cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

918
Views
0
Helpful
3
Replies
Highlighted
Beginner

CSM 4.4SP2

I have a situation where I have a number of ASA and IPS instances being managed from CSM 4.4sp2.

The credentials are validated via RADIUS to a Cisco ISE v1.2.

All the devices use the same account and credentials; and have been configured the same way.

The IPS responses's work fine but the ISE logs show that when the CSM attempts to logon to the ASA's it always tries a blank username first and then the correct credentials immediately (0.04s) afterwards.

The failed authentication

Any ideas!

Everyone's tags (5)
3 REPLIES 3
Highlighted
Beginner

CSM 4.4SP2

FYI and from our friends in TAC

The issue you reported is related to the legacy behavior of CSM which used the enable password with blank username.

  • •1.       There is a file DCS.properties located under CSCOpx\MDC\athena\config folder.
  • •2.       Please edit it and locate the following variable in there: DCS.useEnablePasswordFirstForFw=true
  • •3.       Change it to DCS.useEnablePasswordFirstForFw=false
  • •4.       Restart the CSM using 
    • •a.       net stop crmdmgtd
    • •b.       net start crmdmgtd

After the change CSM will not be attempting to first access the device with enable password if it is configured.

Here are results of the tests in my lab:

  • •1.       Username/password and enable with setting = TRUE

HTTP: Authentication username = ''

  • •2.       Username/password with setting = TRUE

HTTP: Authentication username = 'cisco'

  • •3.       Username/password and enable with setting = FALSE

HTTP: Authentication username = 'cisco'

  • •4.       Username/password with setting = FALSE

HTTP: Authentication username = 'cisco'

Highlighted
Beginner

CSM 4.4SP2

And I can confirm it works too.

IanC

Highlighted
Beginner

CSM 4.4SP2

Further for existing devices and reports:-

From the last screenshot the issue is not with adding a device to the CSM database for the first time but with periodic polling the devices by the server for report manager or HPM components for example.

What we have changed in DCS.properties is for initial deployment of the devices only.

With that in mind could you please do the following:

  • •1.       In CSCOpx\MDC locate a respective folder (depending on the component it is hpm or reports folders);
  • •2.       Open \config folder and locate ‘communication.properties’ file;
  • •3.       Change USE_ENABLE_PASSWORD_FIRST=true to USE_ENABLE_PASSWORD_FIRST=false;
  • •4.       Restart the server.

Thank you.