Configuring PIX as Blocking Device w/TACACS+ Authentication

cgiulini (Level 1)

Hello,

I have a PIX running version 6.3(1). The PIX is configured to use a CSACS 3.1 Server for AAA Authentication and Authorization over TACACS+. The sensor is running 4.0(2)Sig46.

Before adding AAA to the PIX, the sensor was able to connect and set up shuns correctly. Since adding the AAA configuration to the PIX, I've been unable to get the sensor to connect to the PIX for shunning.

I created a login/password with admin rights for the IDS Sensor to connect for creating shuns. I am able to manually authenticate and build shuns over both a Telnet and SSH connection using this login. I have tried deleting and re-adding the blocking device several times.

When I configure the PIX as a Telnet blocking device, I see the Net Device State as "initializing" when looking at the statistics in the IDM. When I configure the PIX as an SSH-DES blocking device, I see the state as "Inactive".

Please let me know if you have any suggestions - if not I guess I'll open a case with TAC. Thanks in advance for the assistance!

Regards,

Chad


stleary (Cisco Employee)

Make sure your PIX basic access password and the TACACS+ password are the same.

This may not have found its way into the 4.0 documentation yet, but can be found here in the 3.1 docs (see step 4):

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13870_01.htm#13213

OK, I have tried this. I have also tried setting the TACACS user password and enable password to mirror the basic password and enable password on the PIX. I am still seeing the same "initializing" state when I check on the status through the IDM.

Do you have any other suggestions? I've tried the configuration through the IDS MC and more directly through the IDM. I see the same status regardless.

Thanks again,

Chad

Make sure the PIX is in the allowed host list. From the CLI, type

config term
ssh host-key (IP of PIX interface)

Verify that you have associated the PIX with the correct logical device. The logical device record contains the username, password and enable password. Using IDM, it is selected from a pulldown list on the blocking devices page.

ssh host-key was the piece that resolved the problem.

Thanks again for the assistance.

Chad
