Cisco Pix and ACS

Discussion in 'Cisco' started by Trippbit, Nov 3, 2004.

  1. Trippbit

    Trippbit Guest

    Trying to get a PIX (6.3(3)) to work with CSACS 3.3 using command
    authorization. When I turn the authorization command on on the PIX
    all commands fail, even though they are set up to permit them in the
    ACS. Another problem that I have is this: is there a way to have a
    user automatically drop into enable mode or have a different enable
    password? What I'm trying to do is to set up a couple of users that
    can only perform a short list of commands like ping and show X etc.
    Any insight on this would be very much appreciated.

    Thanks,
    -Brian
     
    Trippbit, Nov 3, 2004
    #1

  2. Trippbit

    Heywood Guest

    Yes, what you're asking for is definitely possible. I had a similar config
    that permitted certain users to execute only certain commands. You will
    need to assign users to groups in ACS and permit the desired commands at the
    group level, or configure each user individually. You specify which
    commands are permitted and which are denied in a fairly confusing manner.
    If you don't see the command authorization section in your user/group
    config, make sure it is turned on in the ACS settings.

    As for all commands failing, that usually means the PIX is unable to
    communicate with the ACS server. Is there another firewall in between? Is
    the security key correct between the PIX and the ACS? Does the ACS show
    failed or passed logins from the PIX? You may also need to permit level 15
    command authorization in the ACS user config.

    I hope some of this helps. I know I didn't get very specific, but it's been
    a while since I configured it.

    Matt

    "Trippbit" <> wrote in message
    news:...
    > Trying to get a PIX (6.3(3)) to work with CSACS 3.3 using command
    > authorization. When I turn the authorization command on on the PIX
    > all commands fail, even though they are set up to permit them in the
    > ACS. Another problem that I have is this: is there a way to have a
    > user automatically drop into enable mode or have a different enable
    > password? What I'm trying to do is to set up a couple of users that
    > can only perform a short list of commands like ping and show X etc.
    > Any insight on this would be very much appreciated.
    >
    > Thanks,
    > -Brian
     
    Heywood, Nov 3, 2004
    #2
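
Added example, not part of either post above: a sketch of the PIX 6.3 side of TACACS+ command authorization against ACS, entered in an order that avoids locking yourself out of the firewall. The server tag `ACS`, the `inside` interface, the address 192.0.2.10, the key placeholder and the choice of SSH for management are all assumptions.

```cisco
: Constructed example for PIX 6.3. Lines starting with ":" are notes.
: ACS, inside, 192.0.2.10 and <shared-key> are placeholders.

: 1. Define the TACACS+ server group and the ACS host. The key must be
:    identical to the one set for this PIX as an AAA client in ACS.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10 <shared-key> timeout 10

: 2. Authenticate management logins against ACS and confirm that ACS
:    records a passed authentication before going any further.
aaa authentication ssh console ACS

: 3. Check "enable" against ACS instead of the local enable password.
aaa authentication enable console ACS

: 4. Only now turn on per-command authorization. Do this from a session
:    logged in as an ACS user whose group is permitted the commands
:    needed to keep configuring the PIX.
aaa authorization command ACS
```

If every command is rejected after step 4 while step 2 shows passed authentications in ACS, the shared key and network path are working and the remaining place to look is the command authorization settings for that user or group in ACS.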