aaa authorization and unavailable TACACS server scenario

dladen
Level 1

I have set up a PIX to authenticate users for telnet and enable access. I have set up authorization so a subset of users can only run show commands. This all works as expected.

The problem is when I simulate a network outage and try to get console access to the PIX. I cannot run the enable command because the command cannot be authorized. I would have to use password recovery means to gain access to the PIX. How do I get around this? Can I have the command authorization handled locally? Can I associate the show command with a lower privilege level? If so, how, and how do I limit users to that privilege level (via TACACS)? What do I forfeit by doing so?

Thanks

1 Accepted Solution

Accepted Solutions

tepatel
Cisco Employee

If the PIX is configured for TACACS authentication and the TACACS server is not available to authenticate, there is no way to fall back or get around this issue at this time.

You can configure the PIX to fall back to local authentication if TACACS is not available.

The next release (I think 6.3 and above) will have that feature available.
