New Member

Configuring PIX as Blocking Device w/TACACS+ Authentication

Hello,

I have a PIX running version 6.3(1). The PIX is configured to use a CSACS 3.1 Server for AAA Authentication and Authorization over TACACS+. The sensor is running 4.0(2)Sig46.

Before adding AAA to the PIX, the sensor was able to connect and set up shuns correctly. Since adding the AAA configuration to the PIX, I've been unable to get the sensor to connect to the PIX for shunning.

I created a login/password with admin rights for the IDS Sensor to connect for creating shuns. I am able to manually authenticate and build shuns over both a Telnet and SSH connection using this login. I have tried deleting and re-adding the blocking device several times.

When I configure the PIX as a Telnet blocking device, I see the Net Device State as "initializing" when looking at the statistics in the IDM. When I configure the PIX as an SSH-DES blocking device, I see the state as "Inactive".

Please let me know if you have any suggestions - if not I guess I'll open a case with TAC. Thanks in advance for the assistance!

Regards,

Chad

Accepted Solution

Cisco Employee

Re: Configuring PIX as Blocking Device w/TACACS+ Authentication

Make sure the PIX is in the allowed host list. From the CLI, type:

    config term
    ssh host-key (ip of pix interface)

Verify that you have associated the PIX with the correct logical device. The logical device record contains the username, password and enable password. Using IDM, it is selected from a pulldown list on the blocking devices page.

4 REPLIES
Cisco Employee

Re: Configuring PIX as Blocking Device w/TACACS+ Authentication

Make sure your PIX basic access password and the TACACS+ password are the same.

This may not have found its way into the 4.0 documentation yet, but can be found here in the 3.1 docs (see step 4):

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13870_01.htm#13213

New Member

Re: Configuring PIX as Blocking Device w/TACACS+ Authentication

OK, I have tried this. I have also tried setting the TACACS user password and enable password to mirror the basic password and enable password on the PIX. I am still seeing the same "initializing" state when I check on the status through the IDM.

Do you have any other suggestions? I've tried the configuration through the IDS MC and more directly through the IDM. I see the same status regardless.

Thanks again,

Chad

New Member

Re: Configuring PIX as Blocking Device w/TACACS+ Authentication

ssh host-key was the piece that resolved the problem.

Thanks again for the assistance.

Chad
