Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2219
Views
0
Helpful
3
Replies

CSM 4.4SP2

Ian Cowley
Level 1
Level 1

‎02-17-2014 09:33 AM - edited ‎02-21-2020 05:06 AM

I have a situation where I have a number of ASA and IPS instances being managed from CSM 4.4sp2.

The credentials are validated via RADIUS to a Cisco ISE v1.2.

All the devices use the same account and credentials; and have been configured the same way.

The IPS responses's work fine but the ISE logs show that when the CSM attempts to logon to the ASA's it always tries a blank username first and then the correct credentials immediately (0.04s) afterwards.

The failed authentication

Any ideas!

0 Helpful
3 Replies 3

Ian Cowley
Level 1
Level 1

‎02-19-2014 09:24 AM

FYI and from our friends in TAC

The issue you reported is related to the legacy behavior of CSM which used the enable password with blank username.

  • •1.       There is a file DCS.properties located under CSCOpx\MDC\athena\config folder.
  • •2.       Please edit it and locate the following variable in there: DCS.useEnablePasswordFirstForFw=true
  • •3.       Change it to DCS.useEnablePasswordFirstForFw=false
  • •4.       Restart the CSM using 
    • •a.       net stop crmdmgtd
    • •b.       net start crmdmgtd

After the change CSM will not be attempting to first access the device with enable password if it is configured.

Here are results of the tests in my lab:

  • •1.       Username/password and enable with setting = TRUE

HTTP: Authentication username = ''

  • •2.       Username/password with setting = TRUE

HTTP: Authentication username = 'cisco'

  • •3.       Username/password and enable with setting = FALSE

HTTP: Authentication username = 'cisco'

  • •4.       Username/password with setting = FALSE

HTTP: Authentication username = 'cisco'

0 Helpful

Ian Cowley
Level 1
Level 1
In response to Ian Cowley

‎02-19-2014 09:40 AM

And I can confirm it works too.

IanC

0 Helpful

Ian Cowley
Level 1
Level 1
In response to Ian Cowley

‎02-20-2014 03:40 AM

Further for existing devices and reports:-

From the last screenshot the issue is not with adding a device to the CSM database for the first time but with periodic polling the devices by the server for report manager or HPM components for example.

What we have changed in DCS.properties is for initial deployment of the devices only.

With that in mind could you please do the following:

  • •1.       In CSCOpx\MDC locate a respective folder (depending on the component it is hpm or reports folders);
  • •2.       Open \config folder and locate ‘communication.properties’ file;
  • •3.       Change USE_ENABLE_PASSWORD_FIRST=true to USE_ENABLE_PASSWORD_FIRST=false;
  • •4.       Restart the server.

Thank you.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card