Cisco Prime Infrastructure 2.2 Administrator Guide

Disabling Insecure Services

You should disable non-secure services if you are not using them. For example: TFTP and FTP are not secure protocols. These services are typically used to transfer firmware or software images to and from network devices and Prime Infrastructure. They are also used for transferring system backups to external storage. We recommend that you use secure protocols (such as SFTP or SCP) for such services.

To disable FTP and TFTP services:

Step 1 Log in to Prime Infrastructure with a user ID with administrator privileges.

Step 2 Select Administration > System Settings > Server Settings.

Step 3 Select the Disable buttons for FTP and TFTP.

Disabling Root Access

Administrative users can enable root shell access to the underlying operating system for trouble shooting purposes. This access is intended for Cisco Support teams to debug product-related operational issues. We recommend that you keep this access disabled, and enable it only when required. To disable root access, run the command root_disable from the command line (see Connecting Via CLI).

During installation, Prime Infrastructurealso creates a web root user account, prompting the installer for the password to be used for this account. The web root account is needed to enable first-time login to the Prime Infrastructure server and its web user interface. We recommend that you never use this account for normal operations. Instead, use it to create user IDs with appropriate privileges for day-to-day operations and network management, and administrative user IDs for managing Prime Infrastructure itself. Once these user accounts are created, disable the default “web root” account created at install time, and create user accounts using your administrative user IDs thereafter.

To disable the root accounts:

Step 1 Open a CLI session with the Prime Infrastructure server (see Connecting Via CLI). Do not enter “configure terminal” mode.

Step 2 Disable the web root account by entering the following command:

PIServer/admin# ncs webroot disable

Prime Infrastructure disables the web root account.

Step 3 Disable the root shell account by entering the following command at the prompt:

PIServer/admin# root_disable

Prime Infrastructure will prompt you for the root shell account password. Enter it to complete disabling of the root shell account.

Using SNMPv3 Instead of SNMPv2

SNMPv3 is a higher-security protocol than SNMPv2. You can enhance the security of communications between your network devices and the Prime Infrastructure server by configuring the managed devices so that management takes place using SNMPv3 instead of SNMPv2.

To specify SNMPv3 when adding a new device:

Step 1 Select Inventory > Device Management > Network Devices, then click Add Device.

Step 2 In the SNMP Parameters area, in Version, select v3.

Step 3 Complete the other fields as appropriate, then click Add.

To specify use of SNMPv3 when importing devices in bulk:

Step 1 Select Inventory > Device Management > Network Devices.

Step 2 Choose Bulk Import and download the sample CSV file from the page displayed.

Step 3 Edit the sample file using any CSV-compatible application. For each row representing a device in the CSV import file:

a. In the snmp version column, enter 3.

b. Enter appropriate values in the snmpv3_user_name, snmpv3_auth_type, snmpv3_auth_password, snmpv3_privacy_type, and snmpv3_privacy_password columns.

c. Complete other columns as appropriate for your devices.

Step 4 Select Inventory > Device Management > Network Devices, then click Bulk Import and import your modified CSV file.

To specify SNMPv3 as part of device discovery:

Step 1 Select Inventory > Device Management > Discovery, then click Discovery Settings.

Step 2 In the SNMP Credentials area, click the + sign and add SNMP v3 credentials.

Step 3 Save the modified discovery settings and use them thereafter.

Authenticating With External AAA

User accounts and password are managed more securely when they are managed centrally, by a dedicated, remote authentication server running a secure authentication protocol such as RADIUS or TACACS+.

You can configure Prime Infrastructure to authenticate users using external AAA servers. You will need to access the Administration > Users, Roles & AAA page to set up external authentication via the Prime Infrastructure graphic user interface (GUI). You can also set up external authentication via the command line interface (CLI).

To set up remote user authentication via the GUI:

Step 1 Log in to Prime Infrastructure with a user ID that has administrator privileges.

Step 2 Select Administration > Users, Roles & AAA > TACACS+ or Administration > Users, Roles & AAA > RADIUS.

Step 3 Enter the TACACS+ or RADIUS server IP address and shared secret in the appropriate fields.

Step 4 Select Administration > Users, Roles & AAA > AAA Mode Settings.

Step 5 Set the AAA mode as appropriate.

To set up remote user authentication via the CLI:

Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Be sure to enter “configure terminal” mode.

Step 2 At the prompt, enter the following command to setup an external TACACS+ server:

PIServer/admin/terminal# aaa authentication tacacs+ server tacacs -ip key plain shared-secret

Where:

• tacacs -ip is the IP address of an active TACACS+ server.
• shared-secret is the plain-text shared secret for the active TACACS+ server.

Step 3 At the prompt, enter the following command to create a user with administrative authority, who will be authenticated by the above AAA server:

PIServer/admin/terminal# username username password remote role admin email emailID

Where:

• username is the name of the user ID.
• password is the plain-text password for the user.
• emailID is the email address of the user (optional).

Enabling NTP Update Authentication

Network Time Protocol (NTP) version 4, which authenticates server date and time updates, is an important way to harden server security. Note that you can configure a maximum of three NTP servers with Prime Infrastructure.

To set up authenticated NTP updates:

Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI.Be sure to enter “configure terminal” mode.

Step 2 At the prompt, enter the following command to setup an external NTPv4 server:

PIServer/admin/terminal# ntp server serverIP userID plain password

Where:

• serverIP is the IP address of the authenticating NTPv4 server you want to use.
• userID is the md5 key id of the NTPv4 server.
• password is the corresponding plain-text md5 password for the NTPv4 server.

For example: ntp server 10.81.254.131 20 plain MyPassword

Step 3 To ensure that NTP authentication is working correctly, test it by executing the following commands:

• To check the NTP update details: sh run
• To check NTP sync details: sh ntp

Enabling Certificate-Based Authentication for Web Clients

You can further enhance the security of Prime Infrastructure’s interaction with its web clients by setting up certificate-based client authentication.

With this form of authentication, Prime Infrastructure validates the client’s associated certificate (to ensure that the issuing authority has not revoked it) before permitting the user to access the login page. Prime Infrastructure implements this feature using the Online Certificate Status Protocol (OCSP). OCSP performs a real time certificate status check making it more reliable and faster.

Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.

Step 2 At the prompt, enter the following command to enable client certificate authentication:

PIServer/admin# ncs run client-auth enable

Step 3 At the command line, enter the following command:

PIServer/admin# ncs key importcacert aliasname CACertFile repository reponame

Where:

• aliasname is the short name supplied for this CA certificate (for example, aolrootca1).
• CACertFile is the name of the CA certificate file.
• reponame is the location of the Prime Infrastructure repository where the certificate file is hosted.

Step 4 After entering this command, enter the ncs stop and ncs start commands to restart the Prime Infrastructure server and apply the changes, as follows:

ncs stop

ncs start

Enabling OCSP Settings on the Prime Infrastructure Server

Online Certificate Status Protocol (OCSP) enables certificate-based authentication for web clients using OCSP responders. Typically, the OCSP responder’s URL is read from the certificate’s Authority Information Access (AIA). As a failover mechanism, you can configure the same URL on the Prime Infrastructure server as well.

To set up a custom URL of an OCSP responder, follow the steps below.

Step 1 Log in to the Prime Infrastructure server using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.

Step 2 At the prompt, enter the following command to enable client certificate authentication:

PIServer/admin# ocsp responder custom enable

Step 3 At the prompt, enter the following command to set the custom OCSP responder URL:

PIServer/admin# ocsp responder set url Responder#URL

Where:

• Responder# is the number of the OCSP responder you want to define (e.g., 1 or 2).
• URL is the URL of the OCSP responder, as taken from the client CA certificate.

Note that there should be no space between the Responder# and URL values .

Step 4 To delete an existing custom OCSP responder defined on the Prime Infrastructure server, use the following command:

PIServer/admin# ocsp responder clear url Responder#

If you do not already know the number of the OCSP responder you want to delete, use the show security-status command to view the OCSP responders currently configured on the server. For details, see Checking On Server Security Status .

Setting Up Local Password Policies

If you are authenticating users locally, using Prime Infrastructure’s own internal authentication, you can enhance your system’s security by enforcing rules for strong password selection.

Note that these policies affect only the passwords for local Prime Infrastructure user IDs. If you are authenticating Prime Infrastructure users via a centralized or remote AAA server, you can enforce similar protections using the functions of the AAA server.

To enforce local password policies:

Step 1 Log in to Prime Infrastructure with a user ID that has administrator privileges.

Step 2 Select Administration > Users, Roles & AAA > Local Password Policy.

