. Other accounts might be unique to individuals; if you never edit these account passwords in
Security Manager, the user can manage these passwords individually on the device.
Tip: If you do not want to manage any user accounts in Security Manager, ensure that the User Accounts
policy is empty, or simply unassign the policy (right-click the policy and select Unassign Policy).
Security Manager will not modify user account configurations.
Understanding How IPS Passwords are Discovered and Deployed
Because user passwords are encrypted on IPS devices, Security Manager has to handle them with special
care when discovering policies on the device or deploying configurations. When discovering or
deploying user accounts on IPS devices, Security Manager does the following:
• Discovery—When you add an IPS device to the inventory, or rediscover policies on it, Security
  Manager determines the current status of each user account, updates the User Account policy with
  each discovered username and associated role, and marks the user password as unmanaged (as
  described in Understanding Managed and Unmanaged IPS Passwords, page 35-14).
  You cannot view the account status through Security Manager, because it is dynamic and can
  change. However, the Discovery Status window displays the status at discovery. Accounts can have
  these statuses:
  - Active—This state indicates that the account is available for use. Active accounts can be
    accessed using an authentication token if one has been assigned to the account.
  - Expired—This state indicates that the account’s authentication token has expired and the
    account cannot be accessed using a token until the token has been updated.
  - Locked—This state indicates that logins to the account have been disabled due to too many
    failed authentication attempts. You should update the password for these accounts.
• Deployment—You are warned if any deployed user accounts are in the Expired or Locked state.
  Any unmanaged passwords are not deployed to the device. Also, keep in mind the following points:
  - If you make changes to any user account on the device, all user accounts with managed
    passwords are reconfigured. If you also changed the Password Requirements policy, all
    passwords are compared to the new policy and must meet the new requirements.
  - If you change the password of the user account you defined in the device’s properties for
    Security Manager to use when configuring the device, after successful deployment, Security
    Manager updates the password in the device properties to the new password. You do not need
    to manually update the password. To see device properties, select Tools > Device Properties.
    This behavior assumes that you selected Security Manager Device Credentials for the
    Connect to Device Using option on the Tools > Security Manager Administration > Device
    Communication page. If you are using the logged-in user’s credentials for deployment, after
    successful deployment, the overall deployment is marked as failed, and a message explains how
    to reestablish connection. See Device Communication Page, page 11-16.
  - If you use out-of-band change detection, changes to passwords are not detected. However,
    changes to usernames and roles are detected. For more information about out-of-band change
    detection, see Detecting and Analyzing Out of Band Changes, page 8-46.