PIX Management Access via IAS

Unanswered Question
Nov 16th, 2009

Hello,

I have a PIX 515E running Cisco PIX Firewall Version 6.3(5)123. I am looking to have Management users connect to the PIX with their Active Directory credentials to manage the PIX. I have been successful in configuring this for all my switches, (2950s, 2960s 3350s etc.) but it does not work with the PIX.

Here is the AAA info I have:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 172.18.1.1 mykey timeout 5
aaa-server LOCAL protocol local
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authorization command LOCAL

Anyone have any clear documents or examples of a setup like this?

Thanks,

Craig

Jatin Katyal Sat, 11/21/2009 - 06:16

Hi Craig,

The proposed config looks good.

============================================
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 172.18.1.1 mykey timeout 5
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
=============================================

Just delete this command:

aaa-server LOCAL protocol local

Question: When you try to authenticate via AD credentials, what error message do you see in the Event Viewer of the IAS server?

Also, run the following debugs on the PIX:

debug aaa authentication
debug radius

And check the authentication via the test command:

---------------------------------------------------------------------
test aaa authentication RADIUS host 172.18.1.1
username:
password:
---------------------------------------------------------------------

After that, attach the output of the debugs with your next post.

HTH

JK

EastlinkIT_2 Tue, 11/24/2009 - 04:58

Hi JK,

Thanks for the response.

Will deleting the below line affect me using local credentials to log in, as that is all I can use to get on the box right now?

aaa-server LOCAL protocol local

Here are the error messages. It looks to be username and password; however, these are the same ones I use to access my switches in the same manner. There does not look to be any match for the policy.

In IAS I have the policy at the top of the list, and the conditions are Client-Friendly-Name matches 172.18.0.2 AND Windows-Groups matches a group the user is in. Are there any particular attributes required for a PIX login, such as I have for accessing my switches?

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 11/24/2009
Time: 8:26:27 AM
User: N/A
Computer: ADDC1
Description:
User cmanage was denied access.
Fully-Qualified-User-Name = domain\cmanage
NAS-IP-Address = 172.18.0.2
NAS-Identifier =
Called-Station-Identifier =
Calling-Station-Identifier = 172.18.7.7
Client-Friendly-Name = 172.18.0.2
Client-IP-Address = 172.18.0.2
NAS-Port-Type =
NAS-Port = 4183
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = PAP
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

57: ssh authentication for user cmanage, session id: 1503537791
58: Received response: cmanage, session id 1503537791
59: Making authentication request for host 172.18.1.1, user cmanage, session id: 1503537791
60: Processing challenge for user cmanage, session id: 1503537791, challenge: Password:
61: Sending challenge for user: cmanage, pass: ****, session id: 1503537791
62: Received response: , session id 1503537791
63: Making authentication request for host 172.18.1.1, user cmanage, session id: 1503537791
64: Received response: , session id 1503537791
65: Making authentication request for host 172.18.1.1, user cmanage, session id: 1503537791
66: Received response: , session id 1503537791
67: Making authentication request for host 172.18.101.1, user cmanage, session id: 1503537791
68: Received response: , session id 1503537791
69: Making authentication request for host 0.0.0.0, user cmanage, session id: 1503537791

There does not look to be a "test" command for this version of PIX.
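The IAS event above records Authentication-Type = PAP and Reason-Code 16. As an added illustration (not code from this thread or from Cisco/Microsoft), the Python below models how RFC 2865 section 5.2 hides a PAP User-Password with the RADIUS shared secret, and shows that a secret mismatch between the NAS and the server is rejected with the same Reason-Code 16 as a genuinely wrong password, so the event alone cannot tell the two apart. The key "mykey" comes from the thread's aaa-server line; the password, the Request Authenticator and the mistyped server secret "my-key" are constructed.

```python
import hashlib
import hmac

# Constructed Request Authenticator: a real NAS picks 16 fresh random bytes
# per Access-Request; a fixed value keeps this example repeatable.
AUTHENTICATOR = bytes(range(16))

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 sec. 5.2: NUL-pad to a multiple of 16 bytes (min 16), then XOR each
    block with MD5(secret + previous ciphertext block), seeded by the Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev
    return out

def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of encode_user_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += bytes(c ^ d for c, d in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def ias_pap_decision(encoded, server_secret, authenticator, stored_password):
    """Model the server's PAP check. With a mismatched shared secret the recovered
    password is garbage, so the reply is the same as for a wrong password:
    Access-Reject with Reason-Code 16."""
    recovered = decode_user_password(encoded, server_secret, authenticator)
    if hmac.compare_digest(recovered, stored_password):
        return ("Access-Accept", 0)
    return ("Access-Reject", 16)

def demo() -> dict:
    """Constructed scenario: NAS key 'mykey' is from the thread's aaa-server line;
    the AD password and the mistyped server secret ('my-key') are made up."""
    nas_secret, ad_password = b"mykey", b"Winter-2009!"
    wire = encode_user_password(ad_password, nas_secret, AUTHENTICATOR)
    return {
        "matching_secret": ias_pap_decision(wire, b"mykey", AUTHENTICATOR, ad_password),
        "mismatched_secret": ias_pap_decision(wire, b"my-key", AUTHENTICATOR, ad_password),
        "wrong_password": ias_pap_decision(
            encode_user_password(b"wrong", nas_secret, AUTHENTICATOR),
            b"mykey", AUTHENTICATOR, ad_password),
    }
```

Calling demo() returns the three outcomes; only the first is an Access-Accept, and the other two are indistinguishable from the server's point of view.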

Farrukh Haroon Wed, 11/25/2009 - 04:46

Have you added the PIX as an AAA client on the NAS?

As per your output, IAS is unable to map the policy to the PIX. Try making another policy for testing without the client friendly name restriction (even though I can see that the PIX is passing it).

Regards

Farrukh

EastlinkIT_2 Tue, 12/08/2009 - 12:07

Yes, it is added as an AAA client. Without the friendly name it makes no difference.

Farrukh Haroon Tue, 12/15/2009 - 09:41

When you are authenticating on the PIX, is it rejecting the username/password (login authentication), or is login authentication working fine and it is failing at the 'enable authentication' step? Because for enable authentication to work you need to set up a user called $enable15$ in RADIUS; have you done that? If this is the case, you may temporarily use the LOCAL database for authentication to test.

Also, can you provide more detailed debugs from the PIX? It seems you only ran radius debugs; please run all of the following.

Is this PIX Version 7.x or 6.x?

debug aaa authentication
debug aaa authorization
debug radius all

Regards

Farrukh
