Unable to Authenticate enable password in PIX from TACACS server

s.mazumdar
Level 1

Hi,

We have a PIX 535 running version 6.3(4). We have a TACACS server running on Linux.

The configuration that we have done for authenticating through PIX is as below:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 172.17.96.198 cisco timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+

When we telnet to the PIX, the username and password are first taken from the TACACS server, but the enable password is not accepted.

After removing aaa authentication enable console TACACS+, we can log in using the enable password configured locally on the PIX.

But we want total control through TACACS.

Is there any way around this?

Thanks in advance.

2 Replies

rochopra
Cisco Employee

Hi,

On the TACACS server, go to the user properties and configure the TACACS enable authentication options to pick the user's PAP password. This configuration is missing from the TACACS server.

~Rohit

Hi,

Thanks for your response.

As I said earlier, we have TACACS running on Linux. Also, we don't have any GUI running.

Let me know what can be done in this situation.
