PIX Management Access via IAS

Nov 16th, 2009

Hello,


I have a PIX 515E running Cisco PIX Firewall Version 6.3(5)123. I am looking to have Management users connect to the PIX with their Active Directory credentials to manage the PIX. I have been successful in configuring this for all my switches (2950s, 2960s, 3350s, etc.), but it does not work with the PIX.


Here is the AAA info I have:


aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server RADIUS (inside) host 172.18.1.1 mykey timeout 5

aaa-server LOCAL protocol local

aaa authentication ssh console RADIUS LOCAL

aaa authentication telnet console RADIUS LOCAL

aaa authentication serial console RADIUS LOCAL

aaa authentication enable console RADIUS LOCAL

aaa authorization command LOCAL


Anyone have any clear documents or examples of a setup like this?


Thanks,


Craig

Jatin Katyal (Cisco Employee) Sat, 11/21/2009 - 06:16

Hi Craig,


The proposed config looks good.


============================================

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server RADIUS (inside) host 172.18.1.1 mykey timeout 5



aaa authentication ssh console RADIUS LOCAL

aaa authentication telnet console RADIUS LOCAL

aaa authentication serial console RADIUS LOCAL

aaa authentication enable console RADIUS LOCAL

=============================================


Just delete this command :


aaa-server LOCAL protocol local


#Question#: When you try to authenticate via AD credentials, what error message do you see in the event viewer of the IAS server?


Also, run the following debugs on the PIX


debug aaa authentication

debug radius


And check the authentication via test command:


---------------------------------------------------------------------

test aaa authentication RADIUS host  172.18.1.1

username:

password:

---------------------------------------------------------------------


After that, attach the output of the debugs to your next post.


HTH


JK

EastlinkIT_2 Tue, 11/24/2009 - 04:58

Hi JK,


Thanks for the response.


Will deleting the below line affect me using local credentials to log in, as that is all I can use to get on the box right now?


aaa-server LOCAL protocol local




Here are the error messages. It looks to be username and password; however, these are the same ones I use to access my switches in the same manner. There does not look to be any match for the policy.


In IAS I have the policy at the top of the list and the conditions are the Client-Friendly-Name matches 172.18.0.2 AND Windows-Groups matches a group the user is in. Are there any particular attributes required for a PIX login such as I have for accessing my switches?


Event Type: Warning

Event Source: IAS

Event Category: None

Event ID: 2

Date: 11/24/2009

Time: 8:26:27 AM

User: N/A

Computer: ADDC1

Description:

User cmanage was denied access.

Fully-Qualified-User-Name = domain\cmanage

NAS-IP-Address = 172.18.0.2

NAS-Identifier =

Called-Station-Identifier =

Calling-Station-Identifier = 172.18.7.7

Client-Friendly-Name = 172.18.0.2

Client-IP-Address = 172.18.0.2

NAS-Port-Type =

NAS-Port = 4183

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name =

Authentication-Type = PAP

EAP-Type =

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.




57: ssh authentication for user cmanage, session id: 1503537791

58: Received response: cmanage, session id 1503537791

59: Making authentication request for host 172.18.1.1, user cmanage, session id: 1503537791

60: Processing challenge for user cmanage, session id: 1503537791, challenge: Password:

61: Sending challenge for user: cmanage, pass: ****, session id: 1503537791

62: Received response: , session id 1503537791

63: Making authentication request for host 172.18.1.1, user cmanage, session id: 1503537791

64: Received response: , session id 1503537791

65: Making authentication request for host 172.18.1.1, user cmanage, session id: 1503537791

66: Received response: , session id 1503537791

67: Making authentication request for host 172.18.101.1, user cmanage, session id: 1503537791

68: Received response: , session id 1503537791

69: Making authentication request for host 0.0.0.0, user cmanage, session id: 1503537791




There does not look to be a "test" command for this version of PIX.





Farrukh Haroon (Red, 2250 points or more) Wed, 11/25/2009 - 04:46

Have you added the PIX as an AAA client on the NAS?


As per your output, IAS is unable to map the policy to the PIX. Try making another policy for testing without the client friendly name restriction (even though I can see that the PIX is passing it).


Regards


Farrukh

EastlinkIT_2 Tue, 12/08/2009 - 12:07

Yes, it is added as an AAA client. Without the friendly name it makes no difference.

Farrukh Haroon (Red, 2250 points or more) Mon, 12/14/2009 - 22:28

Sorry I was on a short vacation, were you able to solve this issue?

Farrukh Haroon (Red, 2250 points or more) Tue, 12/15/2009 - 09:41

When you are authenticating on the PIX, is it rejecting the username/password (login authentication), or is login authentication working fine and it is failing at the 'enable authentication' step? Because for enable authentication to work you need to set up a user called $enable15$ in RADIUS; have you done that? If this is the case, you may temporarily use the LOCAL database for authentication to test.


Also, can you provide more detailed debugs from the PIX? It seems you only ran RADIUS debugs; please run all of the following:


Is this PIX Version 7.x or 6.x?


debug aaa authentication

debug aaa authorization

debug radius all


Regards


Farrukh
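Two things in this thread are easier to see on the wire than in the IAS event viewer: the IAS event earlier in the thread shows Authentication-Type = PAP with Reason-Code 16, and the last reply points out that enable authentication arrives at the RADIUS server as a separate login for the user $enable15$. The following is an added example, not code from the thread or from Cisco: a minimal RADIUS/PAP exchange per RFC 2865 with the NAS (PIX) side and the server (IAS) side in one process. The user table, the passwords, the shared secrets, and the NAS-side secret mismatch case are all constructed for illustration; the NAS address 172.18.0.2, NAS-Port 4183 and calling station 172.18.7.7 are taken from the IAS event above. Note what the server sees when the NAS uses a different shared secret: the User-Password attribute decodes to garbage, so the server logs the same "unknown user name or incorrect password" reason as for a mistyped password, while the NAS, if it verifies the Response Authenticator, sees a reply it cannot validate.

```python
"""RADIUS/PAP round trip (RFC 2865) with the NAS and the server in one process.

Added example, not from the thread. The user table, passwords and secrets are
constructed; 172.18.0.2, port 4183 and 172.18.7.7 mirror the IAS event above.
"""
import hashlib
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, REPLY_MESSAGE, CALLING_STATION_ID = 6, 18, 31
SERVICE_TYPE_LOGIN = 1
REASON_16 = "Reason-Code 16: unknown user name or incorrect password"

# Constructed "AD" user table. "$enable15$" is the username a PIX/ASA sends
# to RADIUS for enable (privilege level 15) authentication.
USERS = {"cmanage": "S3cret!pw", "$enable15$": "En4ble!pw"}


def _pap_xor(secret, authenticator, data, hiding):
    """RFC 2865 5.2: XOR 16-octet blocks with MD5(secret | previous cipher block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(chunk, key))
        out += result
        prev = result if hiding else chunk   # chain on the ciphertext either way
    return out


def hide_password(secret, authenticator, password):
    pad = (-len(password) % 16) or (16 if not password else 0)
    return _pap_xor(secret, authenticator, password + b"\x00" * pad, hiding=True)


def reveal_password(secret, authenticator, hidden):
    return _pap_xor(secret, authenticator, hidden, hiding=False).rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(data[i + 2:i + length])
        i += length
    return attrs


def build_access_request(secret, username, password, ident=None):
    """NAS side: what the PIX sends for a login or an enable authentication."""
    ident = secrets.randbelow(256) if ident is None else ident
    request_auth = secrets.token_bytes(16)   # must be unpredictable and unique
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton("172.18.0.2"))
             + _attr(NAS_PORT, struct.pack("!I", 4183))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
             + _attr(CALLING_STATION_ID, b"172.18.7.7"))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def radius_server(secret, users, packet):
    """Server side (the IAS role): decode PAP, check the user, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    username = attrs[USER_NAME][0].decode("utf-8", "replace")
    password = reveal_password(secret, request_auth, attrs[USER_PASSWORD][0])
    stored = users.get(username)
    # A wrong shared secret on the NAS garbles `password` here, so the server
    # cannot distinguish it from a mistyped password: same Reason-Code 16.
    if stored is not None and secrets.compare_digest(stored.encode(), password):
        code_out, reply_attrs, reason = ACCESS_ACCEPT, _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)), "granted"
    else:
        code_out, reply_attrs, reason = ACCESS_REJECT, _attr(REPLY_MESSAGE, REASON_16.encode()), REASON_16
    header = struct.pack("!BBH", code_out, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs, reason


def check_response(secret, request_auth, response):
    """NAS side: verify the Response Authenticator before trusting the code."""
    code, _ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if not secrets.compare_digest(expected, response[4:20]):
        return "invalid-authenticator"   # reply was not signed with our secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unexpected-code")


def authenticate(username, password, nas_secret, server_secret, users=USERS):
    """Full round trip; returns (what the NAS concludes, what the server logged)."""
    request, request_auth = build_access_request(nas_secret, username, password)
    response, reason = radius_server(server_secret, users, request)
    return check_response(nas_secret, request_auth, response), reason


if __name__ == "__main__":
    cases = [("cmanage", "S3cret!pw", b"mykey", USERS),                    # login OK
             ("cmanage", "wrong", b"mykey", USERS),                        # bad password
             ("cmanage", "S3cret!pw", b"mykeY", USERS),                    # NAS secret mismatch
             ("$enable15$", "En4ble!pw", b"mykey", USERS),                 # enable OK
             ("$enable15$", "En4ble!pw", b"mykey", {"cmanage": "S3cret!pw"})]  # no $enable15$ user
    for user, pw, nas_secret, users in cases:
        print(user, authenticate(user, pw, nas_secret, b"mykey", users))
```

The last two cases are the situation the reply above describes: with the user table lacking $enable15$, login authentication succeeds but the enable step is rejected, and on the IAS side that rejection is logged for user $enable15$, not for the administrator who typed `enable`. The third case is the one to rule out first when IAS reports Reason-Code 16 for credentials that work elsewhere: compare the secret on the `aaa-server RADIUS (inside) host` line with the one configured for that client in IAS.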
