PIX - AAA authorization with TACACS+ Server

Unanswered Question
Mar 11th, 2008
I configured AAA authorization in my firewall but it works only for the local username/password. PIX version 7.2(2) and ACS-SE 4.1.


Following are the steps I did.


1. Configure AAA on PIX (attached)

2. Add PIX as AAA Client in ACS and selected as TACACS

3. Other settings in ACS as attached


Note: I also use the same ACS as a RADIUS server for my VPN access and added it as a RADIUS client with a different key. Moreover, I could not see any failed logs on ACS.


Can anyone tell me why I can't authenticate and authorize with the TACACS+ server? Please advise.


Thanks






artegall1 Tue, 03/11/2008 - 07:58
Have you tried including commands to identify the type of traffic to be authenticated? Something along the lines of:

aaa authentication include telnet my-group

aaa authorization include telnet my-group


pemasirid Tue, 03/11/2008 - 11:15
Hi,


Thanks for the reply. I only tried with general AAA commands, not with source/destination address.


I just need to know what could be the mistake in my configurations and why it did not authenticate/authorize with my tacacs server.


Please advise

thanks


uaravind7 Tue, 03/11/2008 - 19:07
Hi,



1. aaa authentication telnet console my-group LOCAL

aaa authentication enable console my-group LOCAL


These commands on the PIX are for telnet and enable only; if you are accessing the device through SSH or the console, this wouldn't work.


2. Also confirm that both the AAA servers have the keys specified in the PIX config.


aaa-server my-group host 172.20.20.11

key XXXXXXXX <------------------------------ key

aaa-server my-group host 172.20.20.12

key cisco123


3. Also there are lots of timeouts; maybe the PIX can't reach the server.


"Number of timeouts 153"


4. Do a "debug aaa [accounting | authentication | authorization]" and check the logs.



Reg,

U
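Pulling the checks in this reply together into one PIX 7.2 configuration, as an added example that is not from the thread or from Cisco. The group name my-group, the server addresses 172.20.20.11/.12, the key cisco123 and the "Number of timeouts" counter come from the thread; the interface name inside, the timeout value, and the test username/password are assumptions.

```cisco
! Added example, not from the thread. Assumes the TACACS+ servers sit
! behind the "inside" interface; my-group, 172.20.20.11/.12 and cisco123
! are the values discussed above (cisco123 stands in for the real key).
aaa-server my-group protocol tacacs+
aaa-server my-group (inside) host 172.20.20.11
 key cisco123
 timeout 5
aaa-server my-group (inside) host 172.20.20.12
 key cisco123
 timeout 5
! Telnet logins and the enable prompt ask TACACS+ first. LOCAL is only the
! fallback used when every server in the group is unreachable, which is
! exactly why "only the local username works" looks like a success.
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
! Authorization needs its own statement; authentication alone authorizes nothing.
aaa authorization command my-group LOCAL
! Verification from the PIX itself: send one test request to the server,
! then read the counters. A climbing "Number of timeouts" with no accepts
! or rejects means no TACACS+ reply is coming back at all.
test aaa-server authentication my-group host 172.20.20.11 username testuser password testpass
show aaa-server my-group
```

If the ACS Failed Attempts log stays empty while the timeout counter keeps climbing, the requests are not reaching the ACS TACACS+ listener (TCP/49) at all, so check the path from the PIX source interface to the server before touching the keys.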

pemasirid Tue, 03/11/2008 - 22:07
Hi U,


I configured telnet and enable only. I'm trying to access through telnet only. Server keys are OK. The only problem is that it seems the server is not responding and it only authenticates with the local username/password.


Any clue?


thanks
