Configuring AAA TACACS+ with PIX 525

soshomile
Level 1

Dear All,

I want to configure the PIX 525 for authentication from an ACS server. What else would I need apart from the following?

aaa-server authentication protocol tacacs+

aaa-server authentication (inside) host 172.16.1.152 cisco timeout 5

Please help me out in this scenario.

regards

sosho

7 Replies

parmsing
Cisco Employee

Hi,

You are missing the aaa authentication command. Here is the link which should provide you further information on aaa authentication on the PIX.

http://www.cisco.com/en/US/customer/docs/security/asa/asa72/command/reference/a1_72.html#wp1437931

HTH

Parminder

Dear Parminder,

Sorry, I don't have a CCO account right now. Could you please provide me the PIX 525 basic AAA configuration commands? I would be very thankful to you.

Regards

Sosho

Hi Sosho,

Here are the commands we should have in the PIX.

aaa authentication {telnet|ssh|serial} console tacacs+ LOCAL

aaa-server authentication protocol tacacs+

aaa-server authentication (inside) host 172.16.1.152 cisco timeout 5

We are using "LOCAL" as the fallback method in case TACACS+ is not reachable. Please make sure that you are running PIX code 6.3.4 or above, as the fallback method was not available in earlier PIX code.

Also create a local account for the fallback case.

-Parminder

Thank you very much for submitting this useful information.

It is confirmed that I have 6.3.5.

If the AAA server does not reply and we don't have any other local authentication method defined, how would we log into the PIX in that case? Could we exempt console logins from AAA authentication in any way?

If the TACACS+ server is not available, the authentication process falls back to the LOCAL database for authentication.

If you want only telnet sessions to be authenticated by the TACACS+ server, then use the following command.

aaa authentication telnet console tacacs+ LOCAL

However, you can replace the "telnet" keyword with ssh or console, as per your requirement.

Above we have defined that if TACACS+ is not available, the "LOCAL" database accounts are tried for authentication. So make sure we have some users defined before you configure the aaa authentication command in the PIX config.

In the aaa authentication command we have mentioned "telnet", which means TACACS+ authentication would only be enabled for "telnet" sessions, not for SSH or console access to the PIX.

-Parminder
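The two pitfalls Parminder points out above (a LOCAL fallback with no local accounts, and an access method with no fallback at all, which locks you out when the server is unreachable) are easy to miss in a long running config. The following checker is an added example, not Cisco's tooling or anything posted in this thread. It parses PIX 6.3-style aaa-server and aaa authentication lines and reports those conditions. The sample config is constructed from the commands in the thread, using the PIX 6.3 ordering "aaa authentication {serial|enable|telnet|ssh|http} console server_tag [LOCAL]"; the predefined TACACS+/RADIUS/LOCAL server tags are assumed to be the stock PIX 6.3 defaults, and the username line uses a placeholder hash.

```python
"""Lint a PIX 6.3-style AAA console-authentication config for fallback pitfalls.

Added example, not Cisco tooling. Checks that every aaa authentication rule
points at a defined aaa-server tag with at least one host, that a LOCAL
fallback has local accounts behind it, and that no access method depends on
a remote server with no fallback at all.
"""
import re

# Assumption: stock PIX 6.3 ships these aaa-server tags predefined (no hosts).
PREDEFINED_TAGS = {"TACACS+": "tacacs+", "RADIUS": "radius", "LOCAL": "local"}

SERVER_PROTO_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
SERVER_HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
AUTH_RE = re.compile(
    r"^aaa authentication (serial|enable|telnet|ssh|http) console (\S+)( LOCAL)?$",
    re.IGNORECASE,
)
USER_RE = re.compile(r"^username (\S+) password ")

# Constructed sample built from the commands in the thread. The telnet rule
# has a LOCAL fallback; the ssh rule deliberately does not.
SAMPLE_CONFIG = """\
aaa-server authentication protocol tacacs+
aaa-server authentication (inside) host 172.16.1.152 cisco timeout 5
aaa authentication telnet console authentication LOCAL
aaa authentication ssh console authentication
username admin password PLACEHOLDER-HASH encrypted
"""


def parse_aaa(config):
    """Return (servers, rules, users) extracted from the config text.

    servers: tag (upper-cased) -> {"protocol": str or None, "hosts": [ip, ...]}
    rules:   list of (access_method, server_tag, has_local_fallback)
    users:   set of local account names
    """
    servers = {tag: {"protocol": proto, "hosts": []} for tag, proto in PREDEFINED_TAGS.items()}
    rules = []
    users = set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := SERVER_PROTO_RE.match(line):
            servers.setdefault(m[1].upper(), {"protocol": None, "hosts": []})["protocol"] = m[2]
        elif m := SERVER_HOST_RE.match(line):
            servers.setdefault(m[1].upper(), {"protocol": None, "hosts": []})["hosts"].append(m[3])
        elif m := AUTH_RE.match(line):
            rules.append((m[1].lower(), m[2], m[3] is not None))
        elif m := USER_RE.match(line):
            users.add(m[1])
    return servers, rules, users


def lint_aaa(config):
    """Return a list of human-readable findings; an empty list means no pitfalls found."""
    servers, rules, users = parse_aaa(config)
    findings = []
    for access, tag, local in rules:
        key = tag.upper()
        if key == "LOCAL":
            continue  # purely local authentication has no server dependency
        srv = servers.get(key)
        if srv is None:
            findings.append(f"{access}: server tag '{tag}' is not defined by any aaa-server line")
        elif not srv["hosts"]:
            findings.append(f"{access}: server tag '{tag}' has protocol {srv['protocol']} but no host")
        if local and not users:
            findings.append(f"{access}: LOCAL fallback is listed but no 'username' account exists")
        if not local:
            findings.append(f"{access}: no LOCAL fallback; access is lost if '{tag}' is unreachable")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the only finding is the ssh rule with no fallback; drop the username line and the telnet rule is flagged too, which is exactly the lockout case Sosho asked about.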

Dear Parminder,

As per your kind information, if I want "vpdn" authentication and accounting, would I only replace "telnet" with "vpdn"? (I have configured vpdn for VPN terminations.) If vpdn is not a recognized keyword there, please tell me how I can add vpdn authentication and accounting.

i will wait for your kind reply.....

-Sosho-

Hi Sosho,

We cannot configure fallback authentication for VPDN authentication. I would suggest you configure local authentication first and make sure that the config is working; after that, go ahead and configure the RADIUS authentication commands in the config. Here are the sample commands for your reference.

vpdn group l2tpipsec client authentication aaa Radius

vpdn group l2tpipsec client accounting Radius

In the above commands, "l2tpipsec" is the VPDN group name.

-Parminder