Cisco Support Community
Community Member

AAA on a PIX 7.2(1)

Hi all,

I have the following configuration on my routers:

aaa new-model
aaa authentication login default local group tacacs+
aaa authentication login console enable
aaa authentication enable default enable
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization exec console none
aaa authorization commands 15 default local group tacacs+ if-authenticated
aaa accounting delay-start
aaa accounting suppress null-username
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

This will basically let me log in to my routers and, by default, go to privileged mode once authenticated.

My question is how can I do this with a PIX ASA version 7.2(1)?

I have the following on the firewall:

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server srv1 protocol tacacs+
aaa-server srv1 (outside) host
aaa authentication serial console LOCAL
aaa authentication telnet console srv1 LOCAL
aaa authentication ssh console srv1 LOCAL

However, when I try to log in, I enter the user and pass, but I am left only at the un-privileged mode and then I have to enter the enable mode password.




Re: AAA on a PIX 7.2(1)


Can you also try configuring the command below?

aaa authentication enable console srv1


Community Member

Re: AAA on a PIX 7.2(1)

I did on a production firewall and unfortunately I was effectively locked out from the system :)

Did not seem to help, any clue?
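
Added example (not part of any post in this thread, and not Cisco code): a pre-change check that reads PIX/ASA-style `aaa authentication ... console` lines and reports, per access method, whether it is local-only, uses a server group with the `LOCAL` fallback keyword, or depends on the server group alone, which is the shape of the `enable` line suggested above. The function name, finding labels and the server address in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the firewall lines from the question plus the suggested
# "enable" line. The server address is a placeholder, not from the thread.
SAMPLE_CONFIG = """\
aaa-server srv1 protocol tacacs+
aaa-server srv1 (outside) host 192.0.2.10
aaa authentication serial console LOCAL
aaa authentication telnet console srv1 LOCAL
aaa authentication ssh console srv1 LOCAL
aaa authentication enable console srv1
"""

CONSOLE_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")


def audit_console_aaa(config):
    """Return {access_method: finding} for the console authentication lines."""
    groups, methods = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)  # server group name -> protocol
            continue
        m = CONSOLE_RE.match(line)
        if m:
            methods[m.group(1)] = m.group(2).split()  # method -> auth sources
    findings = {}
    for method, sources in methods.items():
        first = sources[0]
        if first == "LOCAL":
            findings[method] = "local-only"
        elif first not in groups:
            findings[method] = "undefined-server-group"
        elif "LOCAL" in sources[1:]:
            findings[method] = "server-with-local-fallback"
        else:
            findings[method] = "server-only"  # no local fallback configured
    # No "enable" line at all means the plain enable password is in use.
    findings.setdefault("enable", "not-configured")
    return findings


if __name__ == "__main__":
    for method, finding in audit_console_aaa(SAMPLE_CONFIG).items():
        print(f"{method:8} {finding}")
```

A `server-only` or `undefined-server-group` finding on a production firewall is worth resolving, with out-of-band console access confirmed, before the change is saved.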


Community Member

Re: AAA on a PIX 7.2(1)

You need to enter on the pix the following to perform command level authorization:


aaa authorization command LOCAL

(this looks at a TACACS group for command level and if it cannot reach, looks at the LOCAL db).

Then on ACS you need to create a shell command set. (note, do not use the pixshell command set, as that is not implemented on pix).

Community Member

Re: AAA on a PIX 7.2(1)

He doesn't want to do Command Level Authorization, he just wants it to place him directly into enable mode when he logs in with his username and password.

Got any idea how to do that?

Community Member

Re: AAA on a PIX 7.2(1)

For Pix, it will only allow you to initially log in with user mode. If you are using Cisco ACS, you can go to the user setup and under TACACS+ enable password, you can select it to use the database that you want your users to authenticate with. For example, if you use Windows AD, then you can select that. Then when the user logs into the Pix with AD username and pw, it will be in user mode, type ena and it will prompt for password, then type your AD password again.

As far as I know, that is the only way to do it with a Pix.


Re: AAA on a PIX 7.2(1)

In addition, the link below helps a lot!

There are a lot of cases and instructions to configure authentication.


Rafael Lanna

Community Member

Re: AAA on a PIX 7.2(1)


You need to enter the authorization command on the ASA firewall, so that once you get authenticated you would be entering the privileged mode and not the unprivileged mode.

Only when you enter the authorization commands will the ASA firewall decide that the particular user is able to enter the privileged mode according to the configuration.

Please let me know if you need the configuration for that; let me send it to you.

Community Member

Re: AAA on a PIX 7.2(1)


Just wanted to give you a pointer that command level on Router/switch and PIX/ASA is totally different. And similarly the concept of privileged and un-privileged mode.

In your case. If you need something like


On ASA, sorry, that's not gonna work, as it was not designed, and is not designed till date. There's no concept of exec authorization on PIX/ASA, only enable authentication.

What you can do is, depending on your requirement, assign commands to a particular enable level/mode on ASA, and using ACS (TACACS+), let a group/user have privilege for that enable mode.

Something that might help you :

Go through above link, and you'll have ample idea about changing commands privilege level.

But be assured, CLI for PIX/ASA doesn't work as in case of legacy Router/switches, but Cisco is trying to bridge the gap =P


