PIX ACS auth

Unanswered Question
May 20th, 2008

I have a PIX 535 and I want to configure it for ACS authentication, but the problem is that users try to log in from the inside interface while the ACS is located on the outside interface of the PIX firewall.

I have configured the following commands, but I am still not able to get authentication:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
aaa-server TACACS+ (inside) host 172.28.x. xx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+

The same configuration is working fine for me with the rest of the firewalls in my network because the ACS and the users are located on the same interface side; only this firewall is having the problem.

The firewall does not have anything like a source interface, as routers have.

Please help me out.

Collin Clark Tue, 05/20/2008 - 09:45

The router will use whatever interface is closest to ACS. What do your logs say when you try and authenticate?

wasiimcisco Tue, 05/20/2008 - 12:47

Problem solved. Actually I was using the wrong interface keyword; the right keyword was the outside interface instead of the inside interface.

But now another problem has arisen,

and that is I am not able to console into my firewall. I have applied command authorization and it is working fine for me, but I am not able to console into my device. I wanted to use this option so that in case the ACS goes down I can console into my firewall, but it is not working for me.

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+

But I am not able to log in; I am getting the following error:

Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> enable
Command authorization failed

I also defined the local command authorization set like this:

privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege show level 0 mode configure command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
privilege cmd level 0 mode configure command access-list
privilege cmd level 15 mode interface command exit
privilege cmd level 15 mode subinterface command exit
privilege cmd level 15 mode dynupd-method command exit
privilege cmd level 15 mode trange command exit
privilege cmd level 15 mode route-map command exit
privilege cmd level 15 mode router command exit
privilege cmd level 15 mode ldap command exit
privilege cmd level 15 mode aaa-server-host command exit
privilege cmd level 15 mode aaa-server-group command exit
privilege cmd level 15 mode context command exit
privilege cmd level 15 mode group-policy command exit
privilege cmd level 15 mode username command exit
privilege cmd level 15 mode tunnel-group-general command exit
privilege cmd level 15 mode tunnel-group-ipsec command exit
privilege cmd level 15 mode tunnel-group-ppp command exit
privilege cmd level 15 mode mpf-class-map command exit
privilege cmd level 15 mode mpf-policy-map command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-param command exit

Please tell me how to solve this problem.
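As an added example (not from this thread or from Cisco), a small Python audit of the kind of PIX/ASA AAA excerpt posted above: it parses the `privilege` table, lists any `aaa authentication` or `aaa authorization` method list with no LOCAL fallback (the lists that fail closed when the ACS is unreachable), and reports which of the commands seen in the transcript a user at a given privilege level would be denied under LOCAL command authorization. The CONFIG text and the user privilege level of 1 for the `>` prompt are constructed assumptions based on the posted lines.

```python
# Added example (not from the thread or from Cisco): audit a PIX/ASA-style AAA
# excerpt for lockout risk. CONFIG is constructed from the lines posted above.
import re

CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authorization command TACACS+ LOCAL
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege cmd level 15 mode configure command exit
"""

PRIV_RE = re.compile(r"^privilege\s+\S+\s+level\s+(\d+)\s+mode\s+(\S+)\s+command\s+(\S+)$")

def parse_privileges(config):
    """Map (mode, command) -> privilege level required, from 'privilege' lines."""
    levels = {}
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            levels[(m.group(2), m.group(3))] = int(m.group(1))
    return levels

def missing_local_fallback(config):
    """AAA authentication/authorization method lists with no LOCAL entry; these
    fail closed when every TACACS+ server is unreachable."""
    risky = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] in (["aaa", "authentication"], ["aaa", "authorization"]):
            if "LOCAL" not in parts:
                risky.append(line.strip())
    return risky

def denied_commands(levels, mode, commands, user_level):
    """Commands in `mode` whose configured level is above the user's level.
    Commands without a 'privilege' line count as level 0 here (assumption;
    platform defaults are not reproduced)."""
    return [c for c in commands if levels.get((mode, c), 0) > user_level]

if __name__ == "__main__":
    lv = parse_privileges(CONFIG)
    print("no LOCAL fallback:", missing_local_fallback(CONFIG))
    # The transcript shows 'exit' and 'enable' typed at the unprivileged '>' prompt.
    print("denied at level 1:", denied_commands(lv, "exec", ["exit", "enable"], 1))
```

Run against the posted second config this reports no missing fallback, and shows that `exit` is mapped to level 15 in the local privilege table, so an unprivileged local session cannot execute it; the first config's `aaa authorization command TACACS+` line, by contrast, is flagged as having no LOCAL fallback.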
