11-16-2009 11:58 AM - edited 03-10-2019 04:48 PM
Hello,
I have a PIX 515E running Cisco PIX Firewall Version 6.3(5)123. I am looking to have Management users connect to the PIX with their Active Directory credentials to manage the PIX. I have been successful in configuring this for all my switches (2950s, 2960s, 3550s, etc.), but it does not work with the PIX.
Here is the AAA info I have:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 172.18.1.1 mykey timeout 5
aaa-server LOCAL protocol local
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authorization command LOCAL
Anyone have any clear documents or examples of a setup like this?
Thanks,
Craig
11-21-2009 06:16 AM
Hi Craig,
The proposed config looks good.
============================================
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host 172.18.1.1 mykey timeout 5
aaa authentication ssh console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
=============================================
Just delete this command :
aaa-server LOCAL protocol local
#Question#: When you try to authenticate via AD credentials, what error message do you see in the event viewer of the IAS server?
Also, run the following debugs on the PIX
debug aaa authentication
debug radius
And check the authentication via test command:
---------------------------------------------------------------------
test aaa authentication RADIUS host 172.18.1.1
username:
password:
---------------------------------------------------------------------
after that attach the output of the debugs with your next post.
HTH
JK
11-24-2009 04:58 AM
Hi JK,
Thanks for the response.
Will deleting the below line affect me using local credentials to login, as that is all I can use to get on the box right now.
aaa-server LOCAL protocol local
Here are the error messages. It looks to be username and password; however, these are the same ones I use to access my switches in the same manner. There does not look to be any match for the policy.
In IAS I have the policy at the top of the list and the conditions are the Client-Friendly-Name matches 172.18.0.2 AND Windows-Groups matches a group the user is in. Are there any particular attributes required for a PIX login such as I have for accessing my switches?
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 11/24/2009
Time: 8:26:27 AM
User: N/A
Computer: ADDC1
Description:
User cmanage was denied access.
Fully-Qualified-User-Name = domain\cmanage
NAS-IP-Address = 172.18.0.2
NAS-Identifier =
Called-Station-Identifier =
Calling-Station-Identifier = 172.18.7.7
Client-Friendly-Name = 172.18.0.2
Client-IP-Address = 172.18.0.2
NAS-Port-Type =
NAS-Port = 4183
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = PAP
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
57: ssh authentication for user cmanage, session id: 1503537791
58: Received response: cmanage, session id 1503537791
59: Making authentication request for host 172.18.1.1, user cmanage, session id: 1503537791
60: Processing challenge for user cmanage, session id: 1503537791, challenge: Password:
61: Sending challenge for user: cmanage, pass: ****, session id: 1503537791
62: Received response: , session id 1503537791
63: Making authentication request for host 172.18.1.1, user cmanage, session id: 1503537791
64: Received response: , session id 1503537791
65: Making authentication request for host 172.18.1.1, user cmanage, session id: 1503537791
66: Received response: , session id 1503537791
67: Making authentication request for host 172.18.101.1, user cmanage, session id: 1503537791
68: Received response: , session id 1503537791
69: Making authentication request for host 0.0.0.0, user cmanage, session id: 1503537791
There does not look to be a "test" command for this version of PIX
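Since PIX 6.3 has no `test aaa` command, the RADIUS side can be exercised independently of the firewall. The script below is an added example, not code from this thread or from Cisco: it builds an RFC 2865 PAP Access-Request with the same attributes the IAS event shows the PIX sending (User-Name, User-Password, NAS-IP-Address, NAS-Port), sends it to the IAS server, and verifies the Response Authenticator with the shared secret. The server address, secret, username and NAS address (172.18.1.1, mykey, cmanage and 172.18.0.2 from the thread) are assumptions supplied on the command line. Two things the PIX debug cannot tell you: with PAP the password is obfuscated with the shared secret, so a secret mismatch is reported by the server as a bad password (IAS reason code 16) rather than as a secret error, and the Response Authenticator check below fails only on a secret mismatch, which separates the two cases. IAS identifies RADIUS clients by source IP, so the host running this must itself be registered as a RADIUS client with the same secret.

```python
import hashlib
import hmac
import os
import socket
import struct
import sys

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}
# Attribute types used by the request
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; this is what the server does with its own copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")  # padding removal; a password ending in NUL is not supported


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, nas_port,
                         identifier=None, authenticator=None):
    """Return (packet, request_authenticator); identifier/authenticator are random unless given."""
    identifier = os.urandom(1)[0] if identifier is None else identifier
    authenticator = os.urandom(16) if authenticator is None else authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server-side reply: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_response(packet, secret, request_authenticator):
    """Verify the Response Authenticator, then return (code name, identifier, {type: [values]})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: shared secret differs or reply is forged")
    parsed, i = {}, 0
    while i + 2 <= len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if l < 2 or i + l > len(attrs):
            raise ValueError("malformed attribute")
        parsed.setdefault(t, []).append(attrs[i + 2:i + l])
        i += l
    return CODE_NAMES.get(code, str(code)), identifier, parsed


def send_request(host, secret, username, password, nas_ip, port=1812, timeout=5.0):
    packet, authenticator = build_access_request(username, password, secret, nas_ip, 0)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        data, _ = sock.recvfrom(4096)  # socket.timeout here means no reply: unknown client or no route
    return parse_response(data, secret, authenticator)


if __name__ == "__main__":
    # Assumed usage: radius_probe.py 172.18.1.1 mykey cmanage 'password' 172.18.0.2
    host, secret, user, pw, nas_ip = sys.argv[1:6]
    print(send_request(host, secret.encode(), user, pw, nas_ip)[0])
```

An Access-Reject that passes the authenticator check means the server saw the real password and still refused (policy, group, or Active Directory denial), while a "Response Authenticator mismatch" means the secret configured on the PIX `aaa-server` line and on the IAS client entry differ. The PIX does not validate that authenticator on failures either, which is why its debug above only shows requests going out and empty responses coming back.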
11-25-2009 04:46 AM
Have you added the PIX as an AAA client on the NAS?
As per your output, IAS is unable to map the policy to the PIX. Try making another policy for testing without the client friendly name restriction (even though I can see that the PIX is passing it).
Regards
Farrukh
12-08-2009 12:07 PM
Yes, it is added as an AAA client. Without the friendly name it makes no difference.
12-14-2009 10:28 PM
Sorry I was on a short vacation, were you able to solve this issue?
12-15-2009 04:24 AM
No. Still unsolved.
12-15-2009 09:41 AM
When you are authenticating on the PIX, is it rejecting the username/password (login authentication) or login authentication is working fine and it is failing at the 'enable authentication' step? Because for enable authentication to work you need to setup a user called $enable15$ in RADIUS, have you done that? If this is the case, you may temporarily use the LOCAL database for authentication to test.
Is this PIX Version 7.x or 6.x?
Also, can you provide more detailed debugs from the PIX? It seems you only ran radius debugs; please run all of the following:
debug aaa authentication
debug aaa authorization
debug radius all
Regards
Farrukh