
New Member

Cannot Enable on PIX Using ACS

I'm using PIX 515E with the latest image. Also using ACS 3.02.

I've entered the following commands to use the ACS for authentication via TACACS+:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.21 key1 timeout 10
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+

I've created a user in ACS and checked the option to use the same password for everything. Also I've given the user the max privilege of 15 and enable permission.

I can telnet into pix fine, but credentials get refused when I try to "enable". Any idea?

Thanks,
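The four commands above bind the PIX telnet and enable prompts to the TACACS+ server group, and the usual way a lockout like this is diagnosed is by checking that every "aaa authentication ... console" line points at a group that is both defined and has a reachable host. The following script is an added example, not part of the original post or a Cisco tool: it parses a PIX-style configuration into server groups, hosts and authentication bindings, and reports any service whose binding is missing or dangling. The sample configuration is constructed from the commands in the post; the assumption that "LOCAL" is the only valid group name without a host entry is the example's own.

```python
import re

# Constructed sample, modelled on the commands in the post above.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.21 key1 timeout 10
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+
"""

# Regexes for the three PIX aaa line shapes used in the post.
GROUP_RE = re.compile(r"aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"aaa-server (\S+) \((\S+)\) host (\S+)")
AUTH_RE = re.compile(r"aaa authentication (\S+) console (\S+)")


def parse_aaa(config_text):
    """Split a PIX configuration into (group->protocol, group->[hosts], service->group)."""
    groups = {}   # server group name -> protocol (tacacs+, radius, ...)
    hosts = {}    # server group name -> list of host addresses
    auth = {}     # console service (telnet, enable, ssh, ...) -> server group
    for raw in config_text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.setdefault(m.group(1), []).append(m.group(3))
            continue
        m = AUTH_RE.match(line)
        if m:
            auth[m.group(1)] = m.group(2)
    return groups, hosts, auth


def check_aaa(config_text, required=("telnet", "enable")):
    """Return a list of findings; an empty list means every required
    console service is bound to a defined server group with a host.
    'LOCAL' is treated as the built-in database (assumption of this example)."""
    groups, hosts, auth = parse_aaa(config_text)
    findings = []
    for service in required:
        group = auth.get(service)
        if group is None:
            findings.append(f"no 'aaa authentication {service} console' line")
        elif group == "LOCAL":
            continue
        elif group not in groups:
            findings.append(f"{service} authentication references undefined group {group}")
        elif not hosts.get(group):
            findings.append(f"group {group} has no host configured")
    return findings


if __name__ == "__main__":
    for finding in check_aaa(SAMPLE_CONFIG) or ["configuration passes"]:
        print(finding)
```

Run it against a saved "show run" and an empty result means the lockout is not a missing or mistyped binding; the remaining suspects are the ACS side (enable permission, shared key, Failed Attempts log), which is where the replies below point.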

Cisco Employee

Re: Cannot Enable on PIX Using ACS

What do you see in the Failed Attempts log on the ACS server? The privilege level shouldn't matter, but the user will definitely need the enable permission set under their configuration.

New Member

Re: Cannot Enable on PIX Using ACS

I just noticed that it only fails when I try to login from telnet. When I try to login from console (Hyperterminal) it works as it should and it's fine.

Under user properties of ACS, I've selected:

TACACS+ Enable Password > User CiscoSecure PAP Password

TACACS+ Enable Control > Max Privilege for any AAA client: 15

When I telnet to PIX using PuTTY, this is what I get:

User Access Verification

Username: user10
Password: ******
Type help or '?' for a list of available commands.
cwfw01> login
Username: user10
Password: ******
%Login failed
Username: user10
Password: ******
%Login failed
Username: user10
Password: ******
%Login failed
cwfw01>

I've enabled logging for both successful and failed Attempts, but the strange thing is that there are no entries under failed attempts related to the failed attempts listed above. I've clicked on Refresh after each attempt.

If I try to login using "enable" command and entering the enable password, login fails and gets recorded in "failed attempts".

Thanx.

New Member

Re: Cannot Enable on PIX Using ACS

I just found out what I was doing wrong. I should use "enable", not "login".

Thanks very much for your help.
