PIX login-authentication via TACACS - failover local

Discussion in 'Cisco' started by cru, Jun 1, 2004.

  1. cru

    cru Guest

    Hello, I have some PIX (version 6.2, 6.3) which are currently doing
    login authentication (SSH) against locally defined users. Now I want to
    use a TACACS server for user authentication and command authorization.
    But in the case of failure (TACACS down), the PIX should fall back to
    local authentication.
    Does anybody else have a setup like this?

    thanks in advance,
    nver
     
    cru, Jun 1, 2004
    #1

  2. mikester

    mikester Guest

    (cru) wrote in message news:<>...
    > hello, i have some pix(version 6.2, 6.3) which are currently doing
    > login-authentication(ssh) against local defined users. Now i want to
    > use a TACACS-Server for user-authentication and command-authorization.
    > But in the case of failure (TACACS down), the PIX should fallback to
    > local authentication.
    > Has anybody else a setup like this?
    >
    > thanks in advance,
    > nver

    If you have a true PIX and not a FWSM then you have options. With a
    configuration similar to the following you should be able to use
    TACACS+ Auth via ssh but the Console would still use the local
    authentication in case of emergency.

    aaa authentication ssh console TACACS
    aaa authentication enable LOCAL


    If your TACACS+ server was unreachable for some reason I 'THINK' that
    you should be able to log in with the user "pix" and the password of
    either 'cisco' or the current enable. I've never tried this myself
    (might try it today) but I have read and heard it a number of times.
    Otherwise, you would still have the console and could use the local
    authentication to access it there.

    The PIX doesn't seem to support a true backup authentication schema
    like an IOS router does where you can list in order the methods for
    authentication.

    i.e. aaa authentication login default group tacacs+ enable

    Correct me if I'm wrong please!

    The Mikester
     
    mikester, Jun 2, 2004
    #2

  3. jerome benton

    (cru) wrote in message news:<>...
    > hello, i have some pix(version 6.2, 6.3) which are currently doing
    > login-authentication(ssh) against local defined users. Now i want to
    > use a TACACS-Server for user-authentication and command-authorization.
    > But in the case of failure (TACACS down), the PIX should fallback to
    > local authentication.
    > Has anybody else a setup like this?
    >
    > thanks in advance,
    > nver


    I don't believe PIX OS supports multiple authorization commands. By
    contrast, IOS supports multiple authorization commands, e.g.

    "aaa authorization commands 15 default tacacs+ local"

    would enable authorization commands for privilege level 15 from
    tacacs+ first, then failing to local.

    For PIX devices, if redundant tacacs+ servers and connections fail,
    then it's time for:

    http://www.cisco.com/warp/public/110/34.shtml

    --Jerome
     
    jerome benton, Jun 2, 2004
    #3
  4. mikester

    mikester Guest

    (jerome benton) wrote in message news:<>...
    > (cru) wrote in message news:<>...
    > > hello, i have some pix(version 6.2, 6.3) which are currently doing
    > > login-authentication(ssh) against local defined users. Now i want to
    > > use a TACACS-Server for user-authentication and command-authorization.
    > > But in the case of failure (TACACS down), the PIX should fallback to
    > > local authentication.
    > > Has anybody else a setup like this?
    > >
    > > thanks in advance,
    > > nver

    >
    > I don't believe PIX OS supports multiple authorization commands. By
    > contrast, IOS supports multiple authorization commands, e.g.
    >
    > "aaa authorization commands 15 default tacacs+ local"
    >
    > would enable authorization commands for privilege level 15 from
    > tacacs+ first, then failing to local.
    >
    > For PIX devices, if redundant tacacs+ servers and connections fail,
    > then it's time for:
    >
    > http://www.cisco.com/warp/public/110/34.shtml
    >
    > --Jerome

    I'd love to see this work, but I put it in my 501 and this is what I got.

    sonic(config)# aaa authorization command 15 default tacacs+ local
    service must be: "telnet", "ftp", "http", "none", "udp/<port>" or "tcp/<port>"
    Usage: [no] aaa mac-exempt match <mcl-id>
    [no] aaa authentication secure-http-client
    [no] aaa authentication|authorization|accounting include|exclude <svc>
    <if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>
    [no] aaa authentication serial|telnet|ssh|http|enable console
    <server_tag>
    [no] aaa authentication|authorization|accounting match <acl_name>
    <if_name> <server_tag>
    [no] aaa authorization command {LOCAL | tacacs_server_tag}
    aaa proxy-limit <proxy limit> | disable
     
    mikester, Jun 4, 2004
    #4
  5. PF-Gizmo

    PF-Gizmo

    PIX will let you define TACACS+ local but that doesn't mean it will actually work...

    Full Config to Redundant Cisco ACS Servers is something like:

    aaa-server AuthServ protocol radius
    aaa-server AuthServ host 1stIPADDRESS
    key VALUE
    aaa-server AuthServ host 2ndIPADDRESS
    key VALUE
    aaa authentication ssh console AuthServ LOCAL
    aaa authentication telnet console AuthServ LOCAL
    aaa authentication enable console AuthServ LOCAL

    Pre-7.x:
    aaa-server AuthServ host 1stIPADDRESS key VALUE
    vs. on separate lines.

    Hope this helps
     
    PF-Gizmo, Mar 13, 2008
    #5
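    A defender-side check that ties together the configs quoted in posts #2 and #5: this added Python script (not from the thread or from Cisco) audits a PIX 7.x-style AAA config for console authentication methods and command authorization that lack a LOCAL fallback, and for AAA server groups defined with only one host. The sample config, addresses and key placeholder are constructed; the assumption is the 7.x syntax in which a fallback method follows the server tag, as post #5 shows.

```python
import re

# Constructed sample config in PIX 7.x-style syntax (not from the thread).
# The telnet and command-authorization lines deliberately omit LOCAL.
SAMPLE_CONFIG = """
aaa-server AuthServ protocol tacacs+
aaa-server AuthServ host 192.0.2.10
key PLACEHOLDER_KEY
aaa-server AuthServ host 192.0.2.11
key PLACEHOLDER_KEY
aaa authentication ssh console AuthServ LOCAL
aaa authentication telnet console AuthServ
aaa authentication enable console AuthServ LOCAL
aaa authorization command AuthServ
"""

# aaa authentication <svc> console <tag> [LOCAL]
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
# aaa authorization command <tag> [LOCAL]   (7.x-style fallback, assumed)
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?: (LOCAL))?$")
# aaa-server <tag> host <address>
HOST_RE = re.compile(r"^aaa-server (\S+) host (\S+)")


def audit_aaa(config: str) -> list:
    """Return findings: methods without LOCAL fallback and single-host server groups."""
    hosts = {}
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            hosts.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = AUTH_RE.match(line)
        if m:
            svc, tag, local = m.groups()
            if tag != "LOCAL" and local is None:
                findings.append(f"{svc} authentication uses {tag} with no LOCAL fallback")
            continue
        m = AUTHZ_RE.match(line)
        if m:
            tag, local = m.groups()
            if tag != "LOCAL" and local is None:
                findings.append(f"command authorization uses {tag} with no LOCAL fallback")
    # A single AAA host means one outage locks you out of remote management.
    for tag, addrs in hosts.items():
        if len(addrs) < 2:
            findings.append(f"server group {tag} has only one host ({addrs[0]})")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```

    Run it against a saved `show running-config` before cutting over to TACACS+, so that a server outage cannot leave SSH or command authorization with no local path in.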
