Hi all, I am trying to get a pix 6.3 to authenticate telnet users via radius with a Microsoft IAS server. This works well, but Im trying to get it where when they log in, it just dumps them into enable mode, instead of typing in the enable AD credential again. Anyone have any insight on how to do this? Its a IAS configuration thing I know, but not sure what to do with it. Thanks in advance.
If you mean on firewall,
The unfortunately, Pix firewall does not have this concept, like IOS devices have.
On IOS you can get the user log directly into enable (Privileged exec) mode by passing attribute,
cisco av-pair as shell:priv-lvl=n or on some IOS only using Service Type as Administrative will do the trick.
Where, n is the privilege level.
AND, there has to be an EXEC authorization command on the IOS device, e.g.,
aaa authorization exec
Unfortunately, that is not the case for the Pix firewall, they have a different OS.
Please rate if it helps!
Even tough the exec authorization feature in the Cisco PIX/ASA is not 'completely' implemented, it does not mean you cannot do things like command authorization on the PIX/ASA. So let us know what exactly do you want to achieve and maybe we could help.
Hey, thanks. When I telnet into the device, and successfully log in, Id like it to dump me directly into enable mode. routername# instead of routername>
Do you know if there is a plan to support this in any later versions? In my work enviroment shared passwords are not allowed. Thanks.
You might want to contact your accounts team for the same.
If sharing of password is not allowed, then you can enable, enable password authentication on firewall, i.e.
aaa authentication enable console
And on the ACS server, under user's profile, make sure that enable password is selected as the user's account password against the respective database.
Thanks works great thanks. One more question...
On my IOS equipment, I am able to make it check the LOCAL db first then radius rather than radius first. Is there a way to do it this way on the ASA?
I think on your IOS this is how you are doing the authentication,
aaa authentication login default local group radius...
Local first and then Radius, right ?
If I understand you situation correctly, then that functionality/behavior is not how ASA/PIX firewall works.
If you specify LOCAL, then there is no other method available, i.e.,
aaa authentication telnet console LOCAL
But, you can specify the fallback as LOCAL in the event your Radius/Tacacs server is not available,
aaa authentication telnet console
Please rate if it helps!