
LMS and ACS integration

wharrison2000
Level 1

Currently we have an ACS 4.2 install in our infrastructure.  We are rolling out CiscoWorks 3.1 and are thinking of upgrading to 4.0.

Is there a set of recommendations for SNMPv3 and AAA?  More specifically, we are considering RBAC controls and are wondering which standards for AAA authorization should be used.  Also, what standards for the read/write views?  Finally, syslog commands: is logging informational too much, or is logging events better?

Thanks

wharrison2000


Joe Clarke
Cisco Employee

If you are considering upgrading to LMS 4.0, then ACS isn't really a consideration.  While LMS 4.0 can use any TACACS+ server for authentication (including ACS), the authorization will be handled internally to LMS.  That is, no ACS integration is required.

There really isn't any leading practice when it comes to SNMPv3.  It depends on what you want to protect.  If protecting the credentials is sufficient, then you can stick with authNoPriv.  In this case, the SHA-1 hash will offer a bit more security.  If you do want to encrypt the SNMP payload, consider using AES-128 as the privacy algorithm as it is more standard.

With syslog, it really depends on the messages you need to log as to what logging level you should use.  Are there any informational messages you need to log that are critical to your organization?  If so, then you definitely need to go with logging level 6.  If everything you need is sev 5 and higher, then stick with notifications.
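
As an added example (not part of the reply above and not taken from any Cisco document), here is an IOS configuration that puts the choices just discussed into practice: SNMPv3 groups that require authPriv with SHA and AES-128, a read view that hides the SNMP user and access-control tables from pollers, a narrow write view, an ACL that limits SNMP to the LMS server, and syslog at level 6 with level 5 noted as the alternative. The view, group and user names, ACL 10, the LMS address 10.0.0.5, the Loopback0 source interface and the placeholder passphrases are all assumptions; substitute your own.

```ios
! Added example: SNMPv3 hardening for an IOS device polled by LMS.
! Assumptions: LMS server is 10.0.0.5; names, ACL 10, Loopback0 and passphrases are placeholders.
!
! Only the LMS server may talk SNMP to this device at all.
access-list 10 permit host 10.0.0.5
access-list 10 deny any log
!
! Read view: everything under iso, minus the SNMP security tables, so a read-only
! poller cannot enumerate USM users (1.3.6.1.6.3.15), VACM groups and views
! (1.3.6.1.6.3.16) or the community table (1.3.6.1.6.3.18).
snmp-server view LMS-RO iso included
snmp-server view LMS-RO 1.3.6.1.6.3.15 excluded
snmp-server view LMS-RO 1.3.6.1.6.3.16 excluded
snmp-server view LMS-RO 1.3.6.1.6.3.18 excluded
!
! Write view: only CISCO-CONFIG-COPY-MIB (1.3.6.1.4.1.9.9.96), the subtree an
! SNMP-triggered config copy to TFTP/SCP needs. Nothing else is writable.
snmp-server view LMS-RW 1.3.6.1.4.1.9.9.96 included
!
! "priv" on the group means a request must be both authenticated and encrypted;
! authNoPriv or noAuthNoPriv requests to these groups are rejected.
snmp-server group LMS-RO-GRP v3 priv read LMS-RO access 10
snmp-server group LMS-RW-GRP v3 priv read LMS-RO write LMS-RW access 10
!
! SHA for authentication, AES-128 for privacy (AES needs a crypto/k9 image).
! Separate credentials for polling and for writes, each bound to the ACL.
snmp-server user lms-poll  LMS-RO-GRP v3 auth sha AuthPassphrase1 priv aes 128 PrivPassphrase1 access 10
snmp-server user lms-write LMS-RW-GRP v3 auth sha AuthPassphrase2 priv aes 128 PrivPassphrase2 access 10
!
! The weak forms this replaces (do not configure):
!   snmp-server community public RO
!   snmp-server group LEGACY v3 noauth
!   snmp-server user old LEGACY v3 auth md5 x priv des y
!
! Syslog: level 6 (informational) to the collector if you need those messages;
! change "informational" to "notifications" if severity 5 and above is enough.
! The local buffer is kept at level 6 as a fallback when the collector is down.
service timestamps log datetime msec localtime show-timezone
logging buffered 65536 informational
logging trap informational
logging source-interface Loopback0
logging host 10.0.0.5
```

Two checks after applying this: IOS does not display `snmp-server user` lines in the running configuration (the users live in the private config), so confirm them with `show snmp user` and `show snmp group`; and test from the LMS server with each credential at the wrong security level (for example an authNoPriv walk against lms-poll) to verify the group actually refuses it rather than silently downgrading.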

Joseph,

Thanks for your reply!  So let me restate a portion of my question.  Given ACS 4.2 and LMS 3.1, could you point me to a link with configuration examples or samples for the SNMPv3 and TACACS portions?  For example, I want to control what an "ACS USER" may be able to do with the NetConfig or Config Editor portion of LMS.  Given that, what variables would be a good standard for "aaa authorization exec"?

I know I'm being somewhat vague but I'm trying to avoid the trial and error method.

Again thanks for your time

wharrison2000

Here's a good article on securing SNMP (including SNMPv3):

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094489.shtml

As for assigning AAA permissions, all of this is done on ACS.  All you need to do is enable command authorization.  For example:

aaa authorization commands 15 default group tacacs+

You will need to make sure you allow the following commands, though:

terminal length 0
terminal width 0
show privilege
show running-config
show startup-config
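
To show the device side of that advice end to end, here is an added example (not from the reply above and not a Cisco document) of the IOS AAA configuration that sends login, exec authorization, per-command authorization and command accounting to ACS, including what happens when ACS is unreachable. The server group name ACS, the ACS address 10.0.0.20, the shared key, the local fallback account and the Loopback0 source interface are assumptions. The permit list for the LMS user (terminal length 0, terminal width 0, show privilege, show running-config, show startup-config, plus whatever NetConfig or Config Editor must push) is built on ACS 4.2 as a shell command authorization set and is not shown here.

```ios
! Added example: IOS AAA with TACACS+ command authorization against ACS 4.2.
! Assumptions: ACS at 10.0.0.20, server group "ACS", key "tacacskey", Loopback0 exists.
aaa new-model
!
tacacs-server host 10.0.0.20 key tacacskey
ip tacacs source-interface Loopback0
aaa group server tacacs+ ACS
 server 10.0.0.20
!
! Local account and enable secret, used only when no ACS server answers.
username admin privilege 15 secret ChangeMe-Local
enable secret ChangeMe-Enable
!
! Login and exec: ACS first, local database if every ACS server is unreachable.
! Exec authorization is what lets ACS return the priv-lvl (15 for the LMS user),
! so the session lands at the right level without typing "enable".
aaa authentication login default group ACS local
aaa authorization exec default group ACS local
!
! Command authorization: each level-1 and level-15 command is checked against the
! user's ACS command set. "if-authenticated" lets an already-authenticated user
! keep working if ACS stops responding; remove it for fail-closed behaviour.
aaa authorization commands 1 default group ACS if-authenticated
aaa authorization commands 15 default group ACS if-authenticated
! Also authorize commands typed inside configure mode (the default; shown explicitly).
aaa authorization config-commands
! The console is exempt from authorization unless you say otherwise.
aaa authorization console
!
! Accounting: one record per session and per level-15 command, for audit on ACS.
aaa accounting exec default start-stop group ACS
aaa accounting commands 15 default stop-only group ACS
!
line vty 0 4
 transport input ssh
 exec-timeout 10 0
```

Apply this from one session and verify from a second one before closing the first. While the LMS user runs a config fetch, `debug tacacs` and `debug aaa authorization` on the device show each command being sent to ACS, so a command missing from the ACS set appears as an explicit TACACS+ deny instead of an unexplained LMS job failure; remember that the five commands listed above are issued by LMS itself on every config fetch, so they belong in the set even for a user who is otherwise read-only.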