Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1224
Views
0
Helpful
0
Comments

TACACS+ or RADIUS authentication fails to work with the PIX firewall

TCC_2
Level 10
Level 10

‎06-18-2009 03:56 PM - edited ‎02-21-2020 09:54 PM

Core issue

Authentication can fail for many reasons, but these are two of the commonly known reasons:

  • The PIX firewall cannot reach the authentication server.

  • The Authentication, Authorization, and Accounting (AAA) server does not respond to the authentication request from the PIX before the authentication request times out.

Resolution

In order to resolve this issue, complete these steps:

  1. Check the connectivity between the PIX and the server:
       

    • If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.

      aaa-server group_tag (if_name) host server_ip key timeout 5     

    • If Terminal Access Controller Access Control System (TACACS+) is used, verify that the PIX and the server communicate on the same port, Transmission Control Protocol (TCP)/49.

             
    • If Remote Authentication Dial-In User Service (RADIUS) is used, verify that the PIX and the server communicate on the User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server uses port 1812, verify that the PIX uses software version 6.0 or later. Then, issue the aaa-server radius-authport 1812 command in order to specify port 1812.

       
  2. Ensure that the secret key is correct.

       
  3. If the network traffic is extremely high, or packet loss is present, increase the timeout for authentication requests. From the PIX command line interface, issue the aaa-server group_tag (if_name) host server_ip key timeout seconds command, and increase the time in seconds to a larger value, such as 20 or 30 seconds. Check the server logs for failed attempts. All servers have some kind of logging function.
       

Problem Type

Connectivity to the device

Troubleshoot software feature

Product Family

Cisco Secure access control server

Firewall - PIX 500 series

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents