03-24-2005 07:04 AM - edited 02-21-2020 12:02 AM
Hi,
I manage many PIX in my company... but other people too...
I would like to put a special access for me (same username and password on all my PIX).
I can do that :
user toto password titi priv 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
but in this case, we can't access with "virtual user" : pix !!!
My problem is that I want both access... of course, I don't have the "pix user" password ! I don't manage it.
Is it possible to do that or not ?
Second, will IOS 7 be ok with 501 and 506 ? and when ?
Thanks
03-25-2005 11:46 PM
hello thibaut
once you enable LOCAL authentication, it will search for a valid username/password on the local database. you need to create any virtual user on pix to allow authentication using that. you can also do authorization locally and assign privilege levels to each user.. you can have admin privilege of 15 and you can assign another user with privilege 4, allowing him only access to show commands..
eg
username aaa password pass1 privilege 5
privilege show level 5 command alias
privilege show level 5 command apply
privilege show level 5 command arp
Only the above show commands will be displayed for the user aaa...
PIX 7.0 will not be supported by 501 & 506.. You need to have a 515 at least to support this
hope this helps.. all the best.. rate replies if found useful..
Raj
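As an added configuration example (not from the thread and not Raj's own config; it assumes PIX 6.3 syntax and uses constructed usernames and passwords), here is a complete local AAA setup of the kind described above: one full-privilege admin account, one restricted account limited to a few show commands, and the command-authorization line that makes the privilege levels actually take effect.

```text
! Full-privilege administrator (constructed name/password)
username admin1 password S3cretPass privilege 15
! Restricted operator, limited to privilege level 5 (constructed name/password)
username oper1 password Op3rPass privilege 5
! Expose only these show commands at level 5
privilege show level 5 command interface
privilege show level 5 command route
privilege show level 5 command arp
! Authenticate SSH logins and the enable prompt against the local database
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
! Enforce the per-level command restrictions; without this line the
! privilege levels are recorded but not checked (assumed PIX 6.3 behaviour)
aaa authorization command LOCAL
```

Keep at least one privilege-15 local account defined and tested over SSH before enabling command authorization, since a typo in the privilege lines can otherwise lock every operator out of configuration mode.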
03-28-2005 10:47 PM
Hi,
I believe you don't understand me... I want to keep "pix" user but I want to create another user with privilege 15 (that's ok) ; but when I do that :
user toto password titi priv 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
"pix" user is disabled... how do I have 2 accounts "pix" and "toto" enabled ?
Thanks
03-28-2005 11:25 PM
Hi Thibaut:
This is a very interesting scenario. As sajinraja pointed out on the previous post, once AAA authentication for ssh/telnet is enabled using LOCAL or RADIUS/TACACS+ database, the default "pix" username for ssh authentication is no longer in effect.
So the workaround for this is to create a username "pix" on your RADIUS or TACACS+ server, assign privilege 15 and same enable password for that user and enable AAA authentication pointing to the RADIUS/TACACS+ server.
Please note that you cannot create the user "pix" on your PIX LOCAL database, as the minimum length of username is 4 characters, and unfortunately 'pix' is only 3-character long.
[ Error message received when trying to create a local account called 'pix' ]
pixfirewall(config)# username pix password ww privilege 15
Minimum allowed username length is 4
See the following documentation for more information on AAA Authentication/Authorization on PIX:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
Sincerely,
Binh
03-28-2005 11:33 PM
ooos.. Binh is right.. forgot the min character length parameter !!!! why do you specifically want only the username to be pix ? create some other username or use a radius or tacacs server...
Thanks Binh for the clarification
Raj
03-28-2005 11:30 PM
create another username.. that's it..
user pix password pix priv 15
Raj
03-28-2005 11:32 PM
Sachinraja:
You cannot create a local username called 'pix'. See my post above. This is due to the minimum length requirement for local account on PIX (4 characters).
Sincerely,
Binh