[c-nsp] TACACS+ and PIX

Brant I. Stevens branto at branto.com
Thu Dec 16 19:56:53 EST 2004


Using AAA authentication for the enable password is fine, until the TACACS
server is down, and you need to get in via the console server.  Supposedly,
this issue is fixed in 6.3.4, but I've never tested it, nor did I mess
around with the command authorization.

I would definitely stick to the "shared" enable password for just such an
occasion.


On 12/16/2004 07:23 PM, "Brian Feeny" <signal at shreve.net> wrote:

> 
> I have not done TACACS+ with the PIX, and tried to bring up a PIX today
> and was not
> able to enable using TACACS+.  I am using a free TACACS+ server:
> 
> On the PIX:
> 
> aaa-server tacserver protocol tacacs+
> aaa-server tacserver max-failed-attempts 3
> aaa-server tacserver deadtime 10
> aaa-server tacserver (outside) host x.x.x.x somekey timeout 10
> aaa authentication ssh console tacserver
> aaa authentication enable console tacserver
> 
> On the TACACS+ Server:
> 
> host = x.x.x.x {
>           key = somekey
>           type = cisco
>           enable = cleartext somesecret
>   }
> 
> 
> Usernames authenticate fine.  It's just enable that isn't working.  I set up
> host clauses like the above on TACACS+ servers for switches and routers,
> all just like that, and they never have a problem, so I was wondering if
> the PIX has to be set up differently.
> The "good" documentation on the free TACACS+ servers is pretty lacking.
> 
> It's almost like the PIX doesn't do host-based enabling via TACACS+ but
> wants to do username level.  If so, perhaps there is a way to set an
> enable password, or a second password, on a user clause?
> 
> Appreciate any help,
> 
> Brian
> 
> ---------------------------------------------
> Brian Feeny, CCIE #8036, CISSP
> Network Engineer
> ShreveNet Inc.
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
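To make the distinction the thread turns on concrete, here is an added example (not code from this thread, from the PIX, or from the free TACACS+ server Brian mentions) that encodes and decodes a TACACS+ authentication START packet as RFC 8907 lays it out. It shows the two fields that separate an "enable" request from an ordinary login, `service = ENABLE` and `priv_lvl = 15`, which is what the server's host or user clause ultimately has to match, and it implements the keyed-MD5 XOR that protects the body with the shared key (the key `somekey` is the placeholder from the original post; the user name `brian`, the session id and the addresses are constructed for the demo). Decoding the same packet with the wrong key yields length bytes that do not add up, which is the symptom a server reports as a key mismatch.

```python
"""Build and decode a TACACS+ authentication START packet (RFC 8907).

Added example; not code from the list thread or from any TACACS+ server.
User name, session id and addresses are constructed; "somekey" is the
placeholder shared key used in the original post.
"""
import hashlib
import struct

# --- protocol constants (RFC 8907) ---
TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0, one byte on the wire
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # interactive user/password prompts
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # ordinary login
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02  # request to enter enable mode
TAC_PLUS_PRIV_LVL_MAX = 15
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

HEADER_FMT = "!BBBBII"   # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
START_FMT = "!BBBBBBBB"  # action, priv_lvl, authen_type, service, 4 length bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keyed MD5 keystream that TACACS+ XORs over the body (RFC 8907 section 4.5)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()  # MD5_n chains on MD5_{n-1}
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body; XOR with the same pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, key, session_id, service=TAC_PLUS_AUTHEN_SVC_ENABLE,
                       priv_lvl=TAC_PLUS_PRIV_LVL_MAX, port=b"ssh", rem_addr=b"192.0.2.10"):
    """Encode the first packet a client sends when a user asks for enable access."""
    data = b""  # ASCII authentication: the password arrives later in a CONTINUE packet
    body = struct.pack(START_FMT, TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       service, len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    seq_no = 1  # client always opens a session with sequence number 1
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet, key):
    """Decode a START packet with the given key; raise ValueError if it does not fit."""
    if len(packet) < HEADER_LEN + 8:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or length != len(packet) - HEADER_LEN:
        raise ValueError("not an authentication packet of the declared length")
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack(
        START_FMT, body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        # With the wrong shared key the de-obfuscated length bytes are garbage and
        # do not add up to the body length: a server logs this as a key mismatch.
        raise ValueError("body does not decode: key mismatch or corrupt packet")
    off = 8
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr = body[off:off + rlen]
    return {"session_id": session_id, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service, "user": user,
            "port": port, "rem_addr": rem_addr}


def try_parse(packet, key):
    """parse_authen_start that returns None instead of raising."""
    try:
        return parse_authen_start(packet, key)
    except ValueError:
        return None


if __name__ == "__main__":
    pkt = build_authen_start(b"brian", b"somekey", session_id=0x1234ABCD)
    print(parse_authen_start(pkt, b"somekey"))   # service 2 (ENABLE), priv_lvl 15
    print(try_parse(pkt, b"wrongkey"))           # None: body does not decode
```

Two points for the defender follow from the code. First, the server never sees a password in the START packet for ASCII authentication; whether the PIX maps the enable attempt to a host-level `enable =` clause or to the user who is asking depends on the server's handling of the `service`/`priv_lvl` pair, so comparing a decoded enable request against a decoded login request on the server side is the quickest way to see what the device actually sends. Second, the body protection is a keyed MD5 XOR stream with no integrity check, and RFC 8907 itself says the protocol should only run over a protected management path; when the `aaa-server` is reached through the outside interface, as in the quoted config, that path deserves the same scrutiny as the enable password itself.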