PIX vs IOS AAA Authentication commands

Discussion started by mikester, May 26, 2004.

  mikester

    mikester Guest

    I've got an issue with my PIX firewall's AAA configuration.

    Background though, if you look at an IOS router's AAA authentication
    it has safeguards against the AAA servers not being available.

    So, you tell it which order to check for sources of authentication and
    of course the last in that string is "enable", meaning that if all else
    fails to respond, the enable will get you access.

    Can the pix do this?

    From what I can tell, no - it can't. But I'm hoping that someone else
    knows better.

    Here's what I have at the moment:

    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server SECACS protocol tacacs+
    aaa-server SECACS (inside) host <ip> <key> timeout 5
    aaa-server SECACS (inside) host <ip> <key> timeout 5
    aaa authentication ssh console SECACS
    aaa authentication enable console SECACS

    Again, my goal is to have the ability to console in and get
    configuration access via the enable even if my AAA server is not


    The Mikester
    mikester, May 26, 2004
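The IOS method-list behaviour the poster describes, as an added configuration example (not part of the original post): the group name TACACS-GRP, the addresses and the placeholder keys are assumed values, and the ordering rule in the comments is how IOS evaluates method lists.

```cisco
! Added example: IOS AAA method lists with a last-resort fallback.
! Group name TACACS-GRP, the 192.0.2.x addresses and <...> keys are assumed.
aaa new-model
tacacs-server host 192.0.2.10 key <tacacs-key>
tacacs-server host 192.0.2.11 key <tacacs-key>
aaa group server tacacs+ TACACS-GRP
 server 192.0.2.10
 server 192.0.2.11
!
! Methods are tried left to right. IOS only moves to the next method when
! the current one returns an ERROR (no server in the group answered); a
! REJECT from a reachable server ends the attempt. So "enable" at the end
! is a fallback for a dead AAA server, not a bypass of a failed login.
aaa authentication login default group TACACS-GRP local enable
aaa authentication enable default group TACACS-GRP enable
!
! Local account and enable secret that the fallback methods rely on.
username admin privilege 15 secret <local-password>
enable secret <enable-password>
!
line vty 0 4
 login authentication default
 transport input ssh
```

PIX 7.0 and later (and ASA) added `aaa authentication ssh console <server-group> LOCAL`, which falls back to the local user database only when every server in the group is unreachable; the 6.x configuration quoted in the thread has no equivalent keyword.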
  Patrick

    Patrick Guest


    If the configured AAA server is unreachable, the PIX will use username
    "pix" and the enable password as the password.

    However, as far as I know this can only be done when connecting via the
    console. Maybe this has changed in the latest versions, but someone
    else could probably confirm or deny this.

    Patrick, May 26, 2004
  mikester

    mikester Guest

    Let me clarify this a bit: the device is actually a Firewall Services
    Module. So I can't actually console to it at all. The session command
    is how we access it when we aren't SSH'ing directly to it. The session
    command actually does a telnet to a loopback, so that isn't really
    "console" either, even if I do it from the console of the switch.


    When the ACS server fails for any reason - even the pix/enable combo
    won't work.

    More ideas or experiences with this are welcome.

    The Mikester
    mikester, May 28, 2004
