Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1267
Views
0
Helpful
1
Replies

PIX/FWSM command authorization?

gspadden
Level 1
Level 1

‎03-16-2005 06:54 AM - edited ‎03-10-2019 02:03 PM

Has anyone sucessfully implement command authorization on a PIX or FWSM?

My goal is to have three users (admin,backup,readonly) where admin user has all rights, the backup user can only issue the write net command, and the readonly can only do show commands.

I can sucessfully authenticate my tacacs users, but am getting stuck at the enable authentication. My tacacs+ server in debug mode gives the message:

enable query for 'admin' 24 from 10.1.2.4 rejected

Here is my tacacs config and my FWSM config:

user = $enable$ {

login = des xxxxx

}

user = $enab15$ {

login = des xxxxx

}

user = admin {

default service = permit

login = file /etc/passwd

}

user = backup {

login = nopassword

cmd = write { permit net

}

}

user = readonly {

login = des xxxxxx

cmd = show {

permit .*

}

cmd = quit {

permit .*

}

cmd = exit {

permit .*

}

cmd = * {

deny .*

}

}

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 1

aaa-server TACACS+ (outside) host 10.1.2.4 xxxxx timeout 10

aaa-server TACACS+ (outside) host 10.1.2.3 xxxxx timeout 10

aaa authentication ssh console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

Labels:
0 Helpful
1 Reply 1

gspadden
Level 1
Level 1

‎03-18-2005 06:28 AM

With the help from http://www.networkforums.net

Here is a working configuration that allows command authentication for the PIX using tacacs+ version 4.4

So that others may not suffer with the PIX like I did:

accounting file = /var/log/tacacs/tac_log.txt

key = verysecret

user = greg {

default service = permit

enable = file /etc/passwd

login = file /etc/passwd

cmd = enable { permit .* }

}

user = backup {

enable = des xxxxxx

login = des yyyyy

cmd = write { permit net }

cmd = enable { permit .* }

cmd = exit { permit .* }

cmd = quit { permit .*}

}

user = readonly {

enable = des wwwww

login = des zzzzz

cmd = show { permit .* }

cmd = quit { permit .* }

cmd = exit { permit .* }

cmd = enable { permit .* }

}

aaa-server TACACS+ (outside) host 10.1.2.4 verysecret timeout 5

aaa authentication ssh console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+ LOCAL

0 Helpful
Customers Also Viewed These Support Documents