[c-nsp] TACACS+ and PIX

Brian Feeny signal at shreve.net
Thu Dec 16 23:33:22 EST 2004



I did read about that.

But regardless, it would be nice if I could figure out how to do AAA enable auth for the PIX to a TACACS+ server. Does anyone know how to do this?

Brian

On Dec 16, 2004, at 6:56 PM, Brant I. Stevens wrote:

> Using AAA authentication for the enable password is fine, until the TACACS
> server is down and you need to get in via the console server.  Supposedly,
> this issue is fixed in 6.3.4, but I've never tested it, nor did I mess
> around with the command authorization.
>
> I would definitely stick to the "shared" enable password for just such an
> occasion.
>
>
> On 12/16/2004 07:23 PM, "Brian Feeny" <signal at shreve.net> wrote:
>
>>
>> I have not done TACACS+ with the PIX, and tried to bring up a PIX today
>> and was not able to enable using TACACS+.  I am using a free TACACS+ server:
>>
>> On the PIX:
>>
>> aaa-server tacserver protocol tacacs+
>> aaa-server tacserver max-failed-attempts 3
>> aaa-server tacserver deadtime 10
>> aaa-server tacserver (outside) host x.x.x.x somekey timeout 10
>> aaa authentication ssh console tacserver
>> aaa authentication enable console tacserver
>>
>> On the TACACS+ Server:
>>
>> host = x.x.x.x {
>>         key = somekey
>>         type = cisco
>>         enable = cleartext somesecret
>> }
>>
>>
>> Usernames authenticate fine.  Just enable isn't working.  I set up
>> host clauses like the above on TACACS+ servers for switches and routers
>> all just like that, and they never have a problem, so I was wondering
>> if the PIX has to be set up differently.  The "good" documentation on
>> the free TACACS+ servers is pretty lacking.
>>
>> It's almost like the PIX doesn't do host-based enabling via TACACS+ but
>> wants to do it at the username level.  If so, perhaps there is a way to
>> set an enable password, or a second password, in a user clause?
>>
>> Appreciate any help,
>>
>> Brian
>>
>> ---------------------------------------------
>> Brian Feeny, CCIE #8036, CISSP
>> Network Engineer
>> ShreveNet Inc.
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/


