Fallback not working on my PIX

jong_r0602 · ‎05-26-2008

Hi Guru's,

I tried to reconfigure my PIX authorization. Im not authorized to issue any command on my PIX, I've already permitted all command in my ACS PIX Command authorization Set but theres no luck. I used my LOCAL account it still not working. See the messege below.

PIXA# show run

Fallback authorization. Username 'enable_15' not in LOCAL database

Command authorization failed

Appreciate your help,

Jong

Jagdeep Gambhir · ‎05-27-2008

Jong,

You need to create a user as "enable_15" in local and tacacs database with privilege 15 and with permission to issue all commands.

Once you have it, fallback should work.

Regards,

~JG

Do rate helpful posts

jong_r0602 · ‎05-27-2008

Hi JG,

My fallback problem has been resolved. But i have another problem, whenever i enter the command "aaa authentication enable console" my PIX Command Authorization Set is not working, all command is permitted in other words. But when i removed it, and try to login again, im always getting "command authorizaton failed". I dont know what is causing that. Im using ACS v3.3 and PIX v722. Please help me on what should be the right command and config on my ACS and PIX. Here my current config.

PIX:

aaa authentication telnet console TAC+ LOCAL

aaa authentication enable console TAC+ LOCAL

aaa authorization TAC+ LOCAL

ACS:

User> priv15

Pix Command Authorization Set button selected.

Thanks,

Jong

jong_r0602 · ‎06-03-2008

I solved it already.

Thanks alot

taungpawtar75 · ‎06-04-2008

Hi This is Tai and I have a problem with ASA5520. I forgot to add route on management interface whcih use for AAA authentication. The problem is I can't even use local account to login. I can login to system but not the context that I applied AAA. Please help

taungpawtar75 · ‎06-04-2008

Hi Sir

I really screw up my ASA now. We have two contexts on ASA, Con1 and Con2. I can get into Con2 since I didn't set up AAA on that. But I can't login Con2 I setup AAA on that and using mangement inerface for AAA. But both AAA and local acont is not working and I can not assign user name enable_15 on Con2. It doesn't accept admin local accont on that. Please help!!!!

aneelaka · ‎06-04-2008

if you have not saved the config try the reboot, AAA config will be deleted.

If you have saved the config, then check AAA logs.

If the logs dont help you, make the AAA server unreachable from ASA and it will take in local credential

jong_r0602 · ‎06-04-2008

In addition to that, please check your "failed attempt" logs in your ACS. It will gives you the reason why the login login fails. Check the reason code, nas and the username on your ACS failed attemp logs.

Hope it will help.

Rgds,

Jong

taungpawtar75 · ‎06-04-2008

Thanks jong. But the main problem for me is I forgot to add route to management interface that enable AAA. I found out that Cisco have bug CSCsj56051 Bug and will try to upload new bin file and see if it is working for local. BTW, if I can edit the current admin context file and add route, will it be work? Thanks

taungpawtar75 · ‎06-05-2008

Hi Sir

I have another question. Let's say I have the context name Test.cfg currently using as admin conext. I just upload a new config file Test1.cfg to ASA. If I rename my Test1.cfg to Test.cfg, and rename Test.cfg to Test1.cfg, after I reboot the ASA, will it take the new config file Test.cfg? Thanks

Another one is do ASA must have the same IOS?