cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

315
Views
4
Helpful
3
Replies
marl.beynon
Beginner

PIX TACACS+ authentication when server not available

Can anyonbe help me with this...

on a cisco router you can configure it to attempt to authenticate against the ACS server, and fail over to the local password.

I want to set up the same on a PIX firewall, but can find no way to get it to use a local password when the server is unavailable.

Any pointers.

thanks

3 REPLIES 3
wnspenny
Enthusiast

You have to be on the new PIX code, 6.3(4) that came out a few weeks ago. It allows a aaa failback.

Here are the commands to do it. In this example, I named the aaa server group TACACS+.

aaa-server TACACS+ (inside) host XXX.XXX.XXX.XXX {ACS_KEY} timeout {10}

aaa authentication ssh console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

You can also use the aaa authorization command for ACS command authorization.

aaa authorization command TACACS+ LOCAL

The problem I'm having with this is that I can't console into the PIX while authorizing to the ACS Server.

Thanks a lot.

MARK BAKER
Enthusiast

with pix 5.0(3)

with tacacs available

pix password: pix_internal_password

username: tacacs_user_name

password: tacacs_password

pix> enable

username: tacacs_user_name

password: tacacs_passord

pix#

when tacacs is down

pix password: internal_pix_password

username: pix

password: internal_pix_enable_password

*this takes awhile to timeout tacacs before accepting it*

pix> enable

username: pix

password: intermal_pix_enable_password

pix#

---------------------------------------------------

pix version 6.2(2)

with tacacs available

username: tacacs_username

password: tacacs_password

pix> enable

password: tacacs_configured_enable_password

pix#

without tacacs available

username: pix

password: internal_pix_enable_password

*takes awhile*

pix> enable

password: internal_pix_enable_password

*takes awhile*

pix#

this is the default behaviour of the pix. I only configured tacacs for login and enable on the pix. The recovery fuctionally is built into the pix as long as you have a password and enable password configured on the pix. Let me know if you have any other questions.

Content for Community-Ad