Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
944
Views
4
Helpful
3
Replies

PIX TACACS+ authentication when server not available

marl.beynon
Level 1
Level 1

‎07-20-2004 06:12 AM - edited ‎03-10-2019 07:55 AM

Can anyonbe help me with this...

on a cisco router you can configure it to attempt to authenticate against the ACS server, and fail over to the local password.

I want to set up the same on a PIX firewall, but can find no way to get it to use a local password when the server is unavailable.

Any pointers.

thanks

Labels:
0 Helpful
3 Replies 3

wnspenny
Level 4
Level 4

‎08-09-2004 03:58 PM

You have to be on the new PIX code, 6.3(4) that came out a few weeks ago. It allows a aaa failback.

Here are the commands to do it. In this example, I named the aaa server group TACACS+.

aaa-server TACACS+ (inside) host XXX.XXX.XXX.XXX {ACS_KEY} timeout {10}

aaa authentication ssh console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

You can also use the aaa authorization command for ACS command authorization.

aaa authorization command TACACS+ LOCAL

The problem I'm having with this is that I can't console into the PIX while authorizing to the ACS Server.

0 Helpful

arturo.reyna
Level 1
Level 1
In response to wnspenny

‎08-25-2004 04:25 PM

Thanks a lot.

0 Helpful

MARK BAKER
Level 4
Level 4

‎08-19-2004 11:16 AM

with pix 5.0(3)

with tacacs available

pix password: pix_internal_password

username: tacacs_user_name

password: tacacs_password

pix> enable

username: tacacs_user_name

password: tacacs_passord

pix#

when tacacs is down

pix password: internal_pix_password

username: pix

password: internal_pix_enable_password

*this takes awhile to timeout tacacs before accepting it*

pix> enable

username: pix

password: intermal_pix_enable_password

pix#

---------------------------------------------------

pix version 6.2(2)

with tacacs available

username: tacacs_username

password: tacacs_password

pix> enable

password: tacacs_configured_enable_password

pix#

without tacacs available

username: pix

password: internal_pix_enable_password

*takes awhile*

pix> enable

password: internal_pix_enable_password

*takes awhile*

pix#

this is the default behaviour of the pix. I only configured tacacs for login and enable on the pix. The recovery fuctionally is built into the pix as long as you have a password and enable password configured on the pix. Let me know if you have any other questions.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents