Disable default "pix" account on PIX Firewall

matt.austin
Level 1

Can anyone tell me how to go about removing or disabling the default "pix" account that is hidden and on the PIX device?

8 Replies

nkhawaja
Cisco Employee

Not sure on this, but you can turn on AAA and use ACS or another AAA server, or the local user database.

To add to what Nadeem said, when you use AAA authentication for SSH, whether with the local database or a remote auth protocol (RADIUS/TACACS+), it overrides the default 'pix'/enable password authentication.

In other words, with

aaa authentication ssh console LOCAL

or

aaa authentication ssh console <server_tag>

You would still be prompted for a username/password, but you would enter the username and password from the local PIX or RADIUS/TACACS+ database to log in via SSH.

Hope that helps.

Thanks,

Binh

Well, I have enabled SSH on the outside interface, but if someone were to know our passwords, they would still be able to log in with the ID of pix, with whatever we were to set our password to. The thing is, I would like to set that ID to a priv. level that enables it to do nothing, basically, but since the ID is hidden, I can't do that either, unless I use AAA, which I don't want to on our security equipment, as too many people have admin access to the ACS and have the ability to alter the NARs if they want. I am going to see about opening a TAC case on this. I appreciate your "fix", as I know it will work for this, but it is just something that I am not wanting to use in this particular case! I'll post if I hear any other information from TAC.

No way to get rid of the "pix" default account.

No way to get rid of the "pix" default account (unless Cisco has come up with something on the 7.x OS version).

Kind of what I was thinking, especially since it isn't documented anywhere. I opened a TAC case, so I will post what they state.

Thanks,

Matt

They will give you the same answer. But if any different, please let us know.

(I used to work at Cisco TAC - PIX Firewalls & VPN)

Well, here is the official word from Cisco TAC:

The only way to "disable" the default SSH username "pix" is to enable AAA authentication using either a RADIUS or TACACS+ server. Then, as long as the server is reachable and working, the "pix" username will not work.

However, if the server is not available, then you will be able to revert to the standby of "username pix" and the enable password (instead of the Telnet password).

There is no way to completely disable the pix username account for SSH.
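As an added example that is not part of the thread and is not Cisco's own tooling: a small Python audit that reads a PIX 6.x running-config and reports the SSH management-plane state the posts above describe. It flags the case with no 'aaa authentication ssh console' line (the hidden "pix" username with the Telnet password is the only login), an AAA server tag that is never defined, and 'ssh' permit lines that open SSH on the outside interface or to any source. The two embedded configs are constructed samples; the hostname, addresses, server group name MGMT-TACACS and password strings are made up, and the "encrypted" values are placeholders.

```python
"""Audit a PIX 6.x running-config for how SSH logins are authenticated.

Added example, not from the original thread or from Cisco.  It relies on two
behaviours stated in the thread: without 'aaa authentication ssh console
<server_tag>' SSH accepts the fixed username "pix" with the Telnet password,
and when a RADIUS/TACACS+ server is configured but unreachable the PIX falls
back to "pix" with the enable password.  All names and addresses are invented.
"""
import re
from dataclasses import dataclass

# Constructed sample: SSH opened to the whole Internet on "outside" and no AAA,
# so the built-in "pix" account is the only way in.  Hashes are placeholders.
WEAK_CONFIG = """\
hostname fw1
passwd XXXXXXXXXXXXXXXX encrypted
enable password XXXXXXXXXXXXXXXX encrypted
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
"""

# Constructed sample of the fix Binh and TAC describe: SSH console logins are
# checked against a TACACS+ server group (invented name/host), and SSH is only
# permitted from a management subnet on "inside".
HARDENED_CONFIG = """\
hostname fw1
passwd XXXXXXXXXXXXXXXX encrypted
enable password XXXXXXXXXXXXXXXX encrypted
aaa-server MGMT-TACACS protocol tacacs+
aaa-server MGMT-TACACS (inside) host 10.10.20.5 s3cretKey timeout 5
aaa authentication ssh console MGMT-TACACS
ssh 10.10.20.0 255.255.255.0 inside
ssh timeout 5
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
SSH_ALLOW = re.compile(rf"^ssh\s+{IPV4}\s+{IPV4}\s+(\S+)$")   # ssh <net> <mask> <if>
AAA_SSH = re.compile(r"^aaa\s+authentication\s+ssh\s+console\s+(\S+)$")
AAA_SERVER = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    message: str


def audit(config: str) -> list[Finding]:
    """Return findings about SSH authentication and exposure in a PIX config."""
    aaa_tag = None
    server_groups: dict[str, str] = {}          # tag -> protocol
    ssh_allows: list[tuple[str, str, str]] = []  # (net, mask, interface)

    for raw in config.splitlines():
        line = raw.strip()
        if m := AAA_SSH.match(line):
            aaa_tag = m.group(1)
        elif m := AAA_SERVER.match(line):
            server_groups[m.group(1)] = m.group(2)
        elif m := SSH_ALLOW.match(line):
            ssh_allows.append(m.groups())

    findings: list[Finding] = []
    if aaa_tag is None:
        findings.append(Finding("high",
            "no 'aaa authentication ssh console': SSH accepts the built-in "
            "username 'pix' with the Telnet password, and that account cannot "
            "be removed or demoted"))
    elif aaa_tag.upper() == "LOCAL":
        findings.append(Finding("info",
            "SSH authenticates against the local user database (LOCAL)"))
    elif aaa_tag not in server_groups:
        findings.append(Finding("high",
            f"SSH authentication references server group '{aaa_tag}' but no "
            f"'aaa-server {aaa_tag} protocol ...' line defines it"))
    else:
        findings.append(Finding("info",
            f"SSH authenticates via {server_groups[aaa_tag]} group '{aaa_tag}'; "
            "per TAC, if that server is unreachable the 'pix' username with the "
            "enable password works again, so alert on AAA server reachability"))

    for net, mask, ifname in ssh_allows:
        if ifname == "outside" or mask == "0.0.0.0":
            scope = "from any source address" if mask == "0.0.0.0" else f"from {net}/{mask}"
            findings.append(Finding("medium",
                f"'ssh {net} {mask} {ifname}' exposes SSH on {ifname} {scope}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for f in audit(cfg):
            print(f"[{f.severity}] {f.message}")
```

Run it against a saved 'show running-config'; on 7.x the same regexes work, but the fallback behaviour TAC described for 6.x is what the info finding reports, so check the release notes for the version actually deployed.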
