Locked out of PIX/Command Auth

slug420 (Level 1)

here's a good one...

so within our LAN there is a secured network isolated by PIXs. Most networking devices in our LAN, including these PIXs, were using a CSACS server on the LAN for authentication, while additional firewalls and other devices inside this secured environment are using a separate CSACS server that is within that isolated environment.

I established a remote access VPN to the PIX on the border of this isolated network in order to manage an internal device from within the corporate LAN.

Once configured, I wanted to cut over the AAA to the internal servers since they are using SecurID. I logged into the PIX, added 2 lines, one for each of the 2 internal TACACS servers, and then removed the line for the external server.

unfortunately, and much to my surprise I assure you, it appears that this PIX was also doing command authorization against the outside TACACS server, and since the inside server is not configured for command auth, I am not authorized to do anything.

The good news is that because I'm not authorized to do anything I could not wr mem, so if worst comes to worst I could reboot and have the old config back... the bad news is it's not going to be easy to find a time when this FW can be rebooted.

So as it is now, I cannot SSH into the firewall (not sure why, but this appears to have gotten messed up when I switched the servers too). I can console in, but when I did I was already in enable mode (it was a hectic few hours, I must have logged into enable mode), and the only command I was authorized to perform was show, not even exit or conf t or anything.

So I believe I need to figure out how to configure the internal TACACS box to authorize everyone to use any command on the PIX, in hopes that gives my console user some privileges to get things headed in the right direction.

Aside from reading the AAA/CSACS docs on univercd, can anyone offer me some quick tips on how to easily grant authorization to everyone to use all commands?

thanks in advance. And no, there is no charge for having been entertained at my expense...
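The cut-over described in the post removed the only working AAA server before the new ones had been verified, which is how the console ended up with nothing but `show`. The configuration below is an added example (not from this thread or from Cisco) of a staged cut-over that keeps the old server group and adds a LOCAL fallback until the new group has been tested. It assumes PIX 7.x / ASA syntax; the group names, addresses, key and username are constructed placeholders.

```cisco
! Added example, not from the original post: staged AAA cut-over on a
! PIX 7.x / ASA (assumed syntax). Addresses, keys and names are constructed.

! 1. Local administrator that the LOCAL fallback can authenticate.
username fallback-admin password <strong-local-password> privilege 15

! 2. Define the NEW inside TACACS+ group next to the existing outside group
!    instead of deleting the old one first.
aaa-server INSIDE-TACACS protocol tacacs+
aaa-server INSIDE-TACACS (inside) host 192.0.2.11 key <shared-secret>
aaa-server INSIDE-TACACS (inside) host 192.0.2.12 key <shared-secret>

! 3. Point login and command authorization at the new group, with LOCAL
!    as the fallback that is used only when every server is unreachable.
aaa authentication ssh console INSIDE-TACACS LOCAL
aaa authentication enable console INSIDE-TACACS LOCAL
aaa authorization command INSIDE-TACACS LOCAL

! 4. Verify from the running session, then open a SECOND SSH session and
!    confirm that conf t and show run are authorized there.
test aaa-server authentication INSIDE-TACACS host 192.0.2.11 username fallback-admin password <strong-local-password>
show aaa-server INSIDE-TACACS

! 5. Only after step 4 succeeds in the new session: drop the old group and save.
no aaa-server OUTSIDE-TACACS (outside) host 198.51.100.5
write memory
```

Two caveats that matter for exactly this failure: the LOCAL fallback helps only when the TACACS+ servers cannot be reached, not when a reachable server answers with a deny for every command (the situation in the post), so the real safety net is step 4, keeping the original session open and testing in a second one before the old group is removed. And because command authorization is checked on the server side, the server-side change (a shell command set that permits all commands for the admin group, replicated to every CSACS node) has to be in place before the firewall is pointed at it.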

2 Replies

slug420 (Level 1)

if you change the aaa server config on a PIX, and then do not wr mem or log in for 24 or 48 hours or something, does it remove those commands?

I came in this morning and they are gone and I am able to log in and my commands are authorized against the old server.

I checked uptime and it did not reboot over the weekend.

Anyone know how this happened?

hehe...

so it looked like the commands were gone this morning because I was doing a show conf, not a show run (remember I never wrote to mem)

I couldn't log in and my commands were not being authorized on Friday because I believe I was making the changes on the backup CSACS server and did not think to replicate the DB.