03-18-2005 11:17 PM - edited 03-10-2019 02:04 PM
here's a good one...
so within our LAN there is a secured network isolated by PIXs. Most networking devices in our LAN including these PIXs were using a csacs server on the LAN for authentication while additional firewalls and other devices inside this secured environment are using a separate csacs server that is within that isolated environment.
I established a remote access VPN to the PIX on the border of this isolated network in order to manage an internal device from within the corporate LAN.
Once configured I wanted to cut over the AAA to the internal servers since they are using securid. I logged into the pix, added 2 lines, one for each of the 2 internal tacacs servers. and then removed the line for the external server.
unfortunately, and much to my surprise I assure you, it appears that the this pix was also doing command authorization against the outside tacacs server and since the inside server is not configured for command auth, I am not authorized to do anything.
The good news is that because im not authorized to do anything i could not wr mem, so if worst comes to worst I could reboot and have the old config back...the bad news is its not going to be easy to find a time when this fw can be rebooted.
So as it is now, I cannot ssh into the firewall (not sure why, but this appears to have gotten messed up when I switched the servers too). I can console in, but when I did I was already in enable mode (it was a hectic few hours, I must have logged into enable mode), and the only command I was authorized to perform was show, not even exit or conf t or anything.
So I believe I need to figure out how to configure the internal tacacs box to authorize everyone to use any command on the pix in hopes that gives my console user some priveleges to get things headed in the right direction.
Aside from reading the AAA/CSACS docs on univercd, can anyone offer me some quick tips on how to easily grant authorization to everyone to use all commands?
thanks in advance. And no, there is no charge for having been entertained at my expense...
03-21-2005 05:18 AM
if you change the aaa server config on a pix, and then do not wr mem or log in for 24 or 48 hours or something, does it remove those commands??
I came in this morning and they are gone and I am able to log in and my commands are authorized against the old server.
I checked uptime and it did not reboot over the weekend.
Anyone know how this happened?
03-21-2005 08:23 AM
hehe...
so it looked like the commands were gone this morning because i was doing a show conf, not a show run (remember i never wrote to mem)
i couldnt log in and my commands were not being authorized on friday because i believe i was making the changes on the backup csacs server and did not think to replicate the db.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide