PIX vs IOS AAA Authentication commands

Discussion in 'Cisco' started by mikester, May 26, 2004.

  1. mikester

    mikester Guest

    I've got an issue with my PIX firewall's AAA configuration.

    Background though, if you look at an IOS router's AAA authentication
    it has safe guards against the aaa servers not being available.

    So, you tell it which order to check for sources of authentication and
    of course the last in that string is "enable" meaning that if all else
    fails to respond - the enable will get you access.

    Can the pix do this?

    From what I can tell, no - it can't. But I'm hoping that someone else
    knows better.

    Here's what I have at the moment;

    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa-server SECACS protocol tacacs+
    aaa-server SECACS (inside) host <ip> <key> timeout 5
    aaa-server SECACS (inside) host <ip> <key> timeout 5
    aaa authentication ssh console SECACS
    aaa authentication enable console SECACS


    Again, my goal is to have the ability to console in and get
    configuration access via the enable even if my AAA server is not
    responding.

    Thanks!

    The Mikester
     
    mikester, May 26, 2004
    #1
    1. Advertisements

  2. mikester

    Patrick Guest

    Mikester,

    If the configured AAA server is unreachable, the PIX will use username
    "pix" and the enable password as the password.

    However, as far a I know this can only be done when connecting via the
    console. Maybe this has changed in the latest versions, but someone
    else could probably conform or deny this.


    Patrick
     
    Patrick, May 26, 2004
    #2
    1. Advertisements

  3. mikester

    mikester Guest


    Let me Clarify this a bit, the device is actually a Firewall Services
    module. So I can't actually console to it at all. The session command
    is how we access it when we aren't SSH'ing directly to it. The session
    command actually does a telnet to a loopback so that isn't really
    "console" either even if I do it from the console of the switch.

    So...

    When the ACS server fails for any reason - even the pix/enable combo
    won't work.

    More ideas or experiences with this are welcome.

    The Mikester
     
    mikester, May 28, 2004
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.