05-20-2008 05:35 AM - edited 03-10-2019 03:51 PM
I have pix 535, i want to configure it for ACS authentication, but problem is that, users tries to login from inside interface and ACS located on outside interface of pix firewall.
I have configured the following commands but still not able to get the authentication,
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.28.x.x x.x.x
aaa-server TACACS+ (inside) host 172.28.x. xx
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
same configuration is working fine for me with rest of the firewalls of my network bcz ACS and users are located on the same interface side, only this firewall is having problem.
Firewall is not having any thing like source interface like routers have.
Please help me out.
05-20-2008 09:45 AM
The router will use whatever interface is closest to ACS. What do your logs say when you try and authenticate?
05-20-2008 12:47 PM
problem solved, actually i was using the wrong interface keyword right key word was outside interface instead of inside interface.
but now another problem arise,
and that is i m not able to console my firewall, i have applied the command authorization and it is working fine for me, but i m not able to console my device. I wanted to use this option in case, ACS goes down and i can console my firewall and but it is not working fine me.
aa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (edn) host 172.28.31.132
aaa-server TACACS+ (edn) host 172.28.31.133
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
but i m not able to login i m getting following eror
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> exit
Command authorization failed
TDC-INT-525-01> enable
Command authorization failed
i also defined the local command authorization set like this
privilege cmd level 15 mode exec command exit
privilege show level 5 mode exec command running-config
privilege show level 15 mode exec command version
privilege show level 0 mode exec command access-list
privilege show level 0 mode configure command access-list
privilege cmd level 15 mode configure command exit
privilege cmd level 15 mode configure command no
privilege cmd level 0 mode configure command access-list
privilege cmd level 15 mode interface command exit
privilege cmd level 15 mode subinterface command exit
privilege cmd level 15 mode dynupd-method command exit
privilege cmd level 15 mode trange command exit
privilege cmd level 15 mode route-map command exit
privilege cmd level 15 mode router command exit
privilege cmd level 15 mode ldap command exit
privilege cmd level 15 mode aaa-server-host command exit
privilege cmd level 15 mode aaa-server-group command exit
privilege cmd level 15 mode context command exit
privilege cmd level 15 mode group-policy command exit
privilege cmd level 15 mode username command exit
privilege cmd level 15 mode tunnel-group-general command exit
privilege cmd level 15 mode tunnel-group-ipsec command exit
privilege cmd level 15 mode tunnel-group-ppp command exit
privilege cmd level 15 mode mpf-class-map command exit
privilege cmd level 15 mode mpf-policy-map command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-class command exit
privilege cmd level 15 mode mpf-policy-map-param command exit
Please tell me how to solve this problem
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: