Cisco Support Community
Community Member

PIX & CSACS, authenticate w/ radius then local

I want to set up a PIX firewall to authenticate through RADIUS first, then, if RADIUS is unavailable, through LOCAL.

By default, if RADIUS is unavailable it uses the user/pass : pix/enable passwd

I can do this on routers, but I don't know how to do it on pix firewalls.

Pls help.

Thank you.


Re: PIX & CSACS, authenticate w/ radius then local

What version of the pix firewall are you running?

Do you have more than one radius server?

Here is a quote from the pix 6.3 (the latest avail. version):

The PIX Firewall permits only one authentication type per network. For example, if one network connects through the PIX Firewall using TACACS+ for authentication, another network connecting through the PIX Firewall can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.

Since 6.3 is the latest, it may appear that you cannot do on the PIX what can be done on an IOS-based router. I would contact Cisco TAC to verify this. Normally the doc is well written and organized, at least from what I have seen on the PIX 6.1 and higher code levels, so if using two types of authentication is not listed as an example then it probably can't be done.

Community Member

Re: PIX & CSACS, authenticate w/ radius then local

Indeed I cannot.

It looks like in 7.0 I will be able to.

Couple of months to go now ...
