08-22-2008 01:21 PM - edited 02-21-2020 02:58 AM
Hi all, I am trying to get a pix 6.3 to authenticate telnet users via radius with a Microsoft IAS server. This works well, but Im trying to get it where when they log in, it just dumps them into enable mode, instead of typing in the enable AD credential again. Anyone have any insight on how to do this? Its a IAS configuration thing I know, but not sure what to do with it. Thanks in advance.
08-22-2008 01:34 PM
If you mean on firewall,
Username: alfa
Password: ********
pixfirewall#
Rather then,
Username: alfa
Password: ********
pixfirewall>
pixfirewall>enable
Password: ********
pixfirewall#
The unfortunately, Pix firewall does not have this concept, like IOS devices have.
On IOS you can get the user log directly into enable (Privileged exec) mode by passing attribute,
cisco av-pair as shell:priv-lvl=n or on some IOS only using Service Type as Administrative will do the trick.
Where, n is the privilege level.
AND, there has to be an EXEC authorization command on the IOS device, e.g.,
aaa authorization exec
Unfortunately, that is not the case for the Pix firewall, they have a different OS.
Regards,
Prem
Please rate if it helps!
08-24-2008 11:11 AM
Even tough the exec authorization feature in the Cisco PIX/ASA is not 'completely' implemented, it does not mean you cannot do things like command authorization on the PIX/ASA. So let us know what exactly do you want to achieve and maybe we could help.
Regards
Farrukh
08-24-2008 02:42 PM
Hey, thanks. When I telnet into the device, and successfully log in, Id like it to dump me directly into enable mode. routername# instead of routername>
08-25-2008 03:41 AM
Unfortunately, this kind of functionality is not included in the PIX/ASA OS as of now.
Regards,
Prem
08-25-2008 07:25 AM
Do you know if there is a plan to support this in any later versions? In my work enviroment shared passwords are not allowed. Thanks.
08-25-2008 07:31 AM
You might want to contact your accounts team for the same.
If sharing of password is not allowed, then you can enable, enable password authentication on firewall, i.e.
aaa authentication enable console
And on the ACS server, under user's profile, make sure that enable password is selected as the user's account password against the respective database.
Regards,
Prem
08-26-2008 05:17 AM
Thanks works great thanks. One more question...
On my IOS equipment, I am able to make it check the LOCAL db first then radius rather than radius first. Is there a way to do it this way on the ASA?
08-26-2008 05:21 AM
Yes the AAA method list functionality is identical on both platforms. The IOS 'local-case' is the 'LOCAL' on ASA.
Regards
Farrukh
08-26-2008 05:29 AM
I think on your IOS this is how you are doing the authentication,
aaa authentication login default local group radius...
Local first and then Radius, right ?
If I understand you situation correctly, then that functionality/behavior is not how ASA/PIX firewall works.
If you specify LOCAL, then there is no other method available, i.e.,
aaa authentication telnet console LOCAL
But, you can specify the fallback as LOCAL in the event your Radius/Tacacs server is not available,
aaa authentication telnet console
HTH
Regards,
Prem
Please rate if it helps!
08-26-2008 06:44 AM
I was afraid of that, but we can make it work. Thanks again.
08-28-2008 07:33 AM
I forgot to rate this, so came back to do so. Thanks for all your help.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: