Thursday, October 25, 2007

Unlocking User Accounts via the CLI

As promised, a short article on unlocking user accounts via the CLI.

MARS 4.3.1 introduced the new AAA features.

For both Local or AAA authentication methods, if enabled, GUI access is locked for an account upon login failure, which occurs when a specified number of incorrect password entries are made for a single login name.

Now an important thing to note. The administrator GUI access can be locked like any other account. BUT, the CLI access through the console or through SSH is never locked. (Good job or you could be completely locked out your MARS box!)

Now from the CLI we can unlock single accounts or all accounts at the same time, the switches on the unlock command are shown below...


And an example of unlocking all accounts is shown at the top of the page, and an example of an individual account is shown below..

Now remember we can unlock individual user accounts in the CLI also, as long as the admin GUI account isn't locked.

Some other important notes regarding global controllers....

Unlocking is not replicated through Global Controller–Local Controller communications, it applies only to the local appliance. An account locked on a Global Controller does not replicate the locked status to global accounts on Local Controllers. A global account locked on two different appliances must be unlocked manually on each appliance.

Tuesday, October 09, 2007

MARS AAA with Microsoft IAS

I was going to do a write up on configuring the new MARS 4.3.1 AAA authentication feature with Cisco ACS.

But to be honest, there is a great write up in the official MARS documentation on doing just that, so in this article i`ll show you how to configure AAA with Microsoft IAS Server, for those of you who dont own an ACS Box.

We'll use Microsoft IAS, and if you dont know, this is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server, which comes built into Windows 2000 Server and Windows Server 2003.

I`m not going to go through installing IAS, but theres plenty of guides to doing this on the web.

Lets start by adding a new RADIUS Client...


Now Click Next, and select Cisco for the Client-Vendor, and enter a shared key that the two devices will share for the authentication process.

Next, we need to create a remote access policy. For ease, we will create a new one, and delete any existing predefined entries.

1. In the Internet Authentication Service window, click Remote Access Policies in the left pane.
2. In the right pane, right-click the default policy, and select Delete.
3. Right-click, and select New Remote Access Policy.
4. In the Remote Access Policy Wizard, click Next.
5. Click Set Up A Custom Policy, name it Cisco MARS, and click Next.
6. Click Add, select Windows-Groups, and click Add


Specifiy a Windows group, and click OK. This takes you to the Policy Conditions screen of the New Remote Access Policy Wizard



1. Click Next, select Grant Remote Access Permission, and click Next.
2. Click Edit Profile, and select the Authentication tab.
3. Only select the Unencrypted Authentication (PAP/SPAP) check box



  1. Next, select the Advanced tab.
  2. Select Service-Type, and click Edit.
  3. In the Enumerable Attribute Information dialog box, select Login from the Attribute Value drop-down list.

Back on the Advanced tab, select Framed-Protocol, and click Remove.


Click OK, and its done!
Oh, and one point, make sure you have allowed Dial-In rights, on the User, under AD Users and Computers.

Now the MARS Bit....

Now the first thing i would do is create user accounts in MARS, for the users you want AAA access. I know this seems weird, but you will see why later! Also make sure you create these case perfect to your windows accounts.

Once done, you can configure the MS IAS Server in MARS...

This is quite simple, go to Admin/Authentication Configuration...


Now under AAA Server Configuration select ADD...


And, Add AAA Server on a new host..


Fill in the IP`s etc, then click Next. Now click, ADD again for a Generic AAA Server..


Now specify the name, and Shared Key we specified earlier in the IAS Config, along with the Radius Server ports. I used, 1812 and 1813.

Now Click Test Connectivity, which will result, in either a Failure, if any of the parameters are wrong (especially the shared key), or success...


If Success, enter a windows user name and password to test the authentication process.

Once done, we can then set MARS to use AAA for logins...

Under Admin/Authentication Configuration, specify the IAS Server as the authentication method, and optionally set a lock out.

Once you click Submit, MARS will delete all the local User passwords you created earlier (except Admins).....


This will create an incident...


And thats it, all the MARS configuration done.

Now there are a couple of bits of note, to tell you about. To remove the IAS Server, you cannot do this via the normal Security and Monitor devices. If you try you will get this error...


Instead, delete the IAS Server, via the Authentication Configuration screen.

Logging on the Microsoft IAS is pretty poor...

And these will be obviously stored on the Windows Box, and not MARS! Obviously with ACS and the agent, you can get the logs back into MARS, but Windows does not have a native Syslog engine.

So you could run a query with the PNMARS device, for account logins...

Also a bug you should be aware about in the GUI when using AAA services, is that your user accounts may appear "locked", even if you do not use a Lock Out policy...


And err....


This does not effect the AAA function in anyway, and should be fixed in the next release.

Now this method worked fine in the lab, if you make a complete hash of the above dont blame me! :-)

In the next article i show you some CLI commands, to unlock user accounts.

Tuesday, October 02, 2007

642-544 cisco MARS Exam

I get a lot of visitors to the Blog via the keyword 642-544, so I thought i`d give the new MARS exam another mention.

The MARS exam is part of the Cisco CCSP Certification Track, and there are a couple of training courses available in the official Instructor Led Course or 3rd Party Hands On Real World Training Course by Priveon.

There are also two books available, Security Threat Mitigation and Response: Understanding Cisco Security MARS and Security Monitoring with Cisco Security MARS.

The Cisco Press website, only recommends the first book though.

Another useful resource is the Cisco MARS User Group, where there are now over 430 members.

Exam Topics

The following topics are general guidelines for the content likely to be included on the Remote Access exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.

Install and configure the Cisco Security MARS product

  • Identify the components, features and functions of the Cisco Security MARS product
  • Describe the process of installing the Cisco Security MARS appliance
  • Add Cisco reporting devices into the Cisco Security MARS appliance
  • Add non-Cisco reporting devices into the Cisco Security MARS appliance
  • Investigate events that the Cisco Security MARS appliance collects from configured security devices
  • Configure the Cisco Security MARS appliance to send alerts
  • Create and view a long-duration query on the Cisco Security MARS appliance
  • Configure rules to detect interesting patterns of network activity and other anomalous network behavior
  • Use the management features in the Cisco Security MARS appliance to assign event, addressing, service, and user information
  • Configure the Cisco Security MARS appliance hardware maintenance activities
  • Utilize the Global Controller to manage multiple Cisco Security MARS appliances
Good luck with the Exam!

Monday, October 01, 2007

UK Email and Web Security Seminars

For readers in the UK, there are still some limited spaces available, this week and next, at a Cisco/Ironport Email and Web Security event.

"Satisnet in conjunction with Cisco invite you to a seminar aimed at educating you on the Ironport solutions and how they can save you time and money in terms of managing your messaging and web environment and enabling sophisticated secure business messaging and document delivery."

Flyers, and registration details are available below....

London, Cisco, Bedfont Lakes, Wednesday 3rd October 2007

Manchester, Cisco, Didsbury Offices, Tuedday 9th October 2007

There will also be a chance to see Cisco MARS in action on both days at these events.