Re: AAA with PIX

rohit_s · ‎06-12-2006

I am using TACACS+ authentication and authorization for PIX integrated with the Cisco ACS 4.0

1. aaa authentication telnet console TACSERVER

2. aaa authentication enable console TACSERVER

3. aaa authorization command TACSERVER

Problem is:- When I execute disable command from the PIX privilege mode then I am not able to again enter into privilege mode by giving command Enable. It gives me a error message as command authorization failed.

Also while logging through console port, I get the prompt as PIX>. Now again after giving the Enable command same error message as above comes.

I feel command authorization is not working at PIX> prompt.

Need urgent solution...

a.hajhamad · ‎06-12-2006

I think the best and fast solution is to go to the ACS under your account and to shell command Authorization Set and select None....in order to permit any command you type at the PIX.

The aaa authorization command TACSERVER will check if you are allowed to do any typed command from the ACS or not, i think this will do some delay.

I hope this is helpful.

Plz. rate if it does!

Regards

Abd Alqader

rohit_s · ‎06-14-2006

Hi Alqader,

I have already applied full privileges to the account. But still its not working. I feel authorization works only from Privilege or config mode. But when I disable from privilege mode and give Enable or any other command, it fails (As I am now in unprivilege mode)

Surprisingly it works very first time when I telnet the PIX and enter into Unprivilege mode i.e.PIX>..I am even able to enter privilege mode from here.

But problem arises only after DISABLE command and from Console Connection.

a.hajhamad · ‎06-18-2006

Could you please paste your PIX config?

Thanks

Abd Alqader

brooks-el · ‎06-19-2006

I believe there is a place on ACS that specifies the user has shell access, its a check box under user and/or group settings. I believe that this option is checked when entering into priv mode.

exec shell check box...