FWSM, SSH and AAA authentication

Discussion in 'Cisco' started by mikester, Dec 5, 2003.

  1. mikester (Guest)

    So, here's the aaa setup on this firewall services module;

    firewall# sho aaa
    aaa authentication ssh console <tag>
    aaa authentication enable console <tag>
    firewall# sho aaa-server
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server <tag> protocol tacacs+
    aaa-server <tag> (inside) host <ip> <tag> timeout 5
    aaa-server <tag> (inside) host <ip> <tag> timeout 5

    That setup allows me to use SSH to access the FWSM under normal
    operations. Normal being that the TACACS servers are up and operational.
    Well, what about abnormal? Abnormal would be when the TACACS servers
    are down and under those circumstances it seems I am *NOT* able to
    log in via SSH. Since there is no username to authenticate and no
    method to authenticate to other than local - would that mean that if
    I have disabled all other forms of access - in this case I would be
    SOL on access until the TACACS servers were available again?

    There was some speculation that I could use "pix" as the username and
    then the enable password as the password but that did not work either.

    I'm just trying to plan for emergencies, bear in mind that in this
    scenario I can still "telnet" in via the switch that the FWSM is in
    via the "session" command. I was hoping to lock that down a bit as
    well though.

    Let me know what your experience is,

    The Mikester
    mikester, Dec 5, 2003
    #1
  2. Rik Bain (Guest)

    On Fri, 05 Dec 2003 16:44:29 -0600, mikester wrote:

    > So, here's the aaa setup on this firewall services module;
    >
    > firewall# sho aaa
    > aaa authentication ssh console <tag>
    > aaa authentication enable console <tag>
    > firewall# sho aaa-server
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > aaa-server <tag> protocol tacacs+
    > aaa-server <tag> (inside) host <ip> <tag> timeout 5
    > aaa-server <tag> (inside) host <ip> <tag> timeout 5
    >
    > That setup allows me to use SSH to access the FWSM under normal
    > operations. Normal being that the TACACS servers are up and operational.
    > Well, what about abnormal? Abnormal would be when the TACACS servers are
    > down and under those circumstances it seems I am *NOT* able to log in
    > via SSH. Since there is no username to authenticate and no method to
    > authenticate to other than local - would that mean that if I have
    > disabled all other forms of access - in this case I would be SOL on
    > access until the TACACS servers were available again?
    >
    > There was some speculation that I could use "pix" as the username and
    > then the enable password as the password but that did not work either.
    >
    > I'm just trying to plan for emergencies, bear in mind that in this
    > scenario I can still "telnet" in via the switch that the FWSM is in via
    > the "session" command. I was hoping to lock that down a bit as well
    > though.
    >
    > Let me know what your experience is,
    >
    > The Mikester


    Try pix as username and the enable password for password.
    Rik Bain, Dec 5, 2003
    #2
  3. mikester (Guest)

    Rik Bain <> wrote in message news:<>...
    > On Fri, 05 Dec 2003 16:44:29 -0600, mikester wrote:
    >
    > > So, here's the aaa setup on this firewall services module;
    > >
    > > firewall# sho aaa
    > > aaa authentication ssh console <tag>
    > > aaa authentication enable console <tag>
    > > firewall# sho aaa-server
    > > aaa-server TACACS+ protocol tacacs+
    > > aaa-server RADIUS protocol radius
    > > aaa-server LOCAL protocol local
    > > aaa-server <tag> protocol tacacs+
    > > aaa-server <tag> (inside) host <ip> <tag> timeout 5
    > > aaa-server <tag> (inside) host <ip> <tag> timeout 5
    > >
    > > That setup allows me to use SSH to access the FWSM under normal
    > > operations. Normal being that the TACACS servers are up and operational.
    > > Well, what about abnormal? Abnormal would be when the TACACS servers are
    > > down and under those circumstances it seems I am *NOT* able to log in
    > > via SSH. Since there is no username to authenticate and no method to
    > > authenticate to other than local - would that mean that if I have
    > > disabled all other forms of access - in this case I would be SOL on
    > > access until the TACACS servers were available again?
    > >
    > > There was some speculation that I could use "pix" as the username and
    > > then the enable password as the password but that did not work either.
    > >
    > > I'm just trying to plan for emergencies, bear in mind that in this
    > > scenario I can still "telnet" in via the switch that the FWSM is in via
    > > the "session" command. I was hoping to lock that down a bit as well
    > > though.
    > >
    > > Let me know what your experience is,
    > >
    > > The Mikester

    >
    > Try pix as username and the enable password for password.


    That does not work (tried that with our TAC engineer).
    mikester, Dec 6, 2003
    #3
  4. Gog

    Try pix and the telnet or VTY 0 4 level password.

    Regards, Gog
    Gog, Apr 26, 2009
    #4
  5. shadow54682

    Regarding your getting locked out when the AAA server goes down: it's because you do not currently have your device set up to use the local username/password on your FWSM as a backup (should the FWSM lose connectivity to the AAA server).

    Try this:

    aaa authentication ssh console <tag> LOCAL
    aaa authentication enable console <tag> LOCAL

    Add the "LOCAL" (case sensitive) to the end of your "aaa authentication" commands and see if your "pix" username works. For my setup, I have to use the same password I use for user mode as I do for privileged mode. I'm not sure if your setup will function the same way or if it will require the enable password also.
    shadow54682, Jun 8, 2009
    #5
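A configuration audit for the fallback gap this thread is about, added here as an example and not code from any poster: it parses "sho aaa" / "sho aaa-server" style output, flags every "aaa authentication ... console" line whose only method is a remote TACACS+/RADIUS server group (an outage of that group locks the path out), and emits the corrected lines with LOCAL appended, as shadow54682 suggests. The sample config is constructed, with the thread's <tag>, <ip> and key placeholders replaced by made-up values.

```python
import re

# Constructed sample modelled on the thread's "sho aaa" / "sho aaa-server" output;
# the <tag>, <ip> and key placeholders are filled with made-up values.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 192.0.2.10 EXAMPLEKEY timeout 5
aaa-server MYTACACS (inside) host 192.0.2.11 EXAMPLEKEY timeout 5
aaa authentication ssh console MYTACACS
aaa authentication enable console MYTACACS
"""

SERVER_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?:\s+(\S+))?$")


def audit_aaa(config: str) -> dict[str, str]:
    """Return {service: problem} for each 'aaa authentication <svc> console <tag>'
    line whose tag is a remote (tacacs+/radius) server group and that lacks LOCAL."""
    lines = [l.strip() for l in config.splitlines()]
    protocols = {m.group(1): m.group(2) for m in map(SERVER_RE.match, lines) if m}
    findings = {}
    for m in filter(None, map(AUTH_RE.match, lines)):
        service, primary, fallback = m.groups()
        if protocols.get(primary) in ("tacacs+", "radius") and fallback != "LOCAL":
            findings[service] = (f"{service}: only {primary} ({protocols[primary]}), "
                                 "no LOCAL fallback; a server outage locks out this path")
    return findings


def add_local_fallback(config: str) -> str:
    """Remediation: append LOCAL to every aaa authentication line audit_aaa flags."""
    flagged = audit_aaa(config)
    fixed = []
    for raw in config.splitlines():
        m = AUTH_RE.match(raw.strip())
        if m and m.group(1) in flagged:
            fixed.append(f"aaa authentication {m.group(1)} console {m.group(2)} LOCAL")
        else:
            fixed.append(raw)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for problem in audit_aaa(SAMPLE_CONFIG).values():
        print("FINDING:", problem)
    print(add_local_fallback(SAMPLE_CONFIG), end="")
```

Whether the LOCAL fallback then accepts the "pix" user with the login or enable password is device and version specific, as the thread's replies show; verify it on a lab module before relying on it.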