AAA Rules for PIX515E 6.3(5)

Hello. If I wanted to configure the PIX for authentication from an ACS server (for the purpose of PIX management), what else would I need apart from the following:

aaa-server Admin-FW protocol tacacs+
aaa-server Admin-FW max-failed-attempts 3
aaa-server Admin-FW deadtime 10
!
aaa-server Admin-FW (inside) host 192.168.2.9 access timeout 10
!
aaa authentication serial console Admin-FW
aaa authentication telnet console Admin-FW
aaa authentication ssh console Admin-FW

AFAIK, I have not specified which IP addresses someone can telnet from to log onto the PIX. I have tried the following, but I'm sure I haven't provided the correct statements:

aaa authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW

... and I get a Username / Password prompt on the PIX but it keeps asking for a username and password. I know my TACACS account is fine since I can log onto routers with the same details as what I am using to authenticate to the PIX.

I also ran a debug on the PIX when I was trying to authenticate. The output is attached.

Thanks,

Timothy

Accepted Solutions

Re: AAA Rules for PIX515E 6.3(5)

Hi Tim,

There is no need for the command

aaa authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW

Try now and see if you get any hits on ACS. In case it is not working, please get the debugs again.

Thanks,

Jagdeep

Re: AAA Rules for PIX515E 6.3(5)

Hi,

Config seems to be just fine, though you can still go through the following:

Telnet access:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sysmgmt.html#wp1022109

SSH access:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sysmgmt.html#wp1034079

"aaa authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW"

The above command is for pass-through traffic and has no role in administrative authentication, so you can remove it.

Apart from that, in your debugs I see this:

150: Processing a rejection for user , session id: 1097271073
151: Processing a rejection for user , session id: 1097271073
*152: Marking server 192.168.2.9 down in servertag Admin-FW*
153: Processing a rejection for user , session id: 1097271073
154: Processing a rejection for user , session id: 1097271073

Can you check your ACS server pass/fail logs to see if you are even touching the ACS server?

I am sure you must have defined an AAA client entry for the PIX as a TACACS+ client.

Please look into that, as from these debugs it seems like the PIX is considering it dead.

Debugs that can help you:

debug aaa authentication
debug aaa authorization

Also, as you are using version 6.3(5), create a local account on the PIX and use these commands:

aaa authentication serial console Admin-FW LOCAL
aaa authentication telnet console Admin-FW LOCAL
aaa authentication ssh console Admin-FW LOCAL

So that you always have a fallback.

Regards,

Prem
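As an added example (not code from the thread or from Cisco), the following script applies the two checks Prem describes to text pasted from the PIX: it scans "debug aaa authentication" output for rejections and for the "Marking server ... down" line, and it lists the console access methods whose aaa authentication line has no LOCAL fallback. The debug and config samples are constructed, modelled on the lines quoted in the thread; the line formats assumed are exactly those quoted, so other PIX debug message formats are not handled.

```python
import re

# Constructed sample, modelled on the debug excerpt Prem quotes above.
DEBUG_SAMPLE = """\
150: Processing a rejection for user , session id: 1097271073
151: Processing a rejection for user , session id: 1097271073
152: Marking server 192.168.2.9 down in servertag Admin-FW
153: Processing a rejection for user , session id: 1097271073
154: Processing a rejection for user , session id: 1097271073
"""

# Constructed sample: Tim's console lines, with no LOCAL fallback yet.
CONFIG_SAMPLE = """\
aaa authentication serial console Admin-FW
aaa authentication telnet console Admin-FW
aaa authentication ssh console Admin-FW
"""

# Line formats assumed from the quoted debug output and the PIX 6.3 config syntax.
REJECT_RE = re.compile(
    r"^\d+: Processing a rejection for user (?P<user>[^,\s]*) ?, session id: (?P<sid>\d+)$")
DOWN_RE = re.compile(r"^\d+: Marking server (?P<ip>[\d.]+) down in servertag (?P<tag>\S+)$")
CONSOLE_RE = re.compile(r"^aaa authentication (?P<method>serial|telnet|ssh) console (?P<tags>.+)$")


def analyze_debug(debug_text):
    """Count rejections (and how many carried no username) and collect the
    servers the PIX marked dead; a dead server is the cue to check the ACS
    pass/fail logs and the PIX's AAA client entry, as Prem suggests."""
    rejections = empty_user = 0
    servers_down = []
    for line in debug_text.splitlines():
        if m := REJECT_RE.match(line.strip()):
            rejections += 1
            if not m.group("user"):
                empty_user += 1
        elif m := DOWN_RE.match(line.strip()):
            servers_down.append((m.group("ip"), m.group("tag")))
    return {"rejections": rejections, "empty_user_rejections": empty_user,
            "servers_down": servers_down, "server_marked_dead": bool(servers_down)}


def missing_local_fallback(config_text):
    """Console access methods whose aaa authentication line names no LOCAL
    fallback, so a dead TACACS+ server would lock administrators out."""
    matches = (CONSOLE_RE.match(line.strip()) for line in config_text.splitlines())
    return [m.group("method") for m in matches
            if m and "LOCAL" not in m.group("tags").split()]
```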