Step 3 Select the check boxes next to the password policies you want to enforce, including:

• The minimum number of characters passwords must contain.
• No use of the username or “cisco” as a password (or common permutations of these).
• No use of “public” in root passwords.
• No more than three consecutive repetitions of any password character.
• Passwords must contain at least one character from three of the following character classes: upper case, lower case, digit, and special character.
• Whether the password must contain only ASCII characters.
• Minimum elapsed number of days before a password can be reused.
• Password expiration period.
• Advance warnings for password expirations.

If you enable any of the following password policies, you can also specify:

• The minimum password length, in number of characters.
• The minimum elapsed time between password re-uses.
• The password expiry period.
• The number of days in advance to start warning users about future password expiration.

Step 4 Click Save.

Disabling Individual TCP/UDP Ports

The following table lists the TCP and UDP ports Prime Infrastructure uses, the names of the services communicating over these ports, and the product’s purpose in using them. The “Safe” column indicates whether you can disable a port and service without affecting Prime Infrastructure functionality.

Checking On Server Security Status

Prime Infrastructure administrators can connect to the server via CLI and use the show security-status command to display the server’s currently open TCP/UDP ports, the status of other services the system is using, and other security-related configuration information. For example:

Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.

Step 2 Enter the following command at the prompt:

PIServer/admin# show security-status

Depending on your settings, you will see output like the following:

Open TCP Ports : 22 443 1522 8082

Open UDP Ports : 162 514 9991

FIPS Mode : enabled

TFTP Service : disabled

FTP Service : disabled

JMS port (61617) : disabled

Root Access : disabled

Client Auth : enabled

OCSP Responder1 : http://10.77.167.65/ocsp

OCSP Responder2 : http://10.104.178.99/ocsp

FIPS 140-2 Cryptographic Security Details

Starting with release 2.2, Prime Infrastructure integrates the following FIPS 140-2 approved cryptographic modules:

1. CiscoSSL FIPS Object Module (FOM) – Cert. #2100

2. Cisco Common Cryptographic Module (C3M) – Cert. #1643

In the Prime Infrastructure implementation:

1. Each of the integrated cryptographic modules mentioned above are initialized in a manner that is compliant with their individual security policies.

2. All cryptographic algorithms used for SSL 3.1, TLS 1.0, and IPSEC used for session establishment, are offloaded to CiscoSSL FIPS Object Module (FOM) – Cert. #2100.

3. All cryptographic algorithms used for SSHv2 secure connection uses the Cisco Common Cryptographic Module (C3M) – Cert. #1643.

Prime Infrastructure FIPS Mode Details

When you install Prime Infrastructure 2.2 or later, the installation script will prompt you to decide if you want to install the product in FIPS mode. When in FIPS mode, the following Prime Infrastructure server configuration changes are in effect:

• Access to the “root” shell account is disabled. The commands root , root_enable , and root_disable are not available when you connect to the server using CLI. If you need to regain access to this account, contact Cisco TAC.
• Insecure protocols —such as FTP, JMS and TFTP — are disabled by default. If necessary, users with administrative privileges can re-enable these protocols using the Prime Infrastructure Administration > System Settings > Server Settings page.
• Plug and Play (PnP) services (including the PnP Gateway Server) that make use of insecure protocols are disabled. To restore access to PnP services, you must re-install the product.
• Only FIPS-compliant cipher suites are enabled for all incoming or outgoing SSH and SSL connections with Prime Infrastructure servers. The product uses the strongSwan IPSec implementation, and supports the IKEv1 cipher suites listed on the strongSwan web site (with the exception of SHA256, which is not supported due to the fact that the Prime Infrastructure Linux kernel is earlier than version 2.6.33).
• In High Availability configurations, the primary and secondary servers will be configured to communicate over an IPSec tunnel.

Using IPSec Tunneling to Wireless Devices With FIPS Mode

If you have installed the product in FIPS mode, we recommend that you use IPSec tunneling to secure wireless management traffic between your network devices and Prime Infrastructure servers. Using IPSec between the management system and the managed devices provides an additional layer of security.

Prime Infrastructure can communicate with any type of device via IPSec, when properly configured. Prime Infrastructure IPSec communications have been tested with Cisco Wireless LAN Controllers and Cisco Next Generation Wiring Closet (NGWC) devices. The Cisco TAC support note, IKEv1/IKEv2 Between Cisco IOS and strongSwan Configuration Example, provides examples on how to configure devices properly for IPSec communication.

