cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1228
Views
5
Helpful
3
Replies
wharrison2000
Beginner

LMS and ACS intergration

Currently we have a ACS 4.2 install in our infrastructure.  We are rolling out Ciscoworks 3.1 and are thinking of upgrading to 4.0.

Is there a set of recommendations for SNMPv3 and AAA?  More specifically, we are considering RBAC controls and wondering about standards for AAA authorization should be used?  Also what standards for the read write views? Finally syslogging commands.  Is logging informational too much or is logging events better.

Thanks

wharrison2000

1 ACCEPTED SOLUTION

Accepted Solutions
Joe Clarke
Hall of Fame Cisco Employee

Here's a good article on securing SNMP (including SNMPv3):

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml

As for assigning AAA permissions, all of this is done on ACS.  All you need to do is enable command authorization.  For example:

aaa authorization commands 15 default group tacacs+

You will need to make sure you allow the following commands, though:

terminal length 0

terminal width 0

show privilege

show running-config

show startup-config

View solution in original post

3 REPLIES 3
Joe Clarke
Hall of Fame Cisco Employee

If you are considering upgrading to LMS 4.0, then ACS isn't really a consideration.  While LMS 4.0 can use any TACACS+ server for authentication (including ACS), the authorization will be handled internally to LMS.  That is, no ACS integration is required.

There really isn't any leading practice when it comes to SNMPv3.  It depends on what you want to protect.  If protecting the credentials is sufficient, then you can stick with authNoPriv.  In this case, the SHA-1 hash will offer a bit more security.  If you do want to encrypt the SNMP payload, consider using AES-128 as the privacy algorithm as it is more standard.

With syslog, it really depends on the messages you need to log as to what logging level you should use.  Are there any informational messages you need to log that are critical to your organization.  If so, then you definitely need to go with logging level 6.  If everything you need is sev 5 and higher, then stick notifications.

Joseph,

Thanks for your reply!!!!!  So let me restate a portion of my question.  Given ACS 4.2 and LMS 3.1, could you point me to a link with the configuration examples or samples in regards to SNMPv3 and Tacacs portions?  For example, I want to control what "ACS USER" maybe able do with the NetConfig or Config Editor portion of LMS.  Given that thought, what variables would be a good standard for "aaa authorization exec" ?

I know I'm being somewhat vague but I'm trying to avoid the trial and error method.

Again thanks for your time

wharrison2000

Joe Clarke
Hall of Fame Cisco Employee

Here's a good article on securing SNMP (including SNMPv3):

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml

As for assigning AAA permissions, all of this is done on ACS.  All you need to do is enable command authorization.  For example:

aaa authorization commands 15 default group tacacs+

You will need to make sure you allow the following commands, though:

terminal length 0

terminal width 0

show privilege

show running-config

show startup-config

View solution in original post