Login Problem to PIX if TACACS fails

lvrak2102
Level 1

Hi All,

I tried to integrate PIX535 with tacacs; under normal circumstances everything is working fine. But if tacacs fails, I'm unable to get the login.

7 Replies

a.kiprawih
Level 7

Hi,

Unlike a router, the PIX does not provide you the option to use the local database if the AAA server is unreachable or has failed.

Normally, you need to specify the tacacs+ server & group, then tie the access method to the tacacs using the "aaa authentication" command.

Maybe you should consider using LOCAL database via ssh as a backup.

Rgds,

AK

Hi,

Appreciate your help, I'm trying to access from outside interface which works on ssh as telnet doesn't work on the outside interface.

How do you go about this?

Rgds,

lvrk

Hi,

If you are using version 7 you can use local authentication as a backup as you would on standard IOS. You may be able to do it on the version prior, but I'm not 100% sure about that.

Regards

Miron

altaf007
Level 1

I think you can use "pix" as username and "pix" as password, without the quotation marks. I had to do it last year when AAA was down.

altaf

If that works, it should be username 'pix' and for password the enable-password or secret of the unit.

Actually, "pix" is the default username of the ssh user. The default password of this account is "cisco", and can be changed with the "passwd" command (same password if you have telnet enabled). Hopefully the person who has their password set to pix changes that, since someone can DoS your RADIUS/TACACS server and then use pix/pix to log in. That's not very secure!

jason.drury
Level 1

If the PIX fails to communicate with the tacacs server after 3 attempts, it will allow you to log in as the user "pix". This is the default local user when you enable SSH.
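
An added example, not part of the thread or any poster's code: a small Python check that reads a saved PIX configuration and reports how management logins behave when the AAA server is unreachable, covering the LOCAL fallback and the default "pix" SSH user discussed above. It assumes PIX 7.x `aaa authentication <service> console <group> [LOCAL]` syntax; the function name `audit` and both sample configurations are constructed for illustration.

```python
import re

# Constructed sample configs in PIX 7.x syntax; not taken from the thread.
NO_FALLBACK = """\
ssh 192.0.2.0 255.255.255.0 outside
aaa-server TACACS+ protocol tacacs+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+ LOCAL
"""
WITH_FALLBACK = """\
username admin password PLACEHOLDER encrypted privilege 15
ssh 192.0.2.0 255.255.255.0 outside
aaa-server TACACS+ protocol tacacs+
aaa authentication ssh console TACACS+ LOCAL
"""

AAA_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")
SSH_ACL_RE = re.compile(r"^ssh \d+\.\d+\.\d+\.\d+ ")  # "ssh <addr> <mask> <if>"


def audit(config):
    """Return findings about management logins when the AAA server is down."""
    methods, has_user, ssh_on = {}, False, False
    for line in map(str.strip, config.splitlines()):
        has_user = has_user or line.startswith("username ")
        ssh_on = ssh_on or bool(SSH_ACL_RE.match(line))
        m = AAA_RE.match(line)
        if m:
            methods[m.group(1)] = m.group(2).split()
    findings = []
    # A method list that does not end in LOCAL has no fallback (lockout risk).
    for service, groups in sorted(methods.items()):
        if groups[-1] != "LOCAL":
            findings.append(f"{service}: no LOCAL fallback after {groups[0]}")
    # SSH permitted but not tied to AAA: login is the built-in "pix" user.
    if ssh_on and "ssh" not in methods:
        findings.append("ssh: no AAA configured, login is user 'pix' with passwd")
    # LOCAL is useless as a fallback if no local account exists.
    if any("LOCAL" in g for g in methods.values()) and not has_user:
        findings.append("LOCAL is referenced but no username is defined")
    return findings


if __name__ == "__main__":
    for name, cfg in (("no fallback", NO_FALLBACK), ("with fallback", WITH_FALLBACK)):
        print(name, "->", audit(cfg) or "ok")
```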