AAA Rules for PIX515E 6.3(5)

tbogie_gvds
Level 1

Hello. If I wanted to configure the PIX for authentication from an ACS server (for the purpose of PIX management), what else would I need apart from the following:

aaa-server Admin-FW protocol tacacs+
aaa-server Admin-FW max-failed-attempts 3
aaa-server Admin-FW deadtime 10
!
aaa-server Admin-FW (inside) host 192.168.2.9 access timeout 10
!
aaa authentication serial console Admin-FW
aaa authentication telnet console Admin-FW
aaa authentication ssh console Admin-FW

AFAIK, I have not specified which IP addresses someone can telnet from to log onto the PIX. I have tried the following, but I'm sure I haven't provided the correct statements:

aaa authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW

... and I get a Username / Password prompt on the PIX, but it keeps asking for a username and password. I know my TACACS account is fine since I can log onto routers with the same details I am using to authenticate to the PIX.

I also ran a debug on the PIX when I was trying to authenticate. The output is attached.

Thanks,

Timothy

Accepted Solution

Jagdeep Gambhir
Level 10

Hi Tim,

There is no need for the command

aaa authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW

Try now and see if you get any hits on ACS. In case it is not working, please get the debugs again.

Thanks,

Jagdeep


2 Replies


Premdeep Banga
Level 7

Hi,

Config seems to be just fine, though you can still go through the following:

Telnet access:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sysmgmt.html#wp1022109

SSH access:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/sysmgmt.html#wp1034079

"aaa authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW"

The above command is for pass-through traffic and has no role in administrative authentication, so you can remove it.

Apart from that, in your debugs I see this:

150: Processing a rejection for user , session id: 1097271073
151: Processing a rejection for user , session id: 1097271073
*152: Marking server 192.168.2.9 down in servertag Admin-FW*
153: Processing a rejection for user , session id: 1097271073
154: Processing a rejection for user , session id: 1097271073

Can you check your ACS server pass/fail logs to see if you are even touching the ACS server?

I am sure you must have defined an AAA client entry for the PIX as a TACACS+ client.

Please look into that, as from these debugs it seems the PIX is considering it dead.

Debugs that can help you:

debug aaa authentication
debug aaa authorization

Also, as you are using version 6.3(5), create a local account on the PIX and use these commands,

aaa authentication serial console Admin-FW LOCAL
aaa authentication telnet console Admin-FW LOCAL
aaa authentication ssh console Admin-FW LOCAL

so that you always have a fallback.

Regards,

Prem
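The checks Prem walks through above (the `include` rule only covers pass-through traffic, the console lines should carry a LOCAL fallback, and the debug shows the PIX marking the ACS dead) as an added Python example; this is not code from the thread or from Cisco. The sample config and debug lines are reconstructed from the posts above, and the finding messages are my own wording.

```python
import re

# Constructed sample: the PIX 6.3(5) AAA config posted in the question (not a live device).
SAMPLE_CONFIG = """\
aaa-server Admin-FW protocol tacacs+
aaa-server Admin-FW max-failed-attempts 3
aaa-server Admin-FW deadtime 10
aaa-server Admin-FW (inside) host 192.168.2.9 access timeout 10
aaa authentication serial console Admin-FW
aaa authentication telnet console Admin-FW
aaa authentication ssh console Admin-FW
aaa authentication include telnet inside 192.168.0.0 255.255.0.0 Admin-FW
"""
# Constructed sample: the 'debug aaa authentication' lines Prem quoted from the thread.
SAMPLE_DEBUG = """\
150: Processing a rejection for user , session id: 1097271073
151: Processing a rejection for user , session id: 1097271073
152: Marking server 192.168.2.9 down in servertag Admin-FW
153: Processing a rejection for user , session id: 1097271073
"""
CONSOLE_RE = re.compile(r"^aaa authentication (serial|telnet|ssh) console (\S+)(?: (LOCAL))?$")
HOST_RE = re.compile(r"^aaa-server (\S+) \(\S+\) host (\S+)")
DOWN_RE = re.compile(r"Marking server (\S+) down in servertag (\S+)")

def lint_pix_aaa(config):
    """Return (severity, message) findings for the management-AAA part of a PIX config."""
    hosts = {m.group(1) for m in map(HOST_RE.match, config.splitlines()) if m}
    findings = []
    for line in config.splitlines():
        m = CONSOLE_RE.match(line)
        if m:
            svc, group, fallback = m.groups()
            if group not in hosts:
                findings.append(("error", f"{svc} console auth uses group {group}, which has no host"))
            if not fallback:
                findings.append(("warn", f"{svc} console auth has no LOCAL fallback for an unreachable ACS"))
        elif line.startswith("aaa authentication include "):
            findings.append(("info", "'aaa authentication include' covers pass-through traffic only, "
                                     "not device management; remove it if management auth is the goal"))
    return findings

def triage_aaa_debug(debug):
    """Count empty-username rejections and server-down events in 'debug aaa authentication' output."""
    empty_user = sum("rejection for user ," in line for line in debug.splitlines())
    down = [m.groups() for m in map(DOWN_RE.search, debug.splitlines()) if m]
    cause = ("PIX got no accept from ACS and marked it dead: check the ACS pass/fail logs and "
             "that this PIX is defined as a TACACS+ AAA client" if down else "check ACS failed-attempts log")
    return {"empty_user_rejections": empty_user, "servers_marked_down": down, "likely_cause": cause}
```

Run `lint_pix_aaa` on the saved config and `triage_aaa_debug` on captured debug output; an empty `warn` list after adding LOCAL confirms the fallback Prem recommends is in place.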