Cisco Systems IPS4510K9 manual Radius Authentication Options

Chapter 3 Setting Up the Sensor

Configuring Authentication and User Parameters

You can also configure the sensor to use local authentication (local fallback) if no RADIUS servers are responding. In this case, the sensor authenticates against the locally configured user accounts. The sensor will only use local authentication if the RADIUS servers are not available, not if the RADIUS server rejects the authentication requests of the user. You can also configure how users connected through the console port are authenticated—through local user accounts, through RADIUS first and if that fails through local user accounts, or through RADIUS alone.

To configure a RADIUS server, you must have the IP address, port, and shared secret of the RADIUS server. You must also either have the NAS-ID of the RADIUS server, or have the RADIUS server configured to authenticate clients without a NAS-ID or with the default IPS NAS-ID of cisco-ips.

Note Enabling RADIUS authentication on the sensor does not disconnect already established connections. RADIUS authentication is only enforced for new connections to the sensor. Existing CLI, IDM, and IME connections remain established with the login credentials used prior to configuring RADIUS authentication. To force disconnection of these established connections, you must reset the sensor after RADIUS is configured.

RADIUS Authentication Options

Use the aaa command in service aaa submode to configure either local authentication or authentication using a RADIUS server.

The following options apply:

•local—Lets you specify local authentication. To continue to create users, use the password command.

•radius—Lets you specify RADIUS as the method of authentication:

–nas-id—Identifies the service requesting authentication. The value can be no nas-id, cisco-ips, or a NAS-ID already configured on the RADIUS server. The default is cisco-ips.

–default-user-role—Lets you assign a default user role on the sensor that is only applied when there is NOT a Cisco av pair specifying the user role. The value can be unspecified, viewer, operator, or administrator. Service cannot be the default user role. The default is unspecified.

If you do not want to configure a default user role on the sensor that is applied in the absence of a Cisco av pair, you need to configure the Cisco IOS/PIX 6.x RADIUS Attributes [009\001] cisco-av-pair under the group or user profile with one of the following options: ips-role=viewer, ips-role=operator, ips-role=administrator, ips-role=service,or ips-role=unspecified. The default is ips-role=unspecified.

Note If the sensor is not configured to use a default user role and the sensor user role information in not in the Accept Message of the CiscoSecure ACS server, the sensor rejects RADIUS authentication even if the CiscoSecure ACS server accepts the username and password.

Note The default user role is used only when the user has not been configured with a specific role on the ACS server. Local users are always configured with a specific role so the default user role will never apply to locally authenticated users.

–local-fallback {enabled disabled}—Lets you default to local authentication if the RADIUS servers are not responding. The default is enabled.