07-04-2007 02:49 AM - edited 03-10-2019 03:15 PM
Dear All;
I wanted to configure the PIX 525 for authentication from an ACS server. What else would I need apart from the following?
aaa-server authentication protocol tacacs+
aaa-server authentication (inside) host 172.16.1.152 cisco timeout 5
Please help me out in this scenario.
regards
sosho
07-04-2007 03:00 AM
Hi,
You are missing the aaa authentication command. Here is the link which should provide you further information on aaa authentication on the PIX.
http://www.cisco.com/en/US/customer/docs/security/asa/asa72/command/reference/a1_72.html#wp1437931
HTH
Parminder
07-04-2007 03:05 AM
Dear Parminder;
Sorry, I don't have a CCO account right now. Could you please provide me the PIX 525 basic AAA configuration commands? I would be very thankful to you.
Regards
Sosho
07-04-2007 03:14 AM
Hi Sosho,
Here are the commands we should have in the PIX.
aaa authentication console telnet/ssh/console tacacs+ LOCAL
aaa-server authentication protocol tacacs+
aaa-server authentication (inside) host 172.16.1.152 cisco timeout 5
We are using "LOCAL" as the fallback method in case tacacs is not reachable. Please make sure that you are running PIX code 6.3.4 or above, as the fallback method was not introduced in earlier PIX codes.
Also create a local account in case of fallback.
-Parminder
07-04-2007 03:23 AM
Thank you very much for submitting useful information;
It is confirmed that I have 6.3.5;
If the AAA server didn't reply and we don't have any other local authentication method defined, in that case how would we log into the PIX? Could we exempt console logging from AAA authentication in any way...?
07-04-2007 03:31 AM
If the tacacs server is not available, the authentication process would fall back to the LOCAL database for authentication.
If you want to configure only the telnet session to be authenticated from the tacacs server, then use the following command.
aaa authentication console telnet tacacs+ LOCAL
However, you can replace the "telnet" keyword with ssh or console, as per your requirement.
Above we have defined: if tacacs is not available, try the "LOCAL" database accounts for authentication. So make sure we have some users defined before you configure the aaa authentication command in the PIX config.
In the aaa authentication command we have mentioned "telnet", which means tacacs authentication would only be enabled for the "telnet" sessions, not for SSH or console access to the PIX.
-Parminder
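The two pitfalls in the replies above (a tacacs server group referenced without a "LOCAL" fallback, and a "LOCAL" fallback configured before any username exists) are easy to check for in a saved config. The following audit script is an added example, not code from the thread or from Cisco; the sample configs are constructed, and the server tag "TACACS+", the username "admin" and the password placeholder are assumptions.

```python
# Added example: audit a PIX-style config text for the lockout pitfalls discussed above.
# Assumptions: the server tag named in "aaa authentication" must match the tag defined
# by "aaa-server <tag> protocol ..."; the tag "TACACS+" and user "admin" are constructed.

def _tokens(config):
    """Yield the tokenised, non-empty, non-comment lines of a config."""
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            yield line.split()

def audit_pix_aaa(config):
    """Return a list of finding strings; an empty list means no pitfall was found."""
    tags, hosts, users, auth_lines = set(), set(), set(), []
    for tok in _tokens(config):
        if tok[0] == "aaa-server" and len(tok) >= 4 and tok[2] == "protocol":
            tags.add(tok[1])                  # aaa-server <tag> protocol tacacs+
        elif tok[0] == "aaa-server" and "host" in tok:
            hosts.add(tok[1])                 # aaa-server <tag> (if) host <ip> <key> ...
        elif tok[0] == "username" and len(tok) >= 2:
            users.add(tok[1])                 # local account available for fallback
        elif tok[:2] == ["aaa", "authentication"]:
            auth_lines.append(tok[2:])        # e.g. telnet console <tag> LOCAL
    findings = []
    for tag in sorted(tags - hosts):
        findings.append(f"server group '{tag}' has no host defined")
    for rest in auth_lines:
        what = " ".join(rest)
        groups = [t for t in rest if t in tags]
        if not groups and "LOCAL" not in rest:
            findings.append(f"'{what}': references no defined server group")
        if groups and "LOCAL" not in rest:
            findings.append(f"'{what}': no LOCAL fallback, lockout if {groups[0]} is unreachable")
        if "LOCAL" in rest and not users:
            findings.append(f"'{what}': LOCAL fallback but no username configured")
    return findings

# Constructed samples: RISKY mirrors the thread's commands with the fallback but no
# local account; FIXED adds the account, which is what the replies recommend.
RISKY = """
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.16.1.152 cisco timeout 5
aaa authentication telnet console TACACS+ LOCAL
"""
FIXED = RISKY + "username admin password <set-a-real-one> privilege 15\n"

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY), ("fixed", FIXED)):
        print(name, audit_pix_aaa(cfg) or ["ok"])
```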
07-04-2007 03:38 AM
Dear Parminder;
As per your kind information, if I want "vpdn" authentication and accounting, I would only replace "telnet" with "vpdn". (I have configured vpdn for VPN terminations.) If vpdn is not a recognized keyword for that, please tell me how I can add vpdn authentication and accounting......
I will wait for your kind reply.....
-Sosho-
07-04-2007 04:03 AM
Hi Sosho,
We cannot configure fallback authentication for the VPDN authentication. I would suggest you configure local authentication first and make sure that the config is working; after that, go ahead and configure the radius authentication commands in the config. Here is the sample command for your reference.
vpdn group l2tpipsec client authentication aaa Radius
vpdn group l2tpipsec client accounting Radius
In the above commands "l2tpipsec" is the VPDN group.
-Parminder