user under PIX

thibaut.leduc
Level 1

Hi,

I manage many PIX in my company... but other people do too...

I would like to set up a special access for me (same username and password on all my PIX).

I can do that:

user toto password titi priv 15

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

but in this case, we can't access with the "virtual user": pix!!!

My problem is that I want both accesses... of course, I don't have the "pix user" password! I don't manage it.

Is it possible to do that or not?

Second, will IOS 7 be OK with the 501 and 506? And when?

Thanks

6 Replies

sachinraja
Level 9

Hello Thibaut,

Once you enable LOCAL authentication, it will search for a valid username/password in the local database. You need to create a virtual user on the PIX to allow authentication using that. You can also do authorization locally and assign privilege levels to each user.. you can have an admin privilege of 15 and you can assign another user privilege 4, allowing him access only to show commands..

eg

username aaa password pass1 privilege 5

privilege show level 5 command alias

privilege show level 5 command apply

privilege show level 5 command arp

Only the above show commands will be displayed for the user aaa...

PIX 7.0 will not be supported on the 501 & 506.. You need to have at least a 515 to support this.

Hope this helps.. all the best.. rate replies if found useful..

Raj
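The local-database setup Raj describes, written out as a complete PIX 6.3 configuration fragment. This is an added example, not configuration from the thread or from Cisco: the usernames (admin, ops), passwords, the management subnet 10.1.1.0/24 and the chosen show commands are all assumed values. One line Raj's example leaves out is "aaa authorization command LOCAL": on PIX, privilege levels assigned with "username ... privilege N" are only enforced once command authorization is turned on.

```cisco
! Added example (not from the thread). Assumed names, passwords and subnet.
!
! Local database: a privilege-15 administrator and a read-only operator.
username admin password Adm1nPa55 privilege 15
username ops password 0perPa55 privilege 5
!
! Authenticate SSH logins and "enable" against the local database.
! From here on the built-in "pix" username (telnet password) no longer
! works for SSH; every login must match a "username" entry.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
!
! Privilege levels are only enforced when command authorization is on.
! Without this line a level-5 user still gets every command in enable mode.
aaa authorization command LOCAL
!
! Lower the show commands the operator may run to level 5.
! Commands not listed keep their default level (15).
privilege show level 5 command interface
privilege show level 5 command arp
privilege show level 5 command conn
privilege show level 5 command xlate
!
! Accept SSH only from the management subnet (assumed).
ssh 10.1.1.0 255.255.255.0 inside
```

Before closing the session you configured this from, open a second SSH session as the operator, type "enable" (with LOCAL enable authentication the user is prompted for their own password and lands at their configured level) and run "show curpriv" to confirm the session is at level 5 and that "show arp" works while "show running-config" is refused. Only then log out of the administrative session.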

Hi,

I believe you don't understand me... I want to keep the "pix" user but I want to create another user with privilege 15 (that's OK); but when I do that:

user toto password titi priv 15

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

the "pix" user is disabled... how do I have the 2 accounts "pix" and "toto" enabled?

Thanks

Hi Thibaut:

This is a very interesting scenario. As sachinraja pointed out in the previous post, once AAA authentication for ssh/telnet is enabled using the LOCAL or a RADIUS/TACACS+ database, the default "pix" username for ssh authentication is no longer in effect.

So the workaround for this is to create a username "pix" on your RADIUS or TACACS+ server, assign privilege 15 and the same enable password for that user, and enable AAA authentication pointing to the RADIUS/TACACS+ server.

Please note that you cannot create the user "pix" in your PIX LOCAL database, as the minimum length of a username is 4 characters, and unfortunately 'pix' is only 3 characters long.

[ Error message received when trying to create a local account called 'pix' ]

pixfirewall(config)# username pix password ww privilege 15

Minimum allowed username length is 4

See the following documentation for more information on AAA Authentication/Authorization on PIX:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml

Sincerely,

Binh
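Binh's workaround, as an added PIX 6.3 configuration fragment (not from the thread): the "pix" account is defined on an external TACACS+ server, where the PIX-side 4-character minimum for local usernames does not apply, and SSH and enable authentication are pointed at that server. The server group name MGMT-TACACS, the server address 10.1.1.5 on the inside interface and the shared key are assumed values; that the server accepts a 3-character username is the thread's claim, not something verified here.

```cisco
! Added example (not from the thread). Assumed group name, server and key.
!
! Define the TACACS+ server group and one server reachable via "inside".
aaa-server MGMT-TACACS protocol tacacs+
aaa-server MGMT-TACACS (inside) host 10.1.1.5 t4c4cskey timeout 5
!
! SSH and enable authentication now go to the server. The "pix" account,
! the per-admin accounts and their privilege levels live there, not on the PIX.
aaa authentication ssh console MGMT-TACACS
aaa authentication enable console MGMT-TACACS
!
! Optional: let the server decide which commands each user may run.
aaa authorization command MGMT-TACACS
```

Two practical caveats. First, with SSH authentication sent to the server, an unreachable TACACS+ server locks you out of SSH, so leave serial console authentication alone and keep an existing SSH session open while you test a fresh login as "pix" and as your own account. Second, the shared key and the "pix" password are now stored on the server, so whoever administers that server effectively administers every PIX that trusts it; that is the trade-off for a single password across devices you do not all manage.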

Ooops.. Binh is right.. I forgot the minimum character length parameter!!!! Why do you specifically want the username to be "pix"? Create some other username or use a RADIUS or TACACS server...

Thanks Binh for the clarification.

Raj

Create another username.. that's it..

user pix password pix priv 15

Raj

Sachinraja:

You cannot create a local username called 'pix'. See my post above. This is due to the minimum length requirement for local accounts on PIX (4 characters).

Sincerely,

Binh
