35-19
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 35 Getting Started with IPS Configuration
Managing User Accounts and Password Requirements
Configuring AAA Access Control for IPS Devices
Use the AAA policy to configure AAA access control for your IPS devices. The device must be running IPS
Software release 7.0(4) or later, or 7.1.3 or later, to configure AAA; neither 7.1.1 nor 7.1.2
supports AAA.
You can configure the IPS device to use a RADIUS AAA server to authenticate user access to the device.
By configuring AAA, you can reduce the number of local users defined on the device and take advantage
of your existing RADIUS setup. If you configure a AAA server, you can configure the device to allow
local user accounts as a fallback mechanism if the RADIUS servers are unavailable.
When configuring AAA, you identify the RADIUS server using a AAA server policy object. You can
create the object while configuring the policy, or you can create it in the Policy Object Manager. When
you configure the AAA server object, you must adhere to the following restrictions:
Host—You must specify the IP address; you cannot use a DNS name.
Timeout—If you enter a timeout value, it must be from 1 to 512 seconds. The generic AAA server
object allows higher values, but IPS has a more limited timeout range. The default is 3 seconds.
Protocol—RADIUS is the only supported protocol.
Table 35-5 Password Requirements Policy

Attempt Limit—How many times a user is allowed to try to log into the device before the user account
is locked due to excessive failed attempts. The default is 0, which indicates unlimited
authentication attempts. For security purposes, you should change this to a non-zero value.

Size Range—The minimum and maximum size allowed for user passwords; separate the minimum and
maximum with a hyphen. The range is 6 to 64 characters; the default is 8-64.

    Tip: If you configure non-zero values for any of the minimum characters options, the minimum
    size you enter in the Size Range field must be equal to or greater than the sum of those values.
    For example, you cannot set a minimum password size of eight and also require that passwords
    contain at least five lowercase and five uppercase characters.

Minimum Digit Characters—The minimum number of numeric digits that must be in a password.

Minimum Uppercase Characters—The minimum number of uppercase alphabetic characters that must be
in a password.

Minimum Lowercase Characters—The minimum number of lowercase alphabetic characters that must be
in a password.

Minimum Other Characters—The minimum number of non-alphanumeric printable characters that must be
in a password.

Number of Historical Passwords—The number of historical passwords that you want the sensor to
remember for each account. Any attempt to change the password of an account fails if the new
password matches any of the remembered passwords. If you specify 0, no previous passwords are
remembered.
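The restrictions on the AAA server object (IP address host, 1-512 second timeout, RADIUS only) and the fields of Table 35-5 can be checked offline before a policy is pushed to a sensor. The following Python is an added example and is not part of this guide or of Cisco Security Manager; the class, function and field names are my own, the sample values are constructed, and two rules are my reading of the table: an account locks when the number of failed attempts reaches Attempt Limit, and only the last Number of Historical Passwords entries are compared against a new password.

```python
"""Offline checks for the IPS AAA server object restrictions and the Password
Requirements policy (Table 35-5).  Added example; the names below are not
Security Manager API names and the sample values are constructed."""
import ipaddress
from dataclasses import dataclass

IPS_TIMEOUT_RANGE = (1, 512)   # IPS-specific limit; the generic object allows more
IPS_TIMEOUT_DEFAULT = 3        # seconds
PASSWORD_SIZE_RANGE = (6, 64)  # allowed span for the Size Range field


def validate_aaa_server(host, protocol="RADIUS", timeout=None):
    """Return the IPS restrictions a AAA server object violates (empty = usable)."""
    errors = []
    try:
        ipaddress.ip_address(host)  # IPv4/IPv6 literal only; a DNS name raises
    except ValueError:
        errors.append("Host: %r is not an IP address; DNS names are not allowed" % host)
    if protocol.upper() != "RADIUS":
        errors.append("Protocol: %r is not supported; RADIUS only" % protocol)
    timeout = IPS_TIMEOUT_DEFAULT if timeout is None else timeout
    lo, hi = IPS_TIMEOUT_RANGE
    if not lo <= timeout <= hi:
        errors.append("Timeout: %d is outside %d-%d seconds" % (timeout, lo, hi))
    return errors


@dataclass
class PasswordPolicy:
    """The Table 35-5 fields; the defaults are the ones the table lists."""
    attempt_limit: int = 0      # 0 = unlimited login attempts
    size_range: str = "8-64"    # "min-max", both within PASSWORD_SIZE_RANGE
    min_digits: int = 0
    min_upper: int = 0
    min_lower: int = 0
    min_other: int = 0
    history: int = 0            # 0 = no previous passwords remembered

    def bounds(self):
        """Parse Size Range into (min, max); raises ValueError if malformed."""
        lo, hi = (int(part) for part in self.size_range.split("-", 1))
        return lo, hi

    def validate(self):
        """Return the reasons the policy itself would be rejected (empty = valid)."""
        try:
            lo, hi = self.bounds()
        except ValueError:
            return ["Size Range: %r must be written as min-max" % self.size_range]
        errors = []
        floor, ceiling = PASSWORD_SIZE_RANGE
        if not floor <= lo <= hi <= ceiling:
            errors.append("Size Range: %d-%d must lie within %d-%d" % (lo, hi, floor, ceiling))
        # The Tip in Table 35-5: the minimum size must cover every required character class.
        required = self.min_digits + self.min_upper + self.min_lower + self.min_other
        if required and lo < required:
            errors.append("Size Range: minimum %d is below the %d characters the "
                          "minimum-character options require" % (lo, required))
        return errors

    def weaknesses(self):
        """Settings the table accepts but that leave accounts less protected (my assessment)."""
        notes = []
        if self.attempt_limit == 0:
            notes.append("Attempt Limit 0: unlimited attempts, a password guesser is never locked out")
        if self.history == 0:
            notes.append("Number of Historical Passwords 0: a user can immediately reuse an old password")
        return notes


def check_password(policy, candidate, remembered=()):
    """Reasons the sensor would refuse `candidate` as a new password (empty = accepted)."""
    reasons = []
    lo, hi = policy.bounds()
    if not lo <= len(candidate) <= hi:
        reasons.append("length %d outside %d-%d" % (len(candidate), lo, hi))
    counts = {
        "digit": sum(c.isdigit() for c in candidate),
        "uppercase": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "other": sum(c.isprintable() and not c.isalnum() for c in candidate),
    }
    minimums = {"digit": policy.min_digits, "uppercase": policy.min_upper,
                "lowercase": policy.min_lower, "other": policy.min_other}
    for kind, need in minimums.items():
        if counts[kind] < need:
            reasons.append("needs %d %s characters, has %d" % (need, kind, counts[kind]))
    # Only the last `history` passwords are remembered per account (assumption).
    if policy.history and candidate in list(remembered)[-policy.history:]:
        reasons.append("matches one of the remembered passwords")
    return reasons


class LoginTracker:
    """Count failed logins per user and lock the account once Attempt Limit is reached."""

    def __init__(self, policy):
        self.policy = policy
        self.failures = {}
        self.locked = set()

    def attempt(self, user, succeeded):
        """Record one login attempt and return whether the account is now locked."""
        if user in self.locked:
            return True  # stays locked until an administrator clears it
        if succeeded:
            self.failures[user] = 0
            return False
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.policy.attempt_limit and self.failures[user] >= self.policy.attempt_limit:
            self.locked.add(user)
        return user in self.locked


if __name__ == "__main__":
    print(validate_aaa_server("radius.example.net", timeout=600))  # constructed bad object
    strict = PasswordPolicy(attempt_limit=3, size_range="12-64", min_digits=2,
                            min_upper=1, min_lower=1, min_other=1, history=3)
    print(strict.validate(), check_password(strict, "Xy7!pq2mnopq"))
```

Run it directly to see a AAA object rejected on all three restrictions and a valid strict policy accepting a conforming password; the `weaknesses()` method flags the two table defaults (Attempt Limit 0, no password history) that the guide tells you to change.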