FWSM, SSH and AAA authentication

Discussion in 'Cisco' started by mikester, Dec 5, 2003.

  1. mikester (Guest)

    So, here's the aaa setup on this firewall services module;

    firewall# sho aaa
    aaa authentication ssh console <tag>
    aaa authentication enable console <tag>
    firewall# sho aaa-server
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server <tag> protocol tacacs+
    aaa-server <tag> (inside) host <ip> <tag> timeout 5
    aaa-server <tag> (inside) host <ip> <tag> timeout 5

    That setup allows me to use SSH to access the FWSM under normal
    operations. Normal being that the TACACS servers are up and operational.
    Well, what about abnormal? Abnormal would be when the TACACS servers
    are down and under those circumstances it seems I am *NOT* able to
    login via SSH. Since there is no username to authenticate and no
    method to authenticate to other than local - would that mean that if
    I have disabled all other forms of access - in this case I would be
    S.O.L. on access until the TACACS servers were available again?

    There was some speculation that I could use "pix" as the username and
    then the enable password as the password but that did not work either.

    I'm just trying to plan for emergencies, bear in mind that in this
    scenario I can still "telnet" in via the switch that the FWSM is in
    via the "session" command. I was hoping to lock that down a bit as
    well though.

    Let me know what your experience is,

    The Mikester
    mikester, Dec 5, 2003

  2. Rik Bain (Guest)

    Try pix as username and the enable password for password.
    Rik Bain, Dec 5, 2003

  3. mikester (Guest)

    That does not work (Tried that with our TAC Engineer).
    mikester, Dec 6, 2003
  4. Gog

    Try pix and the telnet or VTY 0 4 level password.

    Regards Gog
    Gog, Apr 26, 2009
  5. shadow54682

    In regards to you getting locked out when the AAA server goes down, it's because you do not currently have your device set up to use the local username/password on your FWSM as a backup (should the FWSM lose connectivity to the AAA server).

    Try this:

    aaa authentication ssh console <tag> LOCAL
    aaa authentication enable console <tag> LOCAL

    Add the "LOCAL" (case sensitive) to the end of your "aaa authentication" commands and see if your "pix" username works. For my setup, I have to use the same password I use for user mode as I do for privileged mode. I'm not sure if your setup will function the same way or if it will require the enable password also.
    shadow54682, Jun 8, 2009
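An added audit script, not from this thread or from Cisco, that parses the "sho aaa" and "sho aaa-server" listings of the kind quoted above and flags console authentication lists with no LOCAL fallback (the lockout condition this thread is about), as well as lists that name a server group with no hosts. The group names and 10.0.0.x hosts in the sample are constructed placeholders.

```python
import re

# Constructed sample output modelled on the thread's "sho aaa" / "sho aaa-server"
# listings; TACACS_GRP, RADIUS_GRP and the 10.0.0.x hosts are made-up placeholders.
SHOW_AAA_SERVER = """\
aaa-server LOCAL protocol local
aaa-server TACACS_GRP protocol tacacs+
aaa-server TACACS_GRP (inside) host 10.0.0.11 key1 timeout 5
aaa-server TACACS_GRP (inside) host 10.0.0.12 key1 timeout 5
aaa-server RADIUS_GRP protocol radius
"""
SHOW_AAA_BEFORE = """\
aaa authentication ssh console TACACS_GRP
aaa authentication enable console TACACS_GRP
"""
SHOW_AAA_AFTER = """\
aaa authentication ssh console TACACS_GRP LOCAL
aaa authentication enable console TACACS_GRP LOCAL
"""
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")
PROTO_RE = re.compile(r"^aaa-server (\S+) protocol \S+$")
HOST_RE = re.compile(r"^aaa-server (\S+) \(\S+\) host (\S+)")

def parse_servers(text):
    """Map each aaa-server group name to the list of hosts configured under it."""
    hosts = {}
    for line in text.splitlines():
        m = PROTO_RE.match(line.strip()) or HOST_RE.match(line.strip())
        if m:
            hosts.setdefault(m.group(1), [])
            if m.re is HOST_RE:  # a host line, not the group's protocol declaration
                hosts[m.group(1)].append(m.group(2))
    return hosts

def audit_console_auth(show_aaa, show_aaa_server):
    """Return lockout findings: no LOCAL fallback, or a referenced group with no hosts."""
    hosts = parse_servers(show_aaa_server)
    findings = []
    for line in show_aaa.splitlines():
        m = AUTH_RE.match(line.strip())
        if not m:
            continue
        service, methods = m.group(1), m.group(2).split()
        if "LOCAL" not in methods:
            findings.append(f"{service}: no LOCAL fallback, lockout if {' '.join(methods)} unreachable")
        for grp in methods:
            if grp != "LOCAL" and not hosts.get(grp):
                findings.append(f"{service}: group {grp} has no hosts defined")
    return findings
```

Run audit_console_auth against the BEFORE and AFTER samples to see the two ssh/enable findings disappear once LOCAL is appended.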
