PIX TACACS+ authentication when server not available

marl.beynon
Level 1

Can anyone help me with this...

On a Cisco router you can configure it to attempt to authenticate against the ACS server, and fail over to the local password.

I want to set up the same on a PIX firewall, but can find no way to get it to use a local password when the server is unavailable.

Any pointers.

thanks

3 Replies

wnspenny
Level 4

You have to be on the new PIX code, 6.3(4), that came out a few weeks ago. It allows an aaa fallback.

Here are the commands to do it. In this example, I named the aaa server group TACACS+.

aaa-server TACACS+ (inside) host XXX.XXX.XXX.XXX {ACS_KEY} timeout {10}

aaa authentication ssh console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

You can also use the aaa authorization command for ACS command authorization.

aaa authorization command TACACS+ LOCAL

The problem I'm having with this is that I can't console into the PIX while authorizing to the ACS Server.

Thanks a lot.
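As an added example (not wnspenny's configuration and not taken from Cisco documentation on this page), here is how the commands in the reply above fit into a fuller PIX 6.3 configuration: the server-group protocol line, a local account for the fallback to land on, and the serial console covered alongside SSH and enable. The IP address, shared key, usernames and passwords are placeholders.

```cisco
! Added example, not the poster's config. Address, key and credentials are placeholders.

! Local account and enable password: these are what LOCAL falls back to,
! so they must exist before the fallback can do anything (PIX 6.3 syntax).
username admin password L0calFallb4ck privilege 15
enable password Ena8lePassw0rd

! Server group. The tag "TACACS+" matches the one used in the reply above;
! the protocol line is required before a host can be added to the group.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.10 AcsSharedKey timeout 10

! Authentication per console type, LOCAL listed last as the fallback
! used only when no server in the group answers.
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL

! Optional: command authorization against ACS, again with local fallback.
aaa authorization command TACACS+ LOCAL
```

Two points worth checking after applying this: the LOCAL fallback is taken only when the TACACS+ server group is unreachable, not when ACS rejects a login, so a wrong password still fails; and the local username and enable password should be set (and tested from the serial console with the ACS host temporarily unreachable) before the `aaa authentication ... console` lines are entered, otherwise a lost ACS connection can lock you out of the box.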

MARK BAKER
Level 4

with pix 5.0(3)

with tacacs available

pix password: pix_internal_password

username: tacacs_user_name

password: tacacs_password

pix> enable

username: tacacs_user_name

password: tacacs_password

pix#

when tacacs is down

pix password: internal_pix_password

username: pix

password: internal_pix_enable_password

*this takes a while to time out tacacs before accepting it*

pix> enable

username: pix

password: internal_pix_enable_password

pix#

---------------------------------------------------

pix version 6.2(2)

with tacacs available

username: tacacs_username

password: tacacs_password

pix> enable

password: tacacs_configured_enable_password

pix#

without tacacs available

username: pix

password: internal_pix_enable_password

*takes a while*

pix> enable

password: internal_pix_enable_password

*takes a while*

pix#

This is the default behaviour of the PIX. I only configured tacacs for login and enable on the PIX. The recovery functionality is built into the PIX as long as you have a password and enable password configured on the PIX. Let me know if you have any other questions.