Cisco Support Community
New Member

aaa authorization and unavailable TACACS server scenario

I have set up a PIX to authenticate users for telnet and enable access. I have set up authorization so a subset of users can only run show commands. This all works as expected.

The problem is when I simulate a network outage and try to get console access to the PIX. I cannot run the enable command because the command cannot be authorized. I would have to use password recovery means to gain access to the PIX. How do I get around this? Can I have the command authorization handled locally? Can I associate the show command with a lower privilege level? If so, how, and how do I limit users to that privilege level (via TACACS)? What do I forfeit by doing so?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: aaa authorization and unavailable TACACS server scenario

If the PIX is configured for TACACS authentication and the TACACS server is not available to authenticate, there is no way to fall back or get around this issue at this time.

You can configure the PIX to fall back to local authentication if TACACS is not available.

Next release (I think 6.3 and above) will have that feature available.
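
The lockout described in this thread arises when AAA lines name only the TACACS+ server group. As an added example (not from the thread or from Cisco), this Python check flags such lines in a saved configuration. The ASA-style syntax with a trailing `LOCAL` method, the function name `audit_aaa_fallback` and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample config (not from the thread); ASA-style syntax is assumed.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
username admin password <placeholder> privilege 15
aaa authentication telnet console TACACS+
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+
aaa authorization command TACACS+
"""

# Matches "aaa authentication <access> console <methods>" and
# "aaa authorization command <methods>"; "aaa-server" lines do not match.
AAA_LINE = re.compile(
    r"^aaa\s+(?:authentication\s+(?P<access>\S+)\s+console"
    r"|authorization\s+(?P<authz>command))\s+(?P<methods>.+)$")


def audit_aaa_fallback(config):
    """Return (item, problem) pairs for AAA lines that rely only on a remote
    server group, plus a finding if no local account exists to fall back to."""
    has_local_user = False
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("username "):
            has_local_user = True
        match = AAA_LINE.match(line)
        if not match:
            continue
        item = match.group("access") or "command-authorization"
        # A method list without LOCAL fails closed when the server is down.
        if "LOCAL" not in match.group("methods").split():
            findings.append((item, "no LOCAL fallback"))
    if not has_local_user:
        # LOCAL fallback is useless without at least one local account.
        findings.append(("username", "no local account defined for fallback"))
    return findings


if __name__ == "__main__":
    for item, problem in audit_aaa_fallback(SAMPLE_CONFIG):
        print(f"{item}: {problem}")
```
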
