[c-nsp] another tac_plus question regarding PIX firewalls

Ziv Leyes zivl at gilat.net
Tue Apr 6 02:25:37 EDT 2010


In order to make those PIX work flawlessly with TACACS+ I've found that upgrading both pdm to 3.0(4) and image to 6.3(5) helped solve a few problems.


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Erik Witkop
Sent: Tuesday, April 06, 2010 4:38 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] another tac_plus question regarding PIX firewalls

So I am trying to set up AAA on some PIX firewalls and some ASA firewalls.

On my ASA firewalls running 8.x, the AAA with tacacs+ works great. Here 
is my ASA config:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 216.x.x.x
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa authorization exec authentication-server

The above all works great.

But here is my config on my 515 PIX running 6.3(3):

test-AAA-pix(config)# sho run | inc aaa
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 216.x.x.x timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+   <-- this line is the problem. But why?
(I can't turn on authorization until I get the line above working)


SSH authentication works fine. But when I type 'enable' and then the 
enable password, the tac_plus server is sending back a FAIL message. Yet 
the same firewall commands and tac_plus configs work fine on the ASA. Why?

Here is the debug:

202:  Tacacs packet sent
203: Sending TACACS Start message. Session id: 1590929404l, seq no:1
204: Recevied TACACS packet. Session id:4238857054l  seq no:2
205: tacp_procpkt_authen: GETPASS
206: Authen Message: Password:
207: mk_pkt - type: 0x1, session_id:
208: mkpkt_continue - response: (this is the enable password on the firewall. I removed it from the debug)
209:  Tacacs packet sent
210: Sending TACACS Start message. Session id: 1590929404l, seq no:2
211: Recevied TACACS packet. Session id:4238857054l  seq no:4
212: tacp_procpkt_authen: FAIL
213: TACACS Session finished. Session id: 1590929404l, seq no: 4

tac_plus logs show nothing.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
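The two configurations and the debug trace in the post above can be checked mechanically. The following script is an added example written for this archive page; it is not code from either poster or from Cisco. It parses the `aaa authentication ... console` lines of a PIX/ASA running config, reports which console access types have no LOCAL fallback method, shows where two configs differ, and extracts the authentication status words (`GETPASS`, `FAIL`, ...) from a PIX TACACS+ debug. The sample config and debug text are constructed from the post (server address anonymised as in the original). One caveat for operators: the LOCAL fallback on Cisco devices only takes over when the TACACS+ server does not respond; an explicit FAIL reply such as the one in the debug is still a rejection, so the check below flags lockout risk rather than explaining the FAIL.

```python
"""Parse PIX/ASA 'aaa' config lines and PIX TACACS+ debug output."""
import re

# Constructed sample: the ASA 8.x 'aaa' lines quoted in the post.
ASA_AAA = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 216.x.x.x
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa authorization exec authentication-server
"""

# Constructed sample: the PIX 6.3(3) 'sho run | inc aaa' output from the post.
PIX_AAA = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 216.x.x.x timeout 10
aaa-server LOCAL protocol local
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
"""

# Constructed sample: the PIX debug from the post (password line omitted).
PIX_DEBUG = """\
202:  Tacacs packet sent
203: Sending TACACS Start message. Session id: 1590929404l, seq no:1
204: Recevied TACACS packet. Session id:4238857054l  seq no:2
205: tacp_procpkt_authen: GETPASS
206: Authen Message: Password:
209:  Tacacs packet sent
210: Sending TACACS Start message. Session id: 1590929404l, seq no:2
211: Recevied TACACS packet. Session id:4238857054l  seq no:4
212: tacp_procpkt_authen: FAIL
213: TACACS Session finished. Session id: 1590929404l, seq no: 4
"""

# 'aaa authentication <access-type> console <method> [<method> ...]'
AUTHN_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")


def parse_console_authentication(config):
    """Map each console access type (ssh, enable, ...) to its method list."""
    methods = {}
    for line in config.splitlines():
        m = AUTHN_RE.match(line.strip())
        if m:
            methods[m.group(1)] = m.group(2).split()
    return methods


def missing_local_fallback(config):
    """Console access types whose authentication lists no LOCAL method.

    Without LOCAL, an unreachable TACACS+ server leaves no way to log in
    or reach enable mode on the box: a lockout risk worth flagging.
    """
    methods = parse_console_authentication(config)
    return sorted(k for k, v in methods.items() if "LOCAL" not in v)


def config_diff(config_a, config_b):
    """Access types whose method lists differ between two configs."""
    a, b = parse_console_authentication(config_a), parse_console_authentication(config_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


# '<n>: tacp_procpkt_authen: <STATUS>' lines carry the server's authen reply.
RESULT_RE = re.compile(r"^\d+:\s*tacp_procpkt_authen:\s*(\S+)")


def tacacs_authen_results(debug):
    """Sequence of authentication status words the server returned."""
    results = []
    for line in debug.splitlines():
        m = RESULT_RE.match(line)
        if m:
            results.append(m.group(1))
    return results


def authen_outcome(debug):
    """Final status of the exchange, or NO-REPLY if the server never answered."""
    results = tacacs_authen_results(debug)
    return results[-1] if results else "NO-REPLY"


if __name__ == "__main__":
    print("ASA lacking LOCAL fallback:", missing_local_fallback(ASA_AAA))
    print("PIX lacking LOCAL fallback:", missing_local_fallback(PIX_AAA))
    print("Differences (ASA, PIX):", config_diff(ASA_AAA, PIX_AAA))
    print("PIX debug outcome:", authen_outcome(PIX_DEBUG))
```

Run it as-is to see the comparison; to use it on real devices, paste the output of `show run | inc aaa` and of the TACACS+ debug into the two sample strings. The regex for the debug is only as general as the `tacp_procpkt_authen:` lines shown in the post; other PIX images may print differently.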

 
 
************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************


