PIX+AAA..simple issue

gopal_voip
Level 1

I have a PIX 506 (6.2) and Cisco ACS 3.0 on a Windows 2000 server with SP4. My only issue is that when I configure the PIX, basically from PDM, and I make a simple username, say X, and put the password in the first password box for the Cisco Secure database, which says "Cisco Secure for PAP", and when I do HTTP, the authentication prompt appears, and after putting in the name/password it pops up 3 times in 10 seconds and then says AUTH failed... Where am I going wrong? No fancy features... just BASIC user authentication... it just won't go. I'm missing some small loop... thanks in advance.

shukky

3 Replies

laje
Level 1

It is advisable you attach your PIX config so you can get a precise answer.

Here's my config:

nameif ethernet0 inside security100
nameif ethernet1 outside security0
enable password xxxx
passwd xxx
hostname PIX-506
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_authentication_AAA-PIX permit tcp 192.169.0.0 255.255.255.0 any
access-list inside_authorization_AAA-PIX permit tcp 192.169.0.0 255.255.255.0 any
access-list inside_accounting_AAA-PIX permit tcp 192.169.0.0 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.169.0.2
no logging message 106015
no logging message 302014
interface ethernet0 10full
interface ethernet1 10full
mtu inside 1500
mtu outside 1500
ip address inside 192.169.0.1 255.255.255.0
ip address outside 192.168.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.169.0.2 255.255.255.255 inside
pdm location 192.169.0.5 255.255.255.255 inside
pdm location 192.169.0.6 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.0.240-192.168.0.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AAA-PIX protocol tacacs+
aaa-server AAA-PIX (inside) host 192.169.0.5 cisco timeout 30
url-server (inside) vendor websense host 192.169.0.5 timeout 30 protocol TCP version1
url-cache src_dst 128KB
aaa authentication http console LOCAL
aaa authentication match inside_authentication_AAA-PIX inside AAA-PIX
aaa authorization match inside_authorization_AAA-PIX inside AAA-PIX
aaa accounting match inside_accounting_AAA-PIX inside AAA-PIX
filter url http 192.169.0.0 255.255.255.0 0.0.0.0 0.0.0.0 longurl-truncate
http server enable
http 192.169.0.0 255.255.255.0 inside
http 192.169.0.2 255.255.255.255 inside
snmp-server host inside 192.169.0.2 trap
no snmp-server location
no snmp-server contact
snmp-server community XXXXXX
snmp-server enable traps
floodguard enable
sysopt uauth allow-http-cache
sysopt route dnat
auth-prompt prompt Whey u DEY GO????
auth-prompt accept Hollaa!!!!
auth-prompt reject Sorryoooo!!!
telnet 192.169.0.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd dns 66.178.2.16
username xxx password xxxxx privilege 2
terminal width 80
Cryptochecksum:xxxx
: end
PIX-506#

Please... friends... I'm still waiting for a working AAA solution to my problem. Don't let me down.
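One way to sanity-check the AAA wiring in a config like the one posted above, as an added example that is not code from this thread or from Cisco: a small Python checker that parses the aaa-server groups and hosts, the access-lists, and the aaa authentication/authorization/accounting statements, then reports dangling references (an ACL or server group that is used but never defined, a non-local group with no host), which database each console service authenticates against, and shared keys that look like placeholders. It assumes the PIX 6.x statement shape `aaa-server <tag> (<if>) host <ip> <key> timeout <n>` for the host line; the weak-key list and the sample config (a trimmed copy of the posted one) are constructed here. On that sample it reports that HTTP console authentication is pointed at the LOCAL database while the three match rules reference AAA-PIX, and that the AAA-PIX host's shared key is a common default value.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the AAA, access-list and http lines from the PIX 6.2 config
# posted in this thread, trimmed to what the checker needs.
SAMPLE_CONFIG = """\
access-list inside_authentication_AAA-PIX permit tcp 192.169.0.0 255.255.255.0 any
access-list inside_authorization_AAA-PIX permit tcp 192.169.0.0 255.255.255.0 any
access-list inside_accounting_AAA-PIX permit tcp 192.169.0.0 255.255.255.0 any
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AAA-PIX protocol tacacs+
aaa-server AAA-PIX (inside) host 192.169.0.5 cisco timeout 30
aaa authentication http console LOCAL
aaa authentication match inside_authentication_AAA-PIX inside AAA-PIX
aaa authorization match inside_authorization_AAA-PIX inside AAA-PIX
aaa accounting match inside_accounting_AAA-PIX inside AAA-PIX
http server enable
http 192.169.0.0 255.255.255.0 inside
"""

# Heuristic list of shared-key values commonly left at a placeholder (constructed here).
WEAK_KEYS = {"cisco", "secret", "password", "key", "changeme"}

# PIX 6.x statement shapes this checker understands (assumed syntax, see lead-in).
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)(?: (\S+))?(?: timeout (\d+))?$")
ACL_RE = re.compile(r"^access-list (\S+) ")
CONSOLE_RE = re.compile(r"^aaa authentication (\S+) console (\S+)$")
MATCH_RE = re.compile(r"^aaa (authentication|authorization|accounting) match (\S+) (\S+) (\S+)$")


@dataclass
class AaaModel:
    groups: dict = field(default_factory=dict)        # server-group tag -> protocol
    hosts: dict = field(default_factory=dict)         # server-group tag -> [(iface, ip, key)]
    acls: set = field(default_factory=set)            # access-list names that are defined
    console_auth: dict = field(default_factory=dict)  # console service (http/telnet/ssh) -> group
    match_rules: list = field(default_factory=list)   # (kind, acl, iface, group)


def parse_pix_aaa(text):
    """Collect the AAA-relevant statements from a PIX 6.x running config."""
    model = AaaModel()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := GROUP_RE.match(line)):
            model.groups[m.group(1)] = m.group(2).lower()
        elif (m := HOST_RE.match(line)):
            model.hosts.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
        elif (m := ACL_RE.match(line)):
            model.acls.add(m.group(1))
        elif (m := CONSOLE_RE.match(line)):
            model.console_auth[m.group(1)] = m.group(2)
        elif (m := MATCH_RE.match(line)):
            model.match_rules.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return model


def check_aaa(model):
    """Return human-readable findings about dangling references and weak settings."""
    findings = []
    for kind, acl, iface, group in model.match_rules:
        if acl not in model.acls:
            findings.append(f"{kind} match rule on {iface} references undefined access-list {acl}")
        if group not in model.groups:
            findings.append(f"{kind} match rule references undefined aaa-server group {group}")
        elif model.groups[group] != "local" and not model.hosts.get(group):
            findings.append(f"{kind} match rule uses group {group} ({model.groups[group]}) with no host configured")
    for service, group in model.console_auth.items():
        if group not in model.groups:
            findings.append(f"{service} console authentication references undefined group {group}")
        elif model.groups[group] == "local":
            findings.append(f"{service} console authentication uses the LOCAL database, not an external server")
    for group, hosts in model.hosts.items():
        for iface, ip, key in hosts:
            if key is None:
                findings.append(f"aaa-server {group} host {ip} on {iface} has no shared key")
            elif key.lower() in WEAK_KEYS:
                findings.append(f"aaa-server {group} host {ip} on {iface} uses a default-looking shared key")
    return findings


def external_groups(model):
    """Server groups that have a non-local protocol and at least one host to talk to."""
    return sorted(g for g, proto in model.groups.items() if proto != "local" and model.hosts.get(g))


if __name__ == "__main__":
    model = parse_pix_aaa(SAMPLE_CONFIG)
    print("external server groups with hosts:", external_groups(model))
    for finding in check_aaa(model):
        print("-", finding)
```

Run it against a full `show run` by replacing SAMPLE_CONFIG with the file contents; lines the regexes do not recognise are simply ignored, so the rest of the config does not need trimming. The checker only reads configuration, so it is safe to run on a copy of a production config when chasing an "AUTH failed" loop like the one described in this thread.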