Community Member

TACACS+ authorization PIX6.3/ACS3.3

I have a PIX 501, Firewall Software version 6.3.

I have set up the ACS 3.3 server and can now authenticate:

enable password cisco

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (inside) host 1.2.3.4 ciscokey timeout 5

aaa authentication telnet console TACACS+

aaa authentication ssh console TACACS+

But I want to set up authorization,

because I need to specify which commands users on the PIX can use.

So I tried this on the PIX:

aaa authorization command TACACS+

And on ACS (see picture).

After logging on I see:

login as: admin

Sent username "admin"

admin@192.168.22.29's password:

Type help or '?' for a list of available commands.

PIX> enable

Password: **********

PIX# sh ver

Command authorization failed

PIX# sh run

Command authorization failed

Where is my error?

And a second question.

I tried this on the PIX:

aaa authentication enable console TACACS+

I try with the TACACS+ password coming from ACS, but I don't understand why my account doesn't go straight to # (privilege level 15) and I need to enter the enable command. And my local enable password doesn't match in this case.

4 REPLIES
Community Member

Re: TACACS+ authorization PIX6.3/ACS3.3

I have attached a .zip file with screenshots of ACS and commands on the PIX. Let me know if this helps.

Community Member

Re: TACACS+ authorization PIX6.3/ACS3.3

One problem was solved. Authorization works.

My error:

I tried: aaa authentication enable console TACACS+ LOCAL

or

aaa authorization command TACACS+ LOCAL

but not together.

Problem1:

But now I don't see any records from the PIX in ACS:

Reports and Activity->

TACACS+ Accounting

TACACS+ Administration

Problem2:

my account doesn't go to # (privilege level 15) and I need to enter the enable command.

Even though:

Group User->MyGroup->

Enable Options: Max Privilege for any AAA Client - Level15

Shell (exec): Privilege level 15

Community Member

Re: TACACS+ authorization PIX6.3/ACS3.3

Config on PIX:

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server TACACS+ (inside) host 1.2.3.4 cisco timeout 5

aaa-server LOCAL protocol local

aaa authentication ssh console TACACS+

aaa authentication telnet console TACACS+

aaa authentication http console TACACS+

aaa authentication enable console TACACS+

aaa authorization command TACACS+

Community Member

Re: TACACS+ authorization PIX6.3/ACS3.3

Issue 1:

If you are using PIX code 6.3.4 and below, accounting is only possible for pass-through connections, i.e. traffic passing through the PIX. Accounting for admin sessions is not possible on the ACS server. You need PIX code 7.0 and above for that.

Issue 2

I am not sure about this, but as far as I remember the PIX will not behave like IOS devices, where you can drop directly into enable mode (if you have Shell exec checked in ACS and privilege level 15 configured).
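The two configs posted in this thread (the original one with only telnet/ssh authentication plus command authorization, and the later one with enable authentication added) can be checked mechanically for the points the thread turns on. The script below is an added example written for this page; it is not Cisco tooling and not code from any of the posters. It assumes the PIX 6.3 syntax shown above, including the optional `LOCAL` fallback keyword on `aaa authentication ... console` and `aaa authorization command` as the second reply uses it. Its `enable_15` check rests on the documented PIX/ASA behaviour that, when enable is not authenticated against the AAA server, command authorization requests after `enable` are sent for the placeholder username `enable_15`, which no ACS group knows. The weak-key list is a heuristic, and the sample configs, including the hardened one and its placeholder key, are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

AUTHN_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?\s*$")
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?: (LOCAL))?\s*$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+) (\S+)")

# Heuristic list of shared keys that should never reach production (assumption).
WEAK_KEYS = {"cisco", "ciscokey", "secret", "password", "tacacs", "key"}

# Constructed samples: the first poster's config, the later posted config,
# and a hardened variant (placeholder key; a real one would be long and random).
ORIGINAL_CONFIG = """\
enable password cisco
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 1.2.3.4 ciscokey timeout 5
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authorization command TACACS+
"""
POSTED_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 1.2.3.4 cisco timeout 5
aaa-server LOCAL protocol local
aaa authentication ssh console TACACS+
aaa authentication telnet console TACACS+
aaa authentication http console TACACS+
aaa authentication enable console TACACS+
aaa authorization command TACACS+
"""
HARDENED_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 1.2.3.4 Ht8qLm2vXp4ZsWr9 timeout 5
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
"""


def parse_aaa(config: str) -> Tuple[Dict[str, Tuple[str, bool]],
                                    Optional[Tuple[str, bool]], Dict[str, str]]:
    """Return (authentication by service, command authorization, shared key by group)."""
    authn: Dict[str, Tuple[str, bool]] = {}   # service -> (group, has LOCAL fallback)
    authz: Optional[Tuple[str, bool]] = None  # (group, has LOCAL fallback)
    keys: Dict[str, str] = {}                 # group -> shared key
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTHN_RE.match(line)
        if m:
            authn[m.group(1)] = (m.group(2), m.group(3) is not None)
            continue
        m = AUTHZ_RE.match(line)
        if m:
            authz = (m.group(1), m.group(2) is not None)
            continue
        m = HOST_RE.match(line)
        if m:
            keys[m.group(1)] = m.group(4)
    return authn, authz, keys


def audit(config: str) -> List[str]:
    """Return findings as strings; an empty list means the config passes every check."""
    authn, authz, keys = parse_aaa(config)
    findings: List[str] = []
    if authz is not None:
        group, fallback = authz
        enable = authn.get("enable")
        if enable is None:
            # Without enable authentication the PIX authorizes post-enable commands
            # for the placeholder user enable_15, which ACS has no entry for.
            findings.append(f"command authorization uses {group} but enable is not "
                            f"authenticated: commands are authorized as enable_15")
        elif enable[0] != group:
            findings.append(f"command authorization uses {group} but enable "
                            f"authentication uses {enable[0]}; use one group for both")
        if not fallback:
            findings.append(f"'aaa authorization command {group}' has no LOCAL "
                            f"fallback: every command fails while {group} is down")
    for service, (group, fallback) in sorted(authn.items()):
        if group.upper() != "LOCAL" and not fallback:
            findings.append(f"'aaa authentication {service} console {group}' has no "
                            f"LOCAL fallback: admins are locked out while {group} is down")
    for group, key in keys.items():
        if key.lower() in WEAK_KEYS or len(key) < 12:
            findings.append(f"shared key for {group} is trivial or short; it protects "
                            f"every credential and authorization exchange with ACS")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("posted", POSTED_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run against the three samples, the original config produces the `enable_15` finding that matches the "Command authorization failed" symptom in the first post, the later config clears that but still has no LOCAL fallback on any line and a trivial shared key, and the hardened variant reports nothing. The LOCAL fallback matters because, with `aaa authorization command` pointed only at the server group, an unreachable ACS leaves the firewall administratively dead until the session is reset.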
