
configure aaa using TACACS+ for PIX 520

shankar_sify
Level 1

Hello all,

I am trying to configure aaa using TACACS+ for PIX 520; I am not able to close. Problems are:

1. It doesn't ask for username/password in first level.

2. On second level it asks for user name; it doesn't authenticate the user.

Could you please let me know if the following config is correct? If not, could you help me?

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+

aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+

aaa authen enable console TACACS+

1 Reply

sstudsdahl
Level 4

To get the PIX to ask for the username/password when you first access the system you need to associate the access method with the TACACS+ authentication. You can do this for HTTP, SSH, and Telnet access with the commands:

aaa authentication http console TACACS+

aaa authentication ssh console TACACS+

aaa authentication telnet console TACACS+

The command that you have:

aaa authentication enable console TACACS+

tells the PIX to use TACACS+ when you try to get into enable mode.

Adding the appropriate command from above based upon how you access your PIX should tell the PIX to use TACACS+ for the first level of access and should solve your first issue that you have listed.

As for the second issue of authentication not working, what messages are you seeing in the logs from your TACACS+ server? If you are using CiscoSecure ACS, looking at the "Failed Attempts" report should give an idea as to what problems are occurring during the authentication. There should also be an entry in one of the logfiles (I don't recall which off of the top of my head) that would let you know if there is a problem with the setup of the PIX within ACS.

Steve
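
The check described in the reply, as an added example that is not part of either post and not Cisco tooling: a short Python script that reads pasted PIX configuration text and reports which console access methods (http, ssh, telnet, enable) have no `aaa authentication <method> console` line, or are bound to a server tag with no matching `aaa-server` definition. The names `audit_console_aaa` and `POSTED_CONFIG` are hypothetical, and the four-letter minimum for the abbreviated keyword is this script's own assumption.

```python
# Added example: audits pasted PIX config text for console AAA bindings.
METHODS = ("http", "ssh", "telnet", "enable")  # access methods named in the thread

# The configuration exactly as posted in the question (placeholders included).
POSTED_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authen enable console TACACS+
"""

def audit_console_aaa(config_text):
    """Return ({method: server tag or None}, [findings]) for console logins."""
    protocols, hosts = {}, set()   # tag -> protocol; tags that have a host line
    bound = dict.fromkeys(METHODS)
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) >= 4 and words[0] == "aaa-server":
            if words[2] == "protocol":
                protocols[words[1]] = words[3]
            elif "host" in words[2:4]:   # host keyword in either position
                hosts.add(words[1])
        # The posted config abbreviates the keyword ("aaa authen ..."), so this
        # script accepts any prefix of "authentication" of four or more letters.
        elif (len(words) == 5 and words[0] == "aaa" and len(words[1]) >= 4
              and "authentication".startswith(words[1])
              and words[2] in bound and words[3] == "console"):
            bound[words[2]] = words[4]
    findings = []
    for method, tag in bound.items():
        if tag is None:
            findings.append(f"{method}: no 'aaa authentication {method} console' line")
        elif tag not in protocols:
            findings.append(f"{method}: tag {tag} has no 'aaa-server {tag} protocol' line")
        elif protocols[tag] != "local" and tag not in hosts:
            findings.append(f"{method}: tag {tag} has no host defined")
    return bound, findings

if __name__ == "__main__":
    for line in audit_console_aaa(POSTED_CONFIG)[1]:
        print(line)
```

Run against the posted configuration, it flags http, ssh and telnet as unbound and reports nothing for enable, which matches the first symptom in the question.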