[c-nsp] TACACS+ and PIX
Brian Feeny
signal at shreve.net
Thu Dec 16 19:23:27 EST 2004
I have not done TACACS+ with the PIX, and tried to bring up a PIX today
and was not able to enable using TACACS+. I am using a free TACACS+ server:
On the PIX:
aaa-server tacserver protocol tacacs+
aaa-server tacserver max-failed-attempts 3
aaa-server tacserver deadtime 10
aaa-server tacserver (outside) host x.x.x.x somekey timeout 10
aaa authentication ssh console tacserver
aaa authentication enable console tacserver
On the TACACS+ Server:
host = x.x.x.x {
    key = somekey
    type = cisco
    enable = cleartext somesecret
}
Usernames authenticate fine. Just enable isn't working. I set up
host clauses like the above on TACACS+ servers for switches and routers,
all just like that, and they never have a problem, so I was wondering
if the PIX has to be set up differently.
The "good" documentation on the free TACACS+ servers is pretty lacking.
It's almost like the PIX doesn't do host-based enabling via TACACS+ but
wants to do username level. If so, perhaps there is a way to set an
enable password, or a second password, in a user clause?
Appreciate any help,
Brian
---------------------------------------------
Brian Feeny, CCIE #8036, CISSP
Network Engineer
ShreveNet Inc.
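The enable failure above can be narrowed down without the PIX by talking to the TACACS+ server directly. What follows is an added example, not code from the original post, the PIX, or the tac_plus server: a small Python client for the TACACS+ authentication exchange as specified in RFC 8907. It sends an ASCII authentication START with service=enable and privilege level 15 (the protocol-level difference between an enable request and an ordinary login), answers the server's GETUSER/GETPASS prompts, and returns the final status, so a PASS for login but FAIL or ERROR for enable points at the server's enable handling rather than at the PIX. It also decodes a captured START so the fields a device actually sent can be checked. The server host, shared key, usernames, the `ssh` port string and the 192.0.2.10 remote address are assumptions; the exact port/rem_addr strings a PIX fills in are not taken from the post.

```python
# Added example (not from the original post): minimal TACACS+ (RFC 8907)
# ASCII authentication client for testing a server's enable handling.
import hashlib
import os
import socket
import struct

VERSION = 0xC0                       # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01         # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01     # ordinary login
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02    # enable (privilege escalation) request
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS",
          6: "RESTART", 7: "ERROR"}
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id|key|version|seq_no|previous digest), chained."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; the same call both hides and reveals a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def wrap(body, session_id, key, seq_no):
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def build_authen_start(session_id, key, user, service, priv_lvl,
                       port=b"ssh", rem_addr=b"192.0.2.10"):
    """START packet; an enable request differs from a login only in service and priv_lvl.
    port and rem_addr are illustrative values (assumption, not what a PIX sends)."""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, service,
                       len(user), len(port), len(rem_addr), 0)
    return wrap(body + user + port + rem_addr, session_id, key, 1)


def build_authen_continue(session_id, key, seq_no, user_msg):
    """CONTINUE carrying the answer to a GETUSER/GETPASS/GETDATA prompt."""
    return wrap(struct.pack("!HHB", len(user_msg), 0, 0) + user_msg, session_id, key, seq_no)


def build_authen_reply(session_id, key, seq_no, status, server_msg=b""):
    """Server-side REPLY; included so the parser can be exercised offline."""
    return wrap(struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg,
                session_id, key, seq_no)


def decode_start(packet, key):
    """Decode a START (e.g. one pulled from a capture) into its fields."""
    version, _, seq_no, _, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen = struct.unpack("!5B", body[:5])
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": body[8:8 + ulen].decode(errors="replace"),
            "session_id": session_id}


def parse_reply(packet, key):
    """Return (status, server_msg, seq_no) from a REPLY packet."""
    version, _, seq_no, _, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    status, _, msg_len, _ = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len].decode(errors="replace"), seq_no


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def ascii_authenticate(host, key, user, password, service, priv_lvl, port=49):
    """Run one ASCII authentication against a live server; returns (status name, message).
    service=ENABLE with priv_lvl=15 mimics an enable request, LOGIN/1 a normal login."""
    session_id = int.from_bytes(os.urandom(4), "big")
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(build_authen_start(session_id, key, user, service, priv_lvl))
        while True:
            head = recv_exact(s, HEADER.size)
            status, msg, seq_no = parse_reply(head + recv_exact(s, HEADER.unpack(head)[5]), key)
            if status in (3, 4, 5):                      # server wants more input
                answer = user if status == 4 else password
                s.sendall(build_authen_continue(session_id, key, seq_no + 1, answer))
            else:
                return STATUS.get(status, str(status)), msg


if __name__ == "__main__":
    import sys  # usage: python tacplus_enable_test.py <server> <key> <user> <password>
    host, key, user, pw = sys.argv[1], sys.argv[2].encode(), sys.argv[3].encode(), sys.argv[4].encode()
    print("login :", ascii_authenticate(host, key, user, pw, TAC_PLUS_AUTHEN_SVC_LOGIN, 1))
    print("enable:", ascii_authenticate(host, key, user, pw, TAC_PLUS_AUTHEN_SVC_ENABLE, 15))
```

Run it against the server from a host that is allowed in the server's host clause, with the same key as the aaa-server line. A wrong key shows up as garbage in the decoded fields rather than a clean FAIL, which is why decode_start is handy on a capture of the PIX's own request.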