Cannot Enable on PIX Using ACS

kendo.igor
Level 1

I'm using PIX 515E with the latest image. Also using ACS 3.02.

I've entered the following commands to use the ACS for authentication via TACACS+:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.21 key1 timeout 10
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+

I've created a user in ACS and checked the option to use the same password for everything. Also I've given the user the max privilege of 15 and enable permission.

I can telnet into pix fine, but credentials get refused when I try to "enable". Any idea?

Thanks,

3 Replies

gfullage
Cisco Employee

What do you see in the Failed Attempts log on the ACS server? The privilege level shouldn't matter, but the user will definitely need the enable permission set under their configuration.

I just noticed that it only fails when I try to login from telnet. When I try to login from console (Hyperterminal) it works as it should and it's fine.

Under user properties of ACS, I've selected :

TACACS+ Enable Password > User CiscoSecure PAP Password

TACACS+ Enable Control > Max Privilege for any AAA client: 15

When I telnet to the PIX using PuTTY, this is what I get:

User Access Verification

Username: user10
Password: ******
Type help or '?' for a list of available commands.
cwfw01> login
Username: user10
Password: ******
%Login failed
Username: user10
Password: ******
%Login failed
Username: user10
Password: ******
%Login failed
cwfw01>

I've enabled logging for both successful and failed Attempts, but the strange thing is that there are no entries under failed attempts related to the failed attempts listed above. I've clicked on Refresh after each attempt.

If I try to login using "enable" command and entering the enable password, login fails and gets recorded in "failed attempts".

Thanks.

I just found out what I was doing wrong. I should use "enable", not "login".

Thanks very much for your help.
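The thread turns on the difference between a user-mode "login" and an "enable" request: under `aaa authentication enable console TACACS+` the PIX asks the ACS server to authenticate an enable request, which in TACACS+ is a distinct authentication service from an exec login. The following is an added example, not code from the original post or from Cisco, that builds the two TACACS+ (RFC 8907) authentication START packets as a client would send them and parses them back the way a server would, using the shared key to obfuscate the body. The function names (`build_authen_start`, `parse_authen_start`), the port and remote-address strings, the session id, and the reuse of the string `key1` from the aaa-server line as the sample shared key are all assumptions made for the example; the priv_lvl values (1 for login, 15 for enable) are the ones the RFC defines for those services.

```python
"""Added example: TACACS+ (RFC 8907) authentication START packets for a
user-mode login and for an enable request, with the key-driven body
obfuscation. Constructed for illustration; not the page's configuration
and not Cisco's code."""
import hashlib
import struct

# Header (RFC 8907 section 4.1)
TAC_PLUS_VERSION = (0xC << 4) | 0x0   # major 12, minor 0
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication

# Authentication START (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01          # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01     # authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01      # authen_service for an exec/telnet login
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02     # authen_service for "enable"

HEADER_FMT = ">BBBBII"    # version, type, seq_no, flags, session_id, length
START_FMT = ">BBBBBBBB"   # action, priv_lvl, authen_type, service, 4 field lengths


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: MD5_n = MD5(session_id | key | version | seq_no | MD5_n-1)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack(">I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, service, priv_lvl,
                       port="tty0", rem_addr="10.1.1.50", seq_no=1):
    """Client side: first packet of an ASCII authentication exchange.
    port and rem_addr are assumed sample values."""
    user_b, port_b, rem_b, data_b = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack(START_FMT, TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, service,
                       len(user_b), len(port_b), len(rem_b), len(data_b))
    body += user_b + port_b + rem_b + data_b
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN,
                         seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet, key):
    """Server side: de-obfuscate with the configured key and split the fields."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack(START_FMT, body[:8])
    fields = {"action": action, "priv_lvl": priv_lvl,
              "authen_type": authen_type, "service": service}
    off = 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    # A shared-key mismatch between the PIX and ACS leaves the body as
    # noise: the four length fields then no longer add up to the body length.
    fields["consistent"] = (off == length)
    return fields


if __name__ == "__main__":
    sid, key = 0x1A2B3C4D, b"key1"   # constructed session id and sample key
    for label, svc, lvl in (("login", TAC_PLUS_AUTHEN_SVC_LOGIN, 1),
                            ("enable", TAC_PLUS_AUTHEN_SVC_ENABLE, 15)):
        pkt = build_authen_start(sid, key, "user10", svc, lvl)
        print(label, parse_authen_start(pkt, key))
    print("wrong key", parse_authen_start(pkt, b"not-key1")["consistent"])
```

Run it stand-alone to see the two START packets side by side: the only fields that differ are `service` (LOGIN versus ENABLE) and `priv_lvl`, which is what lets the server apply a separate enable password and enable permission to the same username. Parsing with a key other than the one the packet was built with returns garbage fields, which is how a mistyped key on either the aaa-server line or the ACS client entry surfaces.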