Please note that only certificate-based authentication is supported for IPSec in Prime Infrastructure. To set this up properly, see the topic .

Prime Infrastructure supports SNMP traps via IPSec. IPSec is supported only with device having amur image(03.06.00).

Using IPSec Certificate-Based Authentication With FIPS Mode

For enhanced security, Prime Infrastructure supports IPSec certificate-based authentication only. This authentication takes place during the IKE/ISAKMP tunnel-establishment negotiation between Prime Infrastructure and the devices it manages. The certificates installed on each device and on Prime Infrastructure should be signed by a common Certificate Authority (CA).

To set up certificate-based authentication between Prime Infrastructure and the devices it manages, you must perform the following tasks:

1. Generate a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA) for verification.

2. Import the returned CA certificate to the Prime Infrastructure server (both primary and secondary, if using High Availability features).

3. Import the same CA certificate to the devices Prime Infrastructure will manage.

Instructions on how to perform each of these actions are given in the Related Topics.

Related Topics

• Generating the Certificate
• Importing the Certificate to Prime Infrastructure
• Importing the Certificate to Managed Devices

Generating the Certificate

To generate a CSR, get it signed by a Certificate Authority (CA), and ready it for import:

Step 1 Log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.

Step 2 At the prompt, enter the following command to generate the CSR:

ncs key genkey -newdn -csr test.csr repository defaultRepo

This will generate the CSR file “test.csr” in the Prime Infrastructure server’s default repository.

Step 3 Copy test.csr to a file storage resource to which you have all access rights. For example:

copy disk:/defaultRepo/test.csr ftp\://your.ftp.server.

Step 4 Submit the test.csr file to the third-party Certificate Authority for verification and signing. Depending on the CA, you may need to email the file, or paste its contents into a web form.

Step 5 You will receive the server and CA certificates from the CA. For example:

• CN .cer - The server certificate. CN is replaced with the common name of the CA (e.g., “MyCompany CA”).
• CA .cer - The CA certificate from the signing authority. You may receive more than one of these files, with various names.

Step 6 Copy all the certificate files from your file resource back to the default repository. For example:

copy ftp\://your.ftp.server/CN.cer disk:defaultRepo

copy ftp\://your.ftp.server/CA.cer disk:defaultRepo

You are now ready to import the certificates into the Prime Infrastructure server, as explained in Importing the Certificate to Prime Infrastructure

Importing the Certificate to Prime Infrastructure

Once you have received and prepared the signed CA certificate (as explained in Generating the Certificate ), you must import it to the Prime Infrastructure server. If you are using Prime Infrastructure’s High Availability (HA) features, you will need to import it into both the primary and secondary servers.

Step 1 If you have not already done so, log in to Prime Infrastructure using the command line, as explained in Connecting Via CLI. Do not enter “configure terminal” mode.

Step 2 At the prompt, enter the following command to import the CA certificate file:

ncs key importcacert CA-Alias CA.cer repository defaultRepo

If you have more than one CA certificate file: Repeat this step for each CA cert file.

Step 3 Finally, import the CN .cer file into the server:

ncs key importsignedcert CN.cer repository defaultRepo

Step 4 Restart the Prime Infrastructure server to apply the changes:

ncs stop

ncs start

Importing the Certificate to Managed Devices

Installing certificates on managed devices varies with the type of device.

The following document provides instructions and examples on how to import certificates to Cisco Wireless LAN Controllers (WLCs) and Next Generation Wiring Closet (NGWC) devices: Cisco Wireless LAN Controllers and Converged Access Wireless LAN Controllers Third-Party Certificate Installation .

Remember that the certificates installed on each device and on Prime Infrastructure should be signed by a common Certificate Authority (CA).

Using High Availability With FIPS Mode

For details on running Prime Infrastructure in FIPS mode with high availability functionality, see Setting Up HA in FIPS Mode.

Using Operations Center With FIPS Mode

Use of Operations Center is not supported with any Prime Infrastructure server installed in FIPS mode.

Using Backup and Restore With FIPS Mode

Backup and restore of a Prime Infrastructure server installed in FIPS mode works the same way as with servers not installed in FIPS mode. Note, however, that you cannot restore data backed up from a server not installed in FIPS mode to a server installed in FIPS mode. Similarly, data backed up from a server installed in FIPS mode cannot be restored to a server not installed in FIPS mode.