One desired feature in the Cisco Intrusion Prevention System (IPS) product line is the ability to centralize logins through the use of an external TACACS+ or RADIUS server. The Cisco MARS appliance, frequently coupled with one or more IPS sensors, obtained this capability in its 6.0 OS release more than two years ago. This article will explore the implementation of RADIUS on the IPS sensor as first implemented in OS 7.0.
Before the RADIUS implementation is explored, let’s briefly examine some of the key differences between RADIUS and TACACS+:
| | TACACS+ | RADIUS |
|---|---|---|
| Primary use | Admin. access | General user access |
| Transport | TCP port 49 | UDP ports 1645/1646* (non-IETF), ports 1812/1813* (IETF) |
| Authorization | Separate from authentication | Combined w/ authentication |
| Security | All packets encrypted | Only password encryption |

\* – ports used for accounting
On most Cisco hardware with security features (IOS router, ASA, Catalyst switch, etc.), the TACACS+ protocol is preferred both for its greater protection, as well as its accounting of administrative activities.
Now, let’s explore the IPS 7.0 RADIUS configuration screen (shown below) when configured with IPS Device Manager:
Several points of interest here:
- There is a “fallback” option in case the RADIUS servers are unresponsive
- Instead of a “server group” as is used with the IOS router and ASA security appliances, there is a Secondary RADIUS Server. This second option is usually hidden but becomes visible when the double down arrow icon is clicked
Once the RADIUS server is defined on the sensor (and the accompanying required definition is added on the RADIUS server pointing to the IPS sensor as a client), the user role must be defined if the Default User Role (shown in the screenshot above) is kept at its default value of Unspecified. This is accomplished on the Cisco ACS (Access Control Server) as shown below:
The key phrase which must be entered here is ips-role, which can have the values of administrator, operator, viewer, or service. As the next screenshot shows, the use of an external RADIUS server should be done over a secure “out-of-band” management channel, as the attributes are passed in the clear:
The ips-role attribute can be clearly seen in both the middle and bottom window panes of the Wireshark® trace.
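To make the “only password encryption” row of the table and the Wireshark observation concrete, the following added example (written for this page, not code from the article or from Cisco) builds and decodes a minimal RFC 2865 exchange between a sensor and an ACS. It assumes the ACS returns ips-role as a cisco-avpair string inside a Cisco Vendor-Specific attribute (vendor 9, sub-type 1); the shared secret, username, password and identifier are constructed sample values. It shows that the User-Password value is the only field obscured, that the Access-Accept is integrity-checked with the shared secret, and that the role attribute is readable to anyone on the management path, which is why the article recommends an out-of-band channel.

```python
"""Added example: minimal RADIUS (RFC 2865) encode/decode showing what the
sensor <-> ACS exchange protects and what travels in the clear.
All secrets, names and values below are constructed for illustration."""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9   # IANA enterprise number for Cisco Systems
CISCO_AVPAIR = 1      # cisco-avpair sub-attribute; assumed carrier of "ips-role=..."


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2, the only 'encryption' RADIUS applies: pad to 16-byte
    blocks and XOR each block with MD5(secret + previous output block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as performed by the ACS."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific attribute wrapping one cisco-avpair string (assumed format)."""
    sub = attribute(CISCO_AVPAIR, text.encode())
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def response_authenticator(code, identifier, body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    This is how the sensor knows the Accept really came from its ACS."""
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def parse_packet(packet):
    """Decode header and attributes; VSA sub-attributes become ("vsa", vendor, subtype)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, sub_pos = struct.unpack("!I", value[:4])[0], 4
            while sub_pos + 2 <= len(value):
                sub_type, sub_len = value[sub_pos], value[sub_pos + 1]
                if sub_len < 2 or sub_pos + sub_len > len(value):
                    raise ValueError("malformed VSA")
                attrs.append((("vsa", vendor, sub_type), value[sub_pos + 2:sub_pos + sub_len]))
                sub_pos += sub_len
        else:
            attrs.append((attr_type, value))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def verify_accept(accept, request_auth, secret):
    """Sensor-side check of the Response Authenticator before trusting any role."""
    code, identifier, auth, _ = parse_packet(accept)
    expected = response_authenticator(code, identifier, accept[20:], request_auth, secret)
    return code == CODE_ACCESS_ACCEPT and hmac.compare_digest(auth, expected)


def ips_role(accept):
    """ips-role from an Access-Accept, or None (sensor then uses its Default User Role)."""
    _, _, _, attrs = parse_packet(accept)
    for key, value in attrs:
        if key == ("vsa", CISCO_VENDOR_ID, CISCO_AVPAIR) and value.startswith(b"ips-role="):
            return value[len(b"ips-role="):].decode()
    return None


def clear_text_view(packet):
    """Everything except User-Password decodes directly from the datagram."""
    _, _, _, attrs = parse_packet(packet)
    return {str(k): ("<hidden>" if k == ATTR_USER_PASSWORD else v.decode("latin-1"))
            for k, v in attrs}


def sample_exchange(secret=b"constructed-shared-secret", request_auth=None):
    """Constructed Access-Request / Access-Accept pair for a user granted administrator."""
    request_auth = request_auth or os.urandom(16)   # Request Authenticator, random per RFC
    request = build_packet(CODE_ACCESS_REQUEST, 42, request_auth, [
        attribute(ATTR_USER_NAME, b"ipsadmin"),
        attribute(ATTR_USER_PASSWORD, hide_password(b"example-pass", secret, request_auth)),
    ])
    body = cisco_avpair("ips-role=administrator")
    auth = response_authenticator(CODE_ACCESS_ACCEPT, 42, body, request_auth, secret)
    return request, build_packet(CODE_ACCESS_ACCEPT, 42, auth, [body])
```

Running `sample_exchange()` and passing both packets through `clear_text_view` shows the username and the ips-role string verbatim while only the password value is hidden; `verify_accept` is the check a sensor relies on, since the role attribute itself carries no protection beyond that MD5 over the shared secret.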
One final note: no accounting is performed, inasmuch as no accounting messages are sent to the ACS and the ACS does not record the user as being logged in; consequently, the IPS administrator needs to examine the local logs.