PIX, PDM and AAA problems

dlsaunders
Level 1

I have a PIX 520 in the lab running 6.3.3 and PDM 3.0. I am testing AAA authentication and authorization to our ACS server and am running into problems.

I have two groups set up on our ACS server. One group has full access, the other group is set up with a Shell Command Authorization Set that limits commands so that they can look at the running-config and a few other things. Users from both groups can log into the PDM and/or SSH/telnet/serial into the device and are authenticated and authorized properly.

The configuration listed below works great, until I pull the ACS server off of the network. Since there isn't any backup authentication or command authorization method I am dead in the water. When this happens, I can still log in via the serial console using the 'pix' username and enable password, I just can't run the 'enable' command to get into privileged mode or any other command for that matter. (I get a 'Command authorization failed' error).

Here's the current configuration:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 1.2.3.4 123456 timeout 5
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authentication http console TACACS+
aaa authorization command TACACS+

Is there any way to set up a backup method for authentication and command authorization? If not, is there any other way around the problem that I am running into?

Let me know if you need any more info. Thanks!
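The lockout condition described in the post, as an added config-audit script (my example, not code from anyone in the thread or from Cisco): it parses the AAA lines quoted above and flags every authentication or command-authorization line whose only method is a remote server group. It treats a trailing LOCAL keyword as a fallback; that keyword is the form later PIX/ASA releases accept and is an assumption here, not something the 6.3.3 code in this thread offers.

```python
import re

# Constructed sample: the AAA lines quoted in the original post, not a live device.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 1.2.3.4 123456 timeout 5
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authentication http console TACACS+
aaa authorization command TACACS+
"""

# PIX 6.3 syntax as on the page. The optional trailing LOCAL is the fallback form
# that later PIX/ASA releases accept (assumption); 6.3.3 has no such option.
AUTHN_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?: (LOCAL))?$")

def parse_aaa_line(line):
    """Parse one 'aaa authentication/authorization' line into a dict, else None."""
    m = AUTHN_RE.match(line)
    if m:
        return {"kind": "authentication", "service": m.group(1),
                "group": m.group(2), "fallback": m.group(3)}
    m = AUTHZ_RE.match(line)
    if m:
        return {"kind": "authorization", "service": "command",
                "group": m.group(1), "fallback": m.group(2)}
    return None

def audit_aaa_fallback(config):
    """Return (severity, findings); a finding is an AAA line whose only method is
    a remote server group. 'authorization command' without fallback is critical:
    with the group down every command, including 'enable' on the serial console,
    fails with 'Command authorization failed'. Authentication gaps rate high."""
    findings = []
    for raw in config.splitlines():
        entry = parse_aaa_line(raw.strip())
        if entry is None or entry["group"].upper() == "LOCAL" or entry["fallback"]:
            continue  # local-only, or remote with LOCAL fallback: not a lockout risk
        findings.append(entry)
    if any(f["kind"] == "authorization" for f in findings):
        return "critical", findings
    return ("high" if findings else "ok"), findings

if __name__ == "__main__":
    severity, found = audit_aaa_fallback(SAMPLE_CONFIG)
    print(severity, [f["service"] for f in found])  # critical, six services
```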


4 Replies

drolemc
Level 6

To backup command authorization for users if the TACACS server fails, you need to modify your configuration along the following lines:

username privilege password 0
username privilege password 0
.......
....

Now, if the TACACS server fails, users associated with a given level will have access to all commands associated with that level (configured by privilege exec level ).

That should work for an IOS router. It does not appear to work with the PIX though (syntax modified to match PIX commands, of course). Thanks for the input though.

The enable command is at privilege level 0 by default:

testpix# sh privilege command enable
privilege configure level 0 mode enable command enable

With connectivity to the TACACS server removed and logging in with the default pix username (privilege level 1) and enable password, here's what I see:

Username: pix
Password: *******
aaa server host machine not responding
Type help or '?' for a list of available commands.
testpix> en
aaa server host machine not responding
Command authorization failed

Since 'aaa authorization command TACACS+' is enabled, the PIX doesn't allow me to run the enable command (or any other command for that matter), even though the user logged in (pix) is at privilege level 1 and the enable command is at privilege level 0.

Any ideas?

Hi,

Sorry, I missed this earlier. There is a known deficiency on the PIX for this and we have an open enhancement request to add multiple authorization methods to the PIX - CSCea04538. At this point, your best bet is to bug your account team to get this feature added to upcoming PIX code. Sorry for the inconvenience.

Scott

Thanks for the information. I guarantee we will be bugging our account team on this one! Thanks... Dustin