819 Views, 0 Helpful, 4 Replies

PIX - AAA authorization with TACACS+ Server

pemasirid (Level 1)

I configured AAA authorization in my firewall but it works only for the local username/password. PIX version 7.2(2) and ACS-SE 4.1.

Following are the steps I did.

1. Configure AAA on PIX (attached)

2. Add PIX as AAA Client in ACS and selected as TACACS

3. Other setting in ACS as attached

Note: I also have RADIUS on the same ACS for my VPN access, and I added it as a RADIUS client with a different key. Moreover, I could not see any failed logs on ACS.

Can anyone tell me why I can't authenticate and authorize with the TACACS+ server? Please advise.

Thanks

4 Replies

artegall1 (Level 1)

Have you tried including commands to identify the type of traffic to be authenticated? Something along the lines of:

aaa authentication include telnet my-group

aaa authorization include telnet my-group

Hi,

Thanks for the reply. I only tried with general AAA commands, not with source/destination address.

I just need to know what could be the mistake in my configuration and why it did not authenticate/authorize with my TACACS server.

Please advise

thanks

Hi,

1.aaa authentication telnet console my-group LOCAL

aaa authentication enable console my-group LOCAL

These commands on the PIX are for telnet and enable only; if you are accessing the device through SSH or the console, this wouldn't work.

2. Also confirm that both AAA servers have the keys specified in the PIX config.

aaa-server my-group host 172.20.20.11

key XXXXXXXX <------------------------------ key

aaa-server my-group host 172.20.20.12

key cisco123

3. Also, there are lots of timeouts; maybe the PIX can't reach the server.

"Number of timeouts 153"

4. Do a "debug aaa [ accounting | authentication | authorization ]" and check the logs.

Reg,

U

Hi U,

I configured telnet and enable only. I'm trying to access through telnet only. The server keys are OK. The only problem is that it seems the server is not responding, and it only authenticates with the local username/password.

Any clue?

thanks
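As an added example, not taken from this thread or from Cisco documentation for this exact case: a complete PIX 7.2-style TACACS+ server group and console AAA configuration, with a separate RADIUS group for the VPN use mentioned by the original poster and the exec-mode commands that distinguish a non-responding server from a rejected login. The interface name, addresses, test credentials and keys are placeholders; the ACS side is assumed to hold a TACACS+ client entry for this PIX with the same key.

```cisco
! --- TACACS+ group: the "protocol tacacs+" line is what makes my-group TACACS+ ---
! (placeholder interface/addresses/key; adapt to the real ACS and interface)
aaa-server my-group protocol tacacs+
aaa-server my-group (inside) host 172.20.20.11
 key <TACACS-key-as-entered-in-ACS>
 timeout 5
aaa-server my-group (inside) host 172.20.20.12
 key <TACACS-key-as-entered-in-ACS>
 timeout 5
!
! --- RADIUS for VPN stays in its own group: one group, one protocol, one key ---
aaa-server vpn-radius protocol radius
aaa-server vpn-radius (inside) host 172.20.20.11
 key <RADIUS-key-as-entered-in-ACS>
!
! --- console AAA; the LOCAL fallback keeps admin access when ACS is unreachable ---
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
!
! --- verification (exec mode) ---
! 1. A climbing "Number of timeouts" means the request never gets an answer
!    (no reachability, key mismatch, or no TACACS+ client entry in ACS for the
!    source IP the PIX uses); a rejected login would show as a failure instead.
show aaa-server my-group
! 2. Trigger one request on demand instead of waiting for a telnet session:
!    an ERROR result points at the server path, a REJECT at the credentials.
test aaa-server authentication my-group host 172.20.20.11 username testuser password testpass
! 3. Watch the exchange while a telnet login is attempted from another session.
debug aaa authentication
```

Because ACS silently drops requests from unknown clients, a timeout-only symptom on the PIX together with an empty failed-attempts log on ACS is consistent with the request never being accepted on the server side.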
