
ASA 8.0 and Microsoft ISA (local user backup)

vtra
Level 1

What is the command so that when the username + password cannot be found in the Microsoft ISA server, the PIX will look at the local database?

This command works in the router, but I cannot seem to find the equivalent for the PIX.

aaa authentication login default local group tacacs+

Basically, does the PIX/ASA 8.0 support multiple authorization commands?

Thank you very much for your help.

2 Replies

Herbert Baerten
Cisco Employee

On a router, "aaa authentication login default local group tacacs+" will ALWAYS use the local user DB, never tacacs.

"aaa authentication login default group tacacs+ local" will first try tacacs and only if the tacacs server is not responding, use the local DB. Note that if the tacacs server DOES respond but rejects the authentication attempt (user does not exist or wrong password), the router will NOT use the local DB.

That said, on pix/asa you can do the same, e.g.:

aaa-server TPLUS protocol tacacs+

aaa-server TPLUS (management) host 10.0.0.1

aaa authentication telnet console TPLUS LOCAL

hth

H
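
Added example, not part of the original thread and not Cisco code: a small Python audit that reads AAA login lines in the router and PIX/ASA forms quoted above and labels each method order according to the behaviour described in the reply. The sample lines, the list names VTY and CONSOLE, and the label names are constructed for illustration.

```python
# Constructed sample lines for illustration; not taken from a real device.
SAMPLE = """\
aaa authentication login default local group tacacs+
aaa authentication login VTY group tacacs+ local
aaa authentication login CONSOLE group tacacs+
aaa authentication telnet console TPLUS LOCAL
aaa authentication ssh console TPLUS
"""

def parse_methods(line):
    """Return (list_name, ordered_methods) for an AAA login line, else None."""
    tok = line.split()
    if tok[:3] == ["aaa", "authentication", "login"] and len(tok) > 4:
        # Router form: aaa authentication login <list> <method> [<method> ...]
        methods, rest = [], tok[4:]
        while rest:
            if rest[0] == "group" and len(rest) > 1:
                methods.append("group " + rest[1])
                rest = rest[2:]
            else:
                methods.append(rest[0])
                rest = rest[1:]
        return tok[3], methods
    if tok[:2] == ["aaa", "authentication"] and len(tok) > 4 and tok[3] == "console":
        # PIX/ASA form: aaa authentication <service> console <server-group> [LOCAL]
        return tok[2], tok[4:]
    return None

def classify(methods):
    """Label a method order using the behaviour described in the reply."""
    is_local = [m.lower() == "local" for m in methods]
    if all(is_local):
        return "local-only"
    if is_local[0]:
        return "local-first"        # remote server is never consulted
    if not any(is_local):
        return "no-local-fallback"  # no login path if the server is down
    return "remote-then-local"      # local used only when the server is silent

def audit(config_text):
    """Return [(list_name, label)] for every AAA login line in the text."""
    results = []
    for line in config_text.splitlines():
        parsed = parse_methods(line.strip())
        if parsed:
            results.append((parsed[0], classify(parsed[1])))
    return results

if __name__ == "__main__":
    for name, label in audit(SAMPLE):
        print(f"{name:10} {label}")
```

A "remote-then-local" result still means a user rejected by a responding server is not retried against the local database, as the reply points out.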

Thank you very much, that helped a lot!