Monitoring and alerting on failed authentication attempts is
a crucial part of a security strategy. Failed authentication events may be a
result of someone trying to guess or brute force passwords. ACS is
used for controlling access to network devices such as switches, routers,
firewalls as well as authenticating VPN connections and wireless access. Authentication
failures from ACS could alert us of an attacker trying to establish remote connection
over VPN or trying to penetrate our wireless.
We’ll need 3 separate alarms to notify us of:
Attempts to access network devices (TACACS+ authentication failures )
Attempts to penetrate wireless or VPN (RADIUS
authentication failures)
Attempts to access ACS admin interface (ACS
Instance authentication failures)
To configure alerting we need to go to:
“Monitoring and Reports” -> “Launch Monitoring &
Report Viewer”
“Alarms” -> “Thresholds”
1.
Configuring TACACS+ authentication failures alerts
a.
Click “Create”
b.
Specify alarm name
c.
Leave “Schedule” at default value of “nonstop”
d.
Go to “Criteria” page
e.
Under “Category” select “Failed Authentications”
f.
Under “Failed Authentications greater than”
specify desired value of occurrences
g.
Under “In the past” specify desired time
h.
Select for an “Access Service”
i.
Set “Protocol” to “TACACS+”
j.
On “Notification” page
k.
Set desired “Severity”
l.
Configure either email notification or syslog
message or both
m.
Click “Submit”
2.
Configuring RADIUS authentication failures alerts
Procedure is the same as for TACACS+ but protocol must be set to RADIUS.
3.
Configuring ACS Instance authentication failures
alerts
Once again procedure is the same as above but we select “ACS Instance”
instead of “Access Service”
Now it would be a good idea to test if alerting works by attempting to login with incorrect password.
Comments
Post a Comment