I tried to reconfigure my PIX authorization. I'm not authorized to issue any command on my PIX. I've already permitted all commands in my ACS PIX Command Authorization Set, but there's no luck. I used my LOCAL account and it's still not working. See the message below.
PIXA# show run
Fallback authorization. Username 'enable_15' not in LOCAL database
Command authorization failed
Appreciate your help,
You need to create a user as "enable_15" in local and tacacs database with privilege 15 and with permission to issue all commands.
Once you have it, fallback should work.
Do rate helpful posts
My fallback problem has been resolved. But I have another problem: whenever I enter the command "aaa authentication enable console", my PIX Command Authorization Set is not working; in other words, all commands are permitted. But when I removed it and tried to log in again, I'm always getting "command authorization failed". I don't know what is causing that. I'm using ACS v3.3 and PIX v722. Please help me with what the right commands and config should be on my ACS and PIX. Here is my current config.
aaa authentication telnet console TAC+ LOCAL
aaa authentication enable console TAC+ LOCAL
aaa authorization TAC+ LOCAL
Pix Command Authorization Set button selected.
Hi, this is Tai and I have a problem with an ASA5520. I forgot to add a route on the management interface which is used for AAA authentication. The problem is I can't even use a local account to log in. I can log in to the system but not the context that I applied AAA to. Please help.
I really screwed up my ASA now. We have two contexts on the ASA, Con1 and Con2. I can get into Con2 since I didn't set up AAA on that. But I can't log in to Con2; I set up AAA on that and am using the management interface for AAA. But both AAA and the local account are not working and I cannot assign the user name enable_15 on Con2. It doesn't accept the admin local account on that. Please help!!!!
If you have not saved the config, try a reboot; the AAA config will be deleted.
If you have saved the config, then check the AAA logs.
If the logs don't help you, make the AAA server unreachable from the ASA and it will accept the local credentials.
In addition to that, please check your "failed attempt" logs in your ACS. They will give you the reason why the login fails. Check the reason code, NAS and the username in your ACS failed attempt logs.
Hope it will help.
Thanks jong. But the main problem for me is that I forgot to add a route to the management interface that enables AAA. I found out that Cisco has bug CSCsj56051 and will try to upload a new bin file and see if it works for local. BTW, if I can edit the current admin context file and add the route, will it work? Thanks
I have another question. Let's say I have the context file Test.cfg currently used as the admin context. I just uploaded a new config file Test1.cfg to the ASA. If I rename my Test1.cfg to Test.cfg, and rename Test.cfg to Test1.cfg, after I reboot the ASA, will it take the new config file Test.cfg? Thanks
Another one is: must the ASA have the same IOS?