Cisco Networking Services Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)
Cisco Networking Services Security Enhancement
Downloads: This chapterpdf (PDF - 1.15MB) The complete bookPDF (PDF - 2.94MB) | The complete bookePub (ePub - 292.0KB) | Feedback

Cisco Networking Services Security Enhancement

Cisco Networking Services Security Enhancement

The Cisco Networking Services Security Enhancement feature improves the security of Cisco Networking Services messages by authenticating sender credentials through the use of the SOAP message format.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About Cisco Networking Services Security Enhancement

Cisco Networking Services Security Enhancement

Cisco Networking Services messages can be configured to use the Cisco Networking Services SOAP message structure, in which the username and password are authenticated.

If authentication, authorization, and accounting (AAA) is configured, then Cisco Networking Services SOAP messages will be authenticated with AAA. If AAA is not configured, there will be no authentication. For backward compatibility, Cisco Networking Services will support the existing non-SOAP message format and will respond accordingly without security.

The cns aaa authentication command is required to turn on Cisco Networking Services Security Enhancement. This command determines whether the Cisco Networking Services messages are using AAA security or not. If the cns aaa authentication command is configured, then all incoming SOAP messages into the device are authenticated by AAA.

Cisco Networking Services Trusted Servers

Use the cns trusted-server command to specify a trusted server for an individual Cisco Networking Services agent or for all the Cisco Networking Services agents. To avoid security violations, you can build a list of trusted servers from which Cisco Networking Services agents can receive messages. An attempt to connect to a server not on the list will result in an error message being displayed.

Configure a Cisco Networking Services trusted server when a Cisco Networking Services agent will redirect its response to a server address that is not explicitly configured on the command line for the specific Cisco Networking Services agent. For example, the Cisco Networking Services EXEC agent may have one server configured but receive a message from the Cisco Networking Services event bus that overrides the configured server. The new server address has not been explicitly configured, so the new server address is not a trusted server. An error will be generated when the Cisco Networking Services exec agent tries to respond to this new server address unless the cns trusted-server command has been configured for the new server address.

How to Configure Cisco Networking Services Security Enhancement

Configuring Cisco Networking Services Trusted Servers

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    cns trusted-server {all-agents | config | event | exec | image} name

    4.    cns message format notification {version 1 | version 2}

    5.    cns aaa authentication authentication-method


DETAILED STEPS
      Command or Action Purpose
    Step 1 enable


    Example:
    Device> enable
    
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
    
     

    Enters global configuration mode.

     
    Step 3 cns trusted-server {all-agents | config | event | exec | image} name


    Example:
    Device(config)# cns trusted-server event 10.19.2.5
    
     

    Configures a Cisco Networking Services trusted server for the specified hostname or IP address.

     
    Step 4 cns message format notification {version 1 | version 2}


    Example:
    Device(config)# cns message format notification version 1
    
     

    Configures the message format for notification messages from a Cisco Networking Services device.

    Received messages which do not conform to the configured message format are rejected.

    Use version 1 to configure the non-SOAP message format. Use version 2 for SOAP message format.

     
    Step 5 cns aaa authentication authentication-method


    Example:
    Device(config)# cns aaa authentication method1
    
     

    Enables Cisco Networking Services AAA options.

    Note   

    The authentication methods must be configured within AAA.

     

    Configuration Examples for Cisco Networking Services Security Enhancement

    Example: Configuring Cisco Networking Services Trusted Servers

    enable configure terminal cns trusted-server event 10.19.2.5 cns message format notification version 2 cns aaa authentication method1
          

    Additional References

    Related Documents

    Related Topic

    Document Title

    Cisco IOS commands

    Cisco IOS Master Commands List, All Releases

    Cisco Networking Services commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

    Cisco IOS Cisco Networking Services Command Reference

    Cisco Networking Services Configuration Engine

    Cisco CNS Configuration Engine Administrator Guide, 1.3

    Technical Assistance

    Description

    Link

    The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

    http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

    Feature Information for Cisco Networking Services Security Enhancement

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

    Table 1 Feature Information for Cisco Networking Services Security Enhancement

    Feature Name

    Releases

    Feature Information

    Cisco Networking Services Security Enhancement

    Cisco IOS XE Release 3.8S

    12.4(9)T

    12.2(33)SRA

    The Cisco Networking Services Security Enhancement feature improves the security of Cisco Networking Services messages by authenticating sender credentials through the use of the SOAP message format.

    The following commands were introduced or modified: cns aaa authentication, cns message format notification.