cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
728
Views
19
Helpful
11
Replies

Pix/Radius and enable mode

jjoseph01
Level 3
Level 3

Hi all, I am trying to get a pix 6.3 to authenticate telnet users via radius with a Microsoft IAS server. This works well, but Im trying to get it where when they log in, it just dumps them into enable mode, instead of typing in the enable AD credential again. Anyone have any insight on how to do this? Its a IAS configuration thing I know, but not sure what to do with it. Thanks in advance.

11 Replies 11

Premdeep Banga
Level 7
Level 7

If you mean on firewall,

Username: alfa

Password: ********

pixfirewall#

Rather then,

Username: alfa

Password: ********

pixfirewall>

pixfirewall>enable

Password: ********

pixfirewall#

The unfortunately, Pix firewall does not have this concept, like IOS devices have.

On IOS you can get the user log directly into enable (Privileged exec) mode by passing attribute,

cisco av-pair as shell:priv-lvl=n or on some IOS only using Service Type as Administrative will do the trick.

Where, n is the privilege level.

AND, there has to be an EXEC authorization command on the IOS device, e.g.,

aaa authorization exec group radius....

Unfortunately, that is not the case for the Pix firewall, they have a different OS.

Regards,

Prem

Please rate if it helps!

Farrukh Haroon
VIP Alumni
VIP Alumni

Even tough the exec authorization feature in the Cisco PIX/ASA is not 'completely' implemented, it does not mean you cannot do things like command authorization on the PIX/ASA. So let us know what exactly do you want to achieve and maybe we could help.

Regards

Farrukh

Hey, thanks. When I telnet into the device, and successfully log in, Id like it to dump me directly into enable mode. routername# instead of routername>

Unfortunately, this kind of functionality is not included in the PIX/ASA OS as of now.

Regards,

Prem

Do you know if there is a plan to support this in any later versions? In my work enviroment shared passwords are not allowed. Thanks.

You might want to contact your accounts team for the same.

If sharing of password is not allowed, then you can enable, enable password authentication on firewall, i.e.

aaa authentication enable console LOCAL

And on the ACS server, under user's profile, make sure that enable password is selected as the user's account password against the respective database.

Regards,

Prem

Thanks works great thanks. One more question...

On my IOS equipment, I am able to make it check the LOCAL db first then radius rather than radius first. Is there a way to do it this way on the ASA?

Yes the AAA method list functionality is identical on both platforms. The IOS 'local-case' is the 'LOCAL' on ASA.

Regards

Farrukh

I think on your IOS this is how you are doing the authentication,

aaa authentication login default local group radius...

Local first and then Radius, right ?

If I understand you situation correctly, then that functionality/behavior is not how ASA/PIX firewall works.

If you specify LOCAL, then there is no other method available, i.e.,

aaa authentication telnet console LOCAL

But, you can specify the fallback as LOCAL in the event your Radius/Tacacs server is not available,

aaa authentication telnet console LOCAL

HTH

Regards,

Prem

Please rate if it helps!

I was afraid of that, but we can make it work. Thanks again.

I forgot to rate this, so came back to do so. Thanks for all your help.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: