03-04-2004 05:45 AM - edited 02-21-2020 10:09 AM
I have a PIX 506 (6.2) and Cisco ACS 3.0 on a Windows 2000 server with SP4. My only issue is that when I configure the PIX, basically from PDM, and I make a simple username, say X, and put the password in the first password box for the CiscoSecure database, which says "CiscoSecure for PAP", and when I do HTTP the authentication prompt appears and after putting in name/password it pops up 3 times in 10 seconds and then says AUTH failed... where am I going wrong? No fancy features, just BASIC user authentication... it just won't go. I'm missing some small loop... thanks in advance.
shukky
03-04-2004 06:53 AM
It's advisable that you attach your PIX config so you can get a precise answer.
03-04-2004 07:20 AM
Here's my config:
nameif ethernet0 inside security100
nameif ethernet1 outside security0
enable password xxxx
passwd xxx
hostname PIX-506
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list inside_authentication_AAA-PIX permit tcp 192.169.0.0 255.255.255.0 any
access-list inside_authorization_AAA-PIX permit tcp 192.169.0.0 255.255.255.0 any
access-list inside_accounting_AAA-PIX permit tcp 192.169.0.0 255.255.255.0 any
pager lines 24
logging on
logging timestamp
logging trap informational
logging host inside 192.169.0.2
no logging message 106015
no logging message 302014
interface ethernet0 10full
interface ethernet1 10full
mtu inside 1500
mtu outside 1500
ip address inside 192.169.0.1 255.255.255.0
ip address outside 192.168.0.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.169.0.2 255.255.255.255 inside
pdm location 192.169.0.5 255.255.255.255 inside
pdm location 192.169.0.6 255.255.255.255 inside
pdm logging notifications 100
pdm history enable
arp timeout 14400
global (outside) 1 192.168.0.240-192.168.0.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AAA-PIX protocol tacacs+
aaa-server AAA-PIX (inside) host 192.169.0.5 cisco timeout 30
url-server (inside) vendor websense host 192.169.0.5 timeout 30 protocol TCP version1
url-cache src_dst 128KB
aaa authentication http console LOCAL
aaa authentication match inside_authentication_AAA-PIX inside AAA-PIX
aaa authorization match inside_authorization_AAA-PIX inside AAA-PIX
aaa accounting match inside_accounting_AAA-PIX inside AAA-PIX
filter url http 192.169.0.0 255.255.255.0 0.0.0.0 0.0.0.0 longurl-truncate
http server enable
http 192.169.0.0 255.255.255.0 inside
http 192.169.0.2 255.255.255.255 inside
snmp-server host inside 192.169.0.2 trap
no snmp-server location
no snmp-server contact
snmp-server community XXXXXX
snmp-server enable traps
floodguard enable
sysopt uauth allow-http-cache
sysopt route dnat
auth-prompt prompt Whey u DEY GO????
auth-prompt accept Hollaa!!!!
auth-prompt reject Sorryoooo!!!
telnet 192.169.0.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
dhcpd dns 66.178.2.16
username xxx password xxxxx
privilege 2
terminal width 80
Cryptochecksum:xxxx
: end
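The config above points the PIX at a TACACS+ server with `aaa-server AAA-PIX (inside) host 192.169.0.5 cisco timeout 30`, so two things have to agree before the cut-through proxy can work: the shared key `cisco` must match what ACS has for this AAA client, and the user must be accepted by ACS at all. The following is an added example, not code from any poster on this thread or from Cisco, that takes the PIX out of the loop: a minimal TACACS+ PAP authentication client (packet format and MD5 pseudo-pad obfuscation per RFC 8907) to run from a host on the inside network against the ACS host. It assumes ACS will accept a PAP-type authentication START (the PIX itself may use a different authen_type); the host, key and user strings are the ones from the config and first post, and `build_authen_reply` is only there to construct a server reply offline so the parser can be exercised without a live ACS.

```python
"""Minimal TACACS+ (RFC 8907) PAP authentication test client.

Added example for checking the ACS side of the PIX aaa-server line
independently of the PIX. Assumes the server accepts PAP-type
authentication; IP, key and user below come from the thread.
"""
import hashlib
import os
import socket
import struct

HEADER_FMT = "!BBBBII"           # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
VERSION_PAP = 0xC1               # major version 0xC, minor version 1 (required for PAP)
TYPE_AUTHEN = 0x01
ACTION_LOGIN = 0x01
AUTHEN_TYPE_PAP = 0x02
SVC_LOGIN = 0x01
FLAG_UNENCRYPTED = 0x01
STATUS_NAMES = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5: each block chains the previous digest."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, password, session_id, key, port=b"", rem_addr=b"", priv_lvl=1):
    """Authentication START carrying the password as PAP data (single round trip)."""
    body = struct.pack("!BBBBBBBB", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_PAP, SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    header = struct.pack(HEADER_FMT, VERSION_PAP, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_PAP, 1)


def build_authen_reply(status, server_msg, session_id, key, seq_no=2):
    """What the server sends back; included only to exercise the parser offline."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    header = struct.pack(HEADER_FMT, VERSION_PAP, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_PAP, seq_no)


def parse_authen_reply(packet, key, expected_session_id=None):
    """Return (status, server_msg) from an authentication REPLY packet."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TYPE_AUTHEN or len(packet) != HEADER_LEN + length:
        raise ValueError("malformed TACACS+ reply")
    if expected_session_id is not None and session_id != expected_session_id:
        raise ValueError("session id mismatch")
    body = packet[HEADER_LEN:]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != len(body):
        # A wrong shared key turns the body into noise; lengths stop adding up.
        raise ValueError("reply body does not decode: check the shared key")
    return status, body[6:6 + msg_len]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TACACS+ server closed the connection")
        buf += chunk
    return buf


def authenticate(host, user, password, key, port=49, timeout=5.0):
    """One PAP authentication against a live TACACS+ server; returns (status name, server message)."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_authen_start(user.encode(), password.encode(), session_id, key))
        hdr = s.recv(HEADER_LEN)
        length = struct.unpack(HEADER_FMT, hdr)[5]
        reply = hdr + _recv_exact(s, length)
    status, msg = parse_authen_reply(reply, key, session_id)
    return STATUS_NAMES.get(status, str(status)), msg.decode(errors="replace")


if __name__ == "__main__":
    # Values from the thread: ACS host 192.169.0.5, shared key "cisco", test user X
    print(authenticate("192.169.0.5", "X", "password-for-X", b"cisco"))
```

Reading the result: `FAIL` means ACS reached a verdict on the user and rejected the password (so the account or password in ACS is the problem, not the PIX); `ValueError: ... check the shared key` means the reply decoded to garbage, which is what a key mismatch between the `aaa-server` line and the ACS AAA-client entry looks like on the wire; a timeout or connection refused means TCP/49 to 192.169.0.5 is not reachable from the inside network at all.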
03-05-2004 02:53 AM
Please, friends... I'm still waiting for a working AAA solution to my problem. Don't let me down.