04-21-2003 01:15 PM - edited 03-10-2019 07:15 AM
I'm using CSACS v3.1 for Windows and several Cisco switches, routers and a PIX.
Below is the AAA config I'm using on the NASs. It works great if I telnet to the NAS (I get a Username/PW prompt and drop into "Privileged Mode"). If I console into the same NAS it drops me into "User Mode". I can type enable and use the enable secret password to get to "Privileged Mode", but that's not right! Is it a NAS or ACS configuration problem?
Switches and Routers
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
ip tacacs source-interface Loopback0 (ON ROUTERS ONLY)
tacacs-server host x.x.x.x
tacacs-server key ***********
PIX
aaa-server TACSERVER protocol tacacs+
aaa-server TACSERVER (inside) host x.x.x.x ******** timeout 5
aaa authentication ssh console TACSERVER
aaa authentication telnet console TACSERVER
04-21-2003 04:40 PM
In IOS routers, authorization is turned off on the console by default. You have to turn it on with the hidden command:
> aaa authorization console
This was done because many people were locking themselves out and had no way back in, so they designed the console as a back-door. Make sure your authorization is working properly before enabling it on the console.
On the PIX, you need the command:
> aaa authentication serial console TACSERVER
See http://www.cisco.com/warp/public/110/authtopix.shtml#enableauth for further details.
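As an added example (not part of this thread or of any Cisco tool), a small Python audit that flags the two gaps described in the answer above: an IOS config that has exec authorization but no `aaa authorization console`, and a PIX config that authenticates telnet/ssh console sessions but not the serial console. It also warns when exec authorization has no fallback method, the lockout risk mentioned above. The sample configs are constructed from the ones posted in the thread with placeholder addresses.

```python
import re

# Constructed samples modelled on the configs posted in this thread
# (placeholder addresses); the IOS one lacks "aaa authorization console".
IOS_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 192.0.2.10
"""
PIX_CONFIG = """
aaa-server TACSERVER protocol tacacs+
aaa authentication ssh console TACSERVER
aaa authentication telnet console TACSERVER
"""

def _lines(config):
    return [l.strip() for l in config.splitlines() if l.strip()]

def audit_ios_console(config):
    """Return findings about console AAA behaviour in an IOS config."""
    lines = _lines(config)
    findings = []
    exec_authz = [l for l in lines if l.startswith("aaa authorization exec ")]
    if exec_authz and "aaa authorization console" not in lines:
        # Without this line the console ignores exec authorization, so a
        # TACACS+ user with priv-lvl 15 still lands in user mode on console.
        findings.append("ios: 'aaa authorization console' missing")
    for l in exec_authz:
        if not re.search(r"\b(local|if-authenticated|none)\b", l):
            # Only a remote method: turning on console authorization with
            # no fallback risks a lockout if the TACACS+ server is unreachable.
            findings.append("ios: exec authorization has no fallback method")
    return findings

def audit_pix_console(config):
    """Return findings about console authentication in a PIX config."""
    lines = _lines(config)
    methods = {}
    for l in lines:
        m = re.match(r"aaa authentication (ssh|telnet|serial|http) console (\S+)$", l)
        if m:
            methods[m.group(1)] = m.group(2)
    findings = []
    if methods and "serial" not in methods:
        # Telnet/SSH sessions are sent to the AAA server, but the serial
        # console is still only protected by the local password.
        findings.append("pix: 'aaa authentication serial console' missing")
    return findings
```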
05-05-2003 07:14 AM
Thanks, the IOS routers and switches worked great! But the PIX command didn't work; if you log in through the console, you are only in "User Mode", not "Enable Mode". Anything else I can try?
05-05-2003 03:34 PM
Sorry, there's no authorization for the console on a PIX, only for traffic going through the PIX. The command I gave you should at least get you prompted for a username/password, but that's all you're going to be able to do.
05-12-2003 12:54 PM
Are you saying there is no way to authenticate all the way to the PIX's "Privileged Mode" when using Cisco Secure ACS, like on Cisco IOS routers?
05-12-2003 07:15 PM
Hi,
Unlike a router, there is no way you will be taken to the privileged mode on the PIX firewall, even if you define priv-lvl 15 on the ACS. This is true for both console and telnet. Console authentication and authorization (rather, command authorization) work the same way as telnet on the PIX. The difference between the PIX and a router is that you have to have a separate enable password to go to enable mode (it doesn't take you to enable mode directly) on the PIX. In the case of TACACS+, you need to define a separate enable password on ACS with the appropriate priv-lvl access to the PIX (as NAS) for enable authentication to work. This priv-lvl to the PIX (as NAS) is the level of authorization the user will get on the PIX after going to enable mode. RADIUS uses the same password for the first login and enable access (but you still need to enter the password twice: once for the first login and then for enable access). There is no concept of authorization (command authorization) with RADIUS on the PIX.
I hope it clears up the confusion. Thanks,
Mynul
05-27-2003 07:51 AM
THANKS!
05-13-2003 03:26 AM
I'm trying to do the same thing on our routers: use ACS 3.1 to authenticate and take the user straight to "privileged mode". I've used the same config as you, but I still get prompted for the "enable" password. Have you done anything specific in ACS or the router to enable this?
Thanks in advance.
Steve
05-13-2003 11:05 AM
Steve,
It should work with ACS 3.1. I am assuming that you are using TACACS+ to do that; please make sure that Shell/Exec is checked and you assign a privilege level of 2-15 on your ACS user or group profile. Without this setup on ACS it will not take you directly to enable mode. On the router, all it requires is the following lines:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
Thanks,
Mynul
04-12-2004 10:19 AM
I am trying the same on the PIX. I know from the previous trial that we cannot go to privileged mode directly on the PIX. Is there any change of behaviour in PIX 6.3?