Cisco IDS 4.1 - Problem with RDEP

a.arndt
Level 3

I've been having a problem with RDEP.

My IDS event collection clients collect alarms from the IDS sensors using RDEP. This is essentially, as I understand it anyway, an argument passed to the sensor via a cgi script to dump the info from the IdsEventStore via HTTPS.

HTTPS is also used to connect to the sensor in order to configure it via IDM. In both cases, the requesting client is authenticated via a username/password pair.

Experience has shown that only one user can be logged into the sensor via HTTPS (SSL/TLS) at any time. So here's the problem:

If my RDEP client is happily collecting data and I use a browser to connect to IDM on the sensor, I receive an error stating "User limit has been reached

The maximum number of allowed users are currently logged in to IDM. Please try again later, or click here to force login." If I force the login, it can be assumed that I'll cause the RDEP client's connection to be severed.

Conversely, if I'm logged into IDM via a browser, my RDEP client will receive the same message and, being automated, will lack the ability to gather IDS alarms until I properly logout of the IDM interface on the sensor.

This functionality is defined somewhere, but I'm not too sure where. Does anyone have any suggestions on how (and if, for that matter) this can be modified to allow a maximum of two logins instead of the default one?

3 Replies

rmulyadi
Level 1

It seems that you are using an administrator privilege user in your RDEP client. You can create a new viewer privilege user for your RDEP client and this will solve the problem, since the IDS only allows 1 administrator login at a time.

Thanks for the reply, however my testing indicates that using a "viewer" privileged user instead of an "administrator" user doesn't change a thing.

No matter what the privilege level of the user logging in, either as an RDEP client or an IDM interactive user, the sensor still only allows one login at a time and will not permit two or more simultaneous logins.

Again, is there any way to change the settings on the sensor to allow more than one authenticated login via SSL/TLS?

kleem
Cisco Employee

I suspect that your client does not support cookies as described in the RDEP specification (available on CCO). If you do not pass back the cookie that the Sensor provides when authentication initially takes place, every subsequent get will cause you to reauthenticate. The server supports a limited number (16) of sessions and so you will rapidly use up the available sessions if you are reauthenticating with every get. The Sensor will reuse the oldest, least used session if a new authentication request comes in.

IDM will use one of these sessions and is vulnerable to being bumped off if all the subscriptions are used. It will not be bumped off by a single RDEP connection. A separate threshold limits the number of users logged into IDM to 1.
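The session-exhaustion behaviour described in the reply above, as an added model that is not Cisco's code or the RDEP specification: a toy sensor front end holds at most 16 sessions and recycles the least recently used one whenever a new authentication arrives, and a poller either keeps the cookie it was issued or throws it away and reauthenticates on every get. The class and function names (SensorModel, RdepClient, simulate), the constructed credentials and the cookie format are assumptions; only the 16-session limit and the oldest-session reuse come from the thread.

```python
"""Constructed model of RDEP session handling (an added example, not Cisco's code)."""
import secrets
from collections import OrderedDict

MAX_SESSIONS = 16  # session limit stated in the reply above


class SensorModel:
    """Toy HTTPS front end: authenticates, hands out a session cookie and
    serves event gets only against a session that is still in the table."""

    def __init__(self, max_sessions=MAX_SESSIONS):
        self.max_sessions = max_sessions
        self._sessions = OrderedDict()  # cookie -> owner, least recently used first
        self.evicted = []               # owners bumped off when the table was full

    def authenticate(self, user, password):
        # Constructed credential check; a real sensor verifies the user database.
        if password != "correct":
            raise PermissionError("bad credentials")
        if len(self._sessions) >= self.max_sessions:
            # Table full: recycle the oldest, least used session as the reply describes.
            _old_cookie, old_owner = self._sessions.popitem(last=False)
            self.evicted.append(old_owner)
        cookie = secrets.token_hex(8)  # assumed cookie format
        self._sessions[cookie] = user
        return cookie

    def get_events(self, cookie):
        if cookie not in self._sessions:
            raise PermissionError("no valid session; reauthenticate")
        self._sessions.move_to_end(cookie)  # mark as most recently used
        return {"owner": self._sessions[cookie], "events": []}

    def active_sessions(self):
        return len(self._sessions)

    def is_logged_in(self, cookie):
        return cookie in self._sessions


class RdepClient:
    """Event poller. With keep_cookie=True it authenticates once and reuses the
    cookie; with keep_cookie=False it behaves like the cookie-less client the
    reply suspects, authenticating on every get."""

    def __init__(self, sensor, user, password, keep_cookie=True):
        self.sensor = sensor
        self.user = user
        self.password = password
        self.keep_cookie = keep_cookie
        self.cookie = None

    def poll(self):
        if self.cookie is None or not self.keep_cookie:
            self.cookie = self.sensor.authenticate(self.user, self.password)
        return self.sensor.get_events(self.cookie)


def simulate(keep_cookie, polls=20):
    """Log an interactive IDM user in, run the poller, and report what is left."""
    sensor = SensorModel()
    idm_cookie = sensor.authenticate("admin", "correct")  # constructed IDM login
    client = RdepClient(sensor, "collector", "correct", keep_cookie=keep_cookie)
    for _ in range(polls):
        client.poll()
    return {
        "sessions": sensor.active_sessions(),
        "idm_still_logged_in": sensor.is_logged_in(idm_cookie),
        "evictions": len(sensor.evicted),
    }


if __name__ == "__main__":
    print("cookie kept:     ", simulate(keep_cookie=True))
    print("cookie discarded:", simulate(keep_cookie=False))
```

With the cookie kept, the poller occupies a single session for the whole run and the IDM login survives. With the cookie discarded, twenty gets create twenty sessions: the table fills on the sixteenth, the IDM session is the oldest entry and is the first to be recycled, and every later get evicts another session. The defensive check is therefore simple: a correctly behaving collector should show one authentication per run in the sensor's logs, not one per get. In a real client built on Python's urllib, the equivalent of keep_cookie=True is installing an HTTPCookieProcessor with a CookieJar on the opener so the session cookie is sent back automatically.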
