06-20-2007 04:10 PM - edited 03-10-2019 03:13 PM
Hello. If I wanted to configure the PIX for authentication from an ACS server (for the purpose of PIX management), what else would I need apart from the following:
aaa-server Admin-FW protocol tacacs+
aaa-server Admin-FW max-failed-attempts 3
aaa-server Admin-FW deadtime 10
!
aaa-server Admin-FW (inside) host 192.168.2.9 access timeout 10
!
aaa authentication serial console Admin-FW
aaa authentication telnet console Admin-FW
aaa authentication ssh console Admin-FW
AFAIK, I have not specified which IP addresses someone can telnet from to log onto the PIX. I have tried the following, but I'm sure I haven't provided the correct statements:
aaa authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW
... and I get a Username / Password prompt on the PIX but it keeps asking for a username and password. I know my TACACS account is fine since I can log onto routers with the same details as what I am using to authenticate to the PIX.
I also ran a debug on the PIX when I was trying to authenticate. The output is attached.
Thanks,
Timothy
06-20-2007 04:33 PM
Hi Tim,
There is no need for command,
aaa authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW
Try now and see if you get any hits on ACS. In case it is not working, please get the debugs again.
Thanks,
Jagdeep
06-20-2007 05:39 PM
Hi,
Config seems to be just fine, though you can still go through the following:
Telnet access:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sysmgmt.html#wp1022109
SSH access:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sysmgmt.html#wp1034079
"aaa authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW"
The above command is for pass-through traffic and has no role in administrative authentication, so you can remove it.
Apart from that, in your debugs I see this,
150: Processing a rejection for user
151: Processing a rejection for user
*152: Marking server 192.168.2.9 down in servertag Admin-FW*
153: Processing a rejection for user
154: Processing a rejection for user
Can you check your ACS server logs (passed/failed attempts) to see if you are even touching the ACS server.
I am sure you must have defined an AAA client entry for the PIX as a TACACS+ client.
Please look into that. From these debugs it seems like the PIX is considering it dead.
Debugs that can help you :
debug aaa authentication
debug aaa authorization
Also, as you are using version 6.3(5),
create a local account on the PIX and use these commands,
aaa authentication serial console Admin-FW LOCAL
aaa authentication telnet console Admin-FW LOCAL
aaa authentication ssh console Admin-FW LOCAL
So that you always have a fallback.
Regards,
Prem
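As an added illustration of the two points made in this thread (the `include` line only affects pass-through traffic, and the `console` lines should carry a LOCAL fallback so a dead TACACS+ server does not lock you out), here is a small checker that is not from the original posts: it audits a constructed PIX 6.3-style config and pulls the "Marking server ... down" events out of constructed debug lines shaped like the ones quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample config in the style of the thread (not the poster's actual file).
SAMPLE_CONFIG = """\
aaa-server Admin-FW protocol tacacs+
aaa-server Admin-FW max-failed-attempts 3
aaa-server Admin-FW deadtime 10
aaa-server Admin-FW (inside) host 192.168.2.9 access timeout 10
aaa authentication serial console Admin-FW
aaa authentication telnet console Admin-FW LOCAL
aaa authentication ssh console Admin-FW
aaa authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW
"""

# Constructed debug output in the shape quoted in the thread.
SAMPLE_DEBUG = """\
150: Processing a rejection for user
151: Processing a rejection for user
152: Marking server 192.168.2.9 down in servertag Admin-FW
153: Processing a rejection for user
"""

# Management (console) authentication lines: access type, server tag, optional fallback.
CONSOLE_RE = re.compile(r"^aaa authentication (serial|telnet|ssh) console (\S+)(?: (\S+))?$")
# Pass-through (cut-through proxy) authentication; irrelevant to admin logins.
INCLUDE_RE = re.compile(r"^aaa authentication include (\S+) ")
# Debug line the PIX emits when it declares an AAA server dead.
DOWN_RE = re.compile(r"Marking server (\S+) down in servertag (\S+)")


def audit_config(config: str) -> Dict[str, List[str]]:
    """Return console lines lacking a LOCAL fallback and any pass-through
    'include' lines that do nothing for management authentication."""
    no_fallback: List[str] = []
    passthrough: List[str] = []
    for line in config.splitlines():
        line = line.strip()
        m = CONSOLE_RE.match(line)
        if m and m.group(3) != "LOCAL":
            no_fallback.append(m.group(1))
        elif INCLUDE_RE.match(line):
            passthrough.append(line)
    return {"no_local_fallback": no_fallback, "passthrough_include": passthrough}


def servers_marked_down(debug: str) -> List[Tuple[str, str]]:
    """Extract (server_ip, servertag) pairs the PIX marked dead in the debug output."""
    return [(m.group(1), m.group(2)) for m in map(DOWN_RE.search, debug.splitlines()) if m]
```

A server in the "marked down" list combined with console lines in `no_local_fallback` is exactly the lock-out scenario Prem's LOCAL suggestion guards against.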