I have a PIX 515E running Cisco PIX Firewall Version 6.3(5)123. I am looking to have Management users connect to the PIX with their Active Directory credentials to manage the PIX. I have been successful in configuring this for all my switches (2950s, 2960s, 3350s, etc.), but it does not work with the PIX.
Will deleting the below line affect me using local credentials to log in, as that is all I can use to get on the box right now?
aaa-server LOCAL protocol local
Here are the error messages. It looks to be username and password; however, these are the same I use to access my switches through the same manner. There does not look to be any match for policy.
In IAS I have the policy at the top of the list and the conditions are the Client-Friendly-Name matches 172.18.0.2 AND Windows-Groups matches a group the user is in. Are there any particular attributes required for a PIX login such as I have for accessing my switches?
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Time: 8:26:27 AM
User cmanage was denied access.
Fully-Qualified-User-Name = domain\cmanage
NAS-IP-Address = 172.18.0.2
Calling-Station-Identifier = 172.18.7.7
Client-Friendly-Name = 172.18.0.2
Client-IP-Address = 172.18.0.2
NAS-Port = 4183
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Type = PAP
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
57: ssh authentication for user cmanage, session id: 1503537791
58: Received response: cmanage, session id 1503537791
59: Making authentication request for host 172.18.1.1, user cmanage, session id: 1503537791
60: Processing challenge for user cmanage, session id: 1503537791, challenge: Password:
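An added example, not part of the original post or the reply: the IAS event shows Authentication-Type = PAP, and in RADIUS PAP (RFC 2865, section 5.2) the NAS hides the password with MD5 keyed by the shared secret, so a server holding a different secret for that client decodes a different password and cannot tell it apart from a mistyped one. The sketch below reproduces that behaviour; the secrets, password and authenticator are constructed values, and a shared-secret mismatch is only one cause to rule out, not a diagnosis taken from this thread.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: build the User-Password attribute value (RFC 2865, 5.2)."""
    # Pad with NULs to a multiple of 16 bytes (at least one block).
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS server side: undo the hiding with the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def server_verdict(nas_secret: bytes, server_secret: bytes,
                   password: bytes, authenticator: bytes) -> str:
    """Show what the server ends up comparing against the directory password."""
    hidden = hide_password(password, nas_secret, authenticator)
    seen = recover_password(hidden, server_secret, authenticator)
    if seen == password:
        return "accept"
    return "reject: decoded password differs (looks like a bad password)"

if __name__ == "__main__":
    # All values below are constructed for illustration.
    ra = bytes(range(16))                      # Request Authenticator
    pw = b"Constructed-Passw0rd!"              # correct directory password
    print(server_verdict(b"secret-A", b"secret-A", pw, ra))
    print(server_verdict(b"secret-A", b"secret-B", pw, ra))
```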
When you are authenticating on the PIX, is it rejecting the username/password (login authentication), or is login authentication working fine and it is failing at the 'enable authentication' step? Because for enable authentication to work you need to set up a user called $enable15$ in RADIUS. Have you done that? If this is the case, you may temporarily use the LOCAL database for authentication to test.
Also, can you provide more detailed debugs from the PIX? It seems you only ran RADIUS debugs; please run all of the following