Monitoring Cisco Secure ACS 5 for authentication failures

Monitoring and alerting on failed authentication attempts is a crucial part of a security strategy. Failed authentication events may be a result of someone trying to guess or brute force passwords.   ACS is used for controlling access to network devices such as switches, routers, firewalls as well as authenticating VPN connections and wireless access. Authentication failures from ACS could alert us of an attacker trying to establish remote connection over VPN or trying to penetrate our wireless.

We’ll need 3 separate alarms to notify us of:

Attempts to access network devices (TACACS+ authentication failures )
      Attempts to penetrate wireless or VPN (RADIUS authentication failures)
          Attempts to access ACS admin interface (ACS Instance authentication failures)

To configure alerting we need to go to:
“Monitoring and Reports” -> “Launch Monitoring & Report Viewer”
 “Alarms” -> “Thresholds”

1.       Configuring TACACS+ authentication failures alerts
a.       Click “Create”
b.      Specify alarm name
c.       Leave “Schedule” at default value of “nonstop”

d.      Go to “Criteria” page
e.      Under “Category” select “Failed Authentications”
f.        Under “Failed Authentications greater than” specify desired value of occurrences
g.       Under “In the past” specify desired time
h.      Select for an “Access Service”

i.         Set “Protocol” to “TACACS+”

j.        On “Notification” page
k.       Set desired “Severity”
l.         Configure either email notification or syslog message or both
m.    Click “Submit”

2.       Configuring RADIUS authentication failures alerts
Procedure is the same as for TACACS+ but protocol must be set to RADIUS.

3.       Configuring ACS Instance authentication failures alerts
Once again procedure is the same as above but we select “ACS Instance” instead of “Access Service”

Now it would be a good idea to test if alerting works by attempting to login with incorrect password.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.