Filter
Top Products
35-20
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 35 Getting Started with IPS Configuration
Managing User Accounts and Password Requirements
• Key— You must specify the shared secret key that is defined on the RADIUS server. Although this
field is optional for a generic AAA server object, IPS requires a key.
• Port—Ensure that the RADIUS Authentication/Authorization port is correct. Note that the default
port in the AAA server object is different from the IPS default, which is 1812. You will need to
change the port if you want to use the IPS default.
For more information about configuring AAA server objects, see Creating AAA Server Objects,
page 6-29.
Tip You must ensure that the user account configured in the device properties exists in the RADIUS server
or as a local user account, depending on the authorization method that you use. If you switch between
local and AAA modes, or change AAA servers, you must ensure that the account is defined in whatever
user account database you are using. If you are using AAA with local fallback, the account should be
defined in all databases. This account must exist, with the same password defined in the Security
Manager device properties for the device, or deployment to the device will fail. The user account used
for discovery and deployment must have administrator privileges.
Related Topics
• Managing User Accounts and Password Requirements, page 35-13
• Configuring IPS User Accounts, page 35-16
Step 1 Do one of the following:
• (Device view) Select Platform > Device Admin > Device Access > AAA from the Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > AAA, then select an existing policy or
create a new one.
Step 2 Configure the following basic properties:
• Authentication Mode—Whether to use Local or AAA mode. Local mode uses user accounts
defined on the IPS device only. With AAA mode, the RADIUS servers are the primary means of user
authentication, and you can configure local user accounts as a fallback mechanism. The default is
Local. You must select AAA to configure any other options in this policy.
• Primary RADIUS Server, Secondary RADIUS Server—The main (primary) AAA server and a
backup server, if any. Enter the name of the AAA server policy object that identifies the RADIUS
server, or click Select to select it from a list of objects or to create a new object.
When authenticating users, the IPS device sends the user authentication attempt to the primary
server. The secondary server is contacted only if the request to the primary server times out.
Step 3 Configure the following optional properties if you want non-default values:
• Console Authentication—How you want to authenticate users who access the IPS device through
the console:
–
Local—Users connected through the console port are authenticated through local user accounts.
–
Local and RADIUS—Users connected through the console port are authenticated through
RADIUS first. If RADIUS fails, local authentication is attempted.
–
RADIUS—Users connected through the console port are authenticated by RADIUS. If you also
select Enable Local Fallback, then users can also be authenticated through the local user
accounts